To enforce (i) Decree 53 guiding the Cybersecurity Law and (ii) the Personal Data Protection Decree (i.e., Decree 13), the Ministry of Public Security (MPS) has been working on a draft Cybersecurity Administrative Sanctions Decree (CASD).
By way of background, the first version of the CASD was released for public consultation in September 2021.
Last year, the MPS also held a workshop in Hanoi to collect public comments on a version of the CASD where repeated violators may be subjected to a monetary fine of up to 5% of the violator’s annual revenue.
Today, the MPS offered an updated version of the CASD for public consultation.
From a quick review, below are the notable issues:
- The draft CASD applies to both onshore and offshore entities, including offshore entities (as well as their branches and representative offices in Vietnam) providing telecommunications services, internet services, content services on the internet and IT, cybersecurity and cybersecurity information services.
- The draft CASD sets out a monetary fine of up to 5% of the violator’s total revenue of the preceding fiscal year in Vietnam in the following cases:
- Repeated violations in protecting personal data when providing marketing and advertising services
- Repeated violations in illegal collection, transfer, sale and purchase of personal data
- Acts of (illegally) disclosing and/or losing the personal data of 5 million or more Vietnamese citizens
- Acts of (illegally) transferring the personal data of 5 million or more Vietnamese citizens overseas
- The tentative effective date of the draft CASD is 1 December 2023.
The deadline for submitting comments to the MPS on the draft CASD is 20 June 2023.