The most recent version of Vietnam's draft decree on penalties for cybersecurity breaches
- bdvn57
- Jun 7, 2024
- 4 min read
Vietnam is preparing a new decree on sanctions for cybersecurity and data protection violations, with stringent fines and penalties proposed to take effect from June 1, 2024. The draft may still change, but businesses should assess their risk exposure now rather than wait for the final text.
In recent years, Vietnam has been actively developing a comprehensive legal framework to regulate activities in cyberspace, with a focus on personal data protection. Key milestones include the 2018 Law on Cybersecurity, Decree No. 53/2022/ND-CP, and the more recent Decree No. 13/2023/ND-CP, the country's first comprehensive legislation on personal data protection. The framework still lacks a complete enforcement mechanism, however, because it sets out no clear sanctions for non-compliance.
To address this gap, Vietnam’s Ministry of Justice has released the latest draft decree on administrative sanctions for cybersecurity violations ("Draft Sanction Decree") for public feedback. After review by the Ministry of Justice, the Ministry of Public Security (MPS), which is responsible for drafting the decree, may make further revisions before submitting it to the government for final approval. The decree is expected to come into effect on June 1, 2024.
This version retains the strict penalties for breaches involving personal data, demonstrating the MPS's determination to enforce the Personal Data Protection Decree (PDPD).
Main points of the proposed decree
Anticipated effective date
The MPS has suggested June 1, 2024, as the anticipated effective date, with no grace period. However, there is a possibility that this date may be changed due to the need for further refinement of certain provisions.
No additional requirements
The Draft Sanction Decree does not introduce new obligations for organizations or individuals. Under its Article 49, it specifies the administrative sanctions that may be imposed on offenders from June 1, 2024 for breaches of obligations that already exist under the 2015 Law on Network Information Security, the 2018 Law on Cybersecurity and its guiding decree (Decree No. 53/2022/ND-CP), and the PDPD. This signals the MPS's readiness to enforce those existing obligations.
Stringent consequences and disciplinary measures for breaches of data protection
Some fines for PDPD violations have been reduced compared to the previous draft. The maximum fixed monetary fine of VND 1 billion (approximately US$39,285) is unchanged, however, and the most severe violations can still be penalized with up to 5 percent of the violating enterprise's turnover in Vietnam in the previous fiscal year.
The specific infractions include:
- Repeated violations of regulations for safeguarding personal data in marketing and advertising
- Repeated illegal gathering, transfer, purchase, and trade of personal data
- Disclosure or loss of the personal data of 5 million or more Vietnamese citizens
The severity of the penalties increases based on the number of affected individuals:
- Fines of up to 5 percent of total revenue for infractions affecting more than five million citizens.
- Fines of up to VND 500 million for breaches affecting one to five million citizens.
- Fines of up to VND 200 million for violations affecting 100,000 to one million citizens.
For organizations, these fines could double, potentially reaching 10 percent of their total revenue.
For transnational violations involving the personal data of over 5 million Vietnamese citizens, fines can range from 3 percent to 5 percent of the enterprise’s previous fiscal year turnover in Vietnam.
Additional repercussions for certain violations may include revocation of licenses, confiscation of means used for violations, and various corrective actions, such as suspension from processing personal data, destruction or unrecoverable deletion of personal data, and return of illicit gains.
No retroactive sanctions
Article 50.1 of the Draft Sanction Decree, which sets out transitional provisions for administrative violations in cybersecurity, rules out retroactive application. The decree will not apply to violations that occurred before its effective date but were only discovered or reviewed afterward; such cases are handled under the regulations in force at the time of the violation. The one exception is in the offender's favour: where the Draft Sanction Decree imposes lighter sanctions, or none, for a past act, its provisions take precedence.

Inconsistencies with existing law
The Draft Sanction Decree, despite being in an advanced stage, contains provisions that conflict with existing laws. For example:
1. Data subject requests: Decree 13 provides a 72-hour window to respond to data subject requests, while the draft decree shortens this to 48 hours, creating a discrepancy.
2. Data storage conditions: Decree 13 allows data storage with valid consent, whereas the draft decree imposes additional requirements such as contracts or documents from competent authorities, potentially conflicting with the existing law.
3. Changes from the previous draft: The latest version of the Draft Sanction Decree no longer contains Article 50.2, which would have nullified penalties for administrative violations under Decree No. 15/2020/ND-CP, as amended ("Decree 15").
Consequently, the sanctions under Decree 15 are expected to remain in force. However, Vietnamese law does not allow a company to be penalized twice for the same violation, so the competent authority will have to decide whether to apply the Draft Sanction Decree or Decree 15 in a given case.
In summary, the Draft Sanction Decree is expected to take effect on June 1, 2024, with no grace period. It sets out administrative sanctions for violations of existing cybersecurity and data protection obligations and imposes no new obligations of its own.

Conclusion
The proposed decree is a significant step forward in establishing a comprehensive legal framework for cybersecurity and personal data protection in Vietnam. It demonstrates the government's dedication to addressing the increasing significance of data security and privacy in the digital era. However, the presence of inconsistencies in the proposed decree emphasizes the need for further review and enhancement before its official implementation.
Even though enactment may be delayed, businesses that process personal data should proactively bring their operations into line with the regulations already in force, since those are the obligations the decree will sanction from June 1, 2024. By prioritizing compliance with current regulations, businesses reduce the risk of penalties and demonstrate their commitment to data protection standards.