On 20 September 2021, the Ministry of Public Security ("MPS") released the Draft Decree on Penalties for Administrative Violations in Cybersecurity (“Draft Decree”) to gather public opinion (with a specified deadline falling on 18 November 2021). This Draft Decree, tentatively taking effect on 1 December 2021, will potentially impact on both local and international businesses' operation in Vietnam.

The Draft Decree consists of four (4) chapters and 51 articles, with the main substance regarding administrative violations, penalties, and remedial measures covered under Chapter 2.

Please find below a summary of the notable issues under the Draft Decree:

1. Governing Scope and Subjects of Application

  • The Draft Decree prescribes administrative violations, penalties, sanctioning levels, remedial measures, and competent authorities to handle administrative violations in cybersecurity.
  • Subjects regulated by the Draft Decree include both Vietnamese and foreign organizations and individuals committing administrative violations in cyberspace. 
  • Among others, the Draft Decree's key subjects of application include "foreign enterprises or their branches, representative offices, business locations that provide services on telecommunication networks or the Internet, content provision services in cyberspace, information technology, cybersecurity, and cyber information security."

2. Main Areas of Sanction

  • Chapter 2 of the Draft Decree enumerates five (5) categories of administrative violations based on the object that has been violated, including (i) information security assurance; (ii) personal data protection; (iii) prevention of and combat against cyberattacks; (iv) implementation of cybersecurity protection activities; and (v) prevention of and combat against the use of cyberspace, information technology, and electronic devices to violate the law on social order and safety.
  • Below are some key segments that may have direct/significant impacts on both local and international businesses:

Personal data protection (Articles 14 - 30): 

The Draft Decree encompasses sanctions for failing to satisfy requirements on personal data protection, which correlate with the main content of the Draft Decree on Personal Data Protection (“Draft PDPD”) - Vietnam's first-ever comprehensive piece of legislation on personal data. 

The Draft Decree seems to reflect new changes under the undisclosed new version of the Draft PDPD (the Draft PDPD may now recognize the concepts of data controllers, as well as the data controllers who also act as a data processor).

Pecuniary sanctions in this area may reach VND 200 million (approx. US$8,600).

Notice and takedown of illegal contents (Article 37): 

Companies may be sanctioned up to VND 160 million (approx. US$6,900) for, among others, failing to apply preventive measures to prevent the sharing of information or delete the information within 24 hours from the time of request of competent authorities.

Data localization (Article 37.2): 

Companies that fail to store data or establish a branch or a representative office in Vietnam in accordance with Article 26.3 of the Law on Cyber Security may be sanctioned up to VND 200 million (approx. US$8,600).

Digital account (Article 42): 

Companies failing to authenticate and identify with the legal ID papers for digital accounts serving currency, financial, securities or other transferable assets transactions in cyberspace are subjects to a pecuniary fine up to VND 160 million (approx. US$6,900).

  • Last but not least, repetitive offenders of certain violations (those who make the same violation for the third time and above) may be subject to a pecuniary fine equal to 5% of their total revenue in Vietnam.