In this article we cover the draft decree on Sanctions Against Cybersecurity and Personal Data Protection Violations.

The Vietnamese Ministry of Public Security (“MPS”) released the Draft Decree on Sanctions against Administrative Violations in Cybersecurity (“Draft Decree”) for public consultation on 20 September 2021. The public consultation period will close on 18 November 2021. The scheduled effective date is 1 December 2021.

Intended to be a consolidation of administrative sanction provisions for violations occurring in cyberspace, this Draft Decree is the latest of the draft instruments unveiled by the MPS to sit under the Law on Cybersecurity 2018 (“Cybersecurity Law”). Prior to this, a separate draft decree expanding on, among others, the Cybersecurity Law’s data localization requirement was released in 2019, and the draft Decree on Personal Data Protection (“Draft PDP Decree”) earlier this year. If passed as currently worded, the Draft Decree will invalidate several provisions on administrative sanctions in the field of postal services, telecommunications, radio frequencies, information technology and electronic transactions under the existing Decree 15/2020/ND-CP.

This Draft Decree specifies acts constituting administrative violations, relevant sanctions, and remedial measures. It can largely be divided into the following three categories: (i) violations in relation to personal data protection, (ii) cybersecurity violations, and (iii) information security violations. The Draft Decree covers violations of provisions under, among others, the Cybersecurity Law and the Draft PDP Decree. We note that this Draft Decree appears to be based on version of the Draft PDP Decree that has not been shared with the public.

The Draft Decree’s proposed extra-jurisdictional scope is expected to impact domestic and offshore entities. In particular, the Draft Decree includes sanctions for violations for of the Cybersecurity Law’s yet-to-be enforced data localization provision which requires storage of certain types of data in Vietnam and establishment of local presence, as well as the Draft PDP Decree’s proposed requirements for cross border transfer of personal data. Though the data localization and cross border transfer personal data requirements have long been topics of debate due to concerns around, among others, administrative/financial burdens and impacts on data/trade flows, this Draft Decree appears to reflect the Government’s intention to proceed forward them.

Depending on the violation, monetary fines can range from VND 10 – 100 million (approx. US$440 – 4,400). The Draft Decree also provides that the fines levied on companies can be twofold. In serious cases (e.g., repeated violations), the fine can be fivefold or the 5% of the revenue in the Vietnam market of the violating company.

By way of background, the MPS issued this Draft Decree to address growing concerns over cyberspace violations and lack of relevant sanctions under existing legal instruments. According to the proposal accompanying the Draft Decree, the MPS’ areas of focus appear to be, among others, cyberattack/cyber espionage activities, disclosure/loss of state secrets through cyberspace, posting of illegal content on cyberspace, and potential violations on e-commerce platforms.

Violations and their corresponding sanctions under the Draft Decree are provided in the table below.