Cybersecurity Vietnam: Latest Draft of Cybersecurity Administrative Sanctions Decree
The Vietnamese Ministry of Public Security (MPS) has released the third draft of a Cybersecurity Administrative Action Decree (CASD). The draft CASD is scheduled to come into force on 1 December 2023. The experts from ECOVIS Vietnam OC Law in Ho Chi Minh City explain what this means in concrete terms for companies.
The CASD draft was released on 31 May 2023 to enforce Decree 13/2023/ND-CP on personal data protection (Decree 13) and Decree 53/2022/ND-CP, which provides guidance on cybersecurity law (Decree 53).
The most important aspects of the CASD
An initial assessment points to the following key aspects:
- Scope of application: The draft CASD is applicable to both domestic and foreign entities, including foreign entities providing telecommunications, internet, content services on the internet, IT, cybersecurity, and cybersecurity information services (as well as their legal presence in Vietnam).
- Introduction of new violations: In accordance with the obligations outlined in Decree 53 and Decree 13, the third draft CASD introduces additional sanctions for infringements associated with the management of personal data containing prohibited content in cyberspace, as well as the collection, modification, storage, deletion, and removal of personal data. Among other things, the decree also incorporates provisions concerning breach notification requirements.
- Types of penalty: The draft CASD proposes two principal forms of administrative penalty, a warning and monetary fine. Remarkably, it stipulates that violators may face fines of up to 5% of their total revenue from the preceding fiscal year in Vietnam under the following circumstances:
- Repeated violations concerning safeguarding personal data while offering marketing and advertising services
- Repeated violations involving the unauthorised collection, transfer, sale, and purchase of personal data
- Acts of (illegally) disclosing or loss of personal data belonging to 5 million or more Vietnamese citizens
- Acts of (illegal) transfer of personal data belonging to 5 million or more Vietnamese citizens to overseas locations
Companies must act urgently and lay down the tracks for cyber security and the protection of personal data.Nguyen Nhuan, Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Key Considerations
Interested stakeholders are urged to submit their comments on the draft CASD to the MPS for consideration by 20 June 2023. Given the time constraints and the imminent impact of Decree 13, it is imperative that businesses take action promptly to ensure compliance with Vietnam’s evolving regulatory framework on cybersecurity and personal data protection.
For further information please contact:
Vu Manh Quynh, Managing Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Email: quynh.vu@ecovislaw.vn
Nguyen Nhuan, Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Email: nhuan.nguyen@ecovislaw.vn
Contact us:
Vu Manh Quynh
Nguyen Nhuan
ECOVIS Vietnam Law
Unit SAV1.02.11, Tower 1, The Sun Avenue,28 Mai Chi Tho Street, Thu Duc City
71100 Ho Chi Minh City
Phone: +84 898 120 121
www.ecovis.com/vietnam/law