On 20 September 2021, the Ministry of Public Security (MPS) released the Draft Decree on Cybersecurity Administrative Sanctions (“Draft Decree”). The MPS is collecting public opinions on this Draft Decree until 18 November 2021.

The Draft Decree consists of four chapters and 51 articles, with the main substance regarding administrative violations, penalties, and remedial measures covered under Chapter II.

Key takeaways

  • The Draft Decree’s extra-jurisdictional governing scope will impact both domestic and offshore organizations and individuals.
  • The fine applicable to a violating organization can amount to up to 5% of its revenue generated in the Vietnam market.
  • Certain provisions under the Draft Decree provide some indication as to how the MPS has updated the Draft Decree on Personal Data Protection (“Draft PDPD“) that was released in February 2021 by laying out specific sanctions concerning the personal data protection regime applicable to the “Personal Data Controller,” the “Personal Data Controlling and Processing Entity,” and “Third Party.” These terms are not mentioned in the version of the Draft PDPD released in February 2021.

In depth

  1. Scope of application

The Draft Decree sets out specific administrative violations and their corresponding penalties, sanction levels, remedial measures, and the competent authorities tasked to handle the administrative violations in cybersecurity.

  1. Governed subjects

The governed subjects include both Vietnamese and foreign organizations and individuals committing administrative violations in cyberspace. By organizations, the Draft Decree refers to, among others:

  • Foreign enterprises or their branches, representative offices, business locations that provide services of telecommunication, internet, content cyberspace, information technology, cybersecurity, and cyber information security
  • Organizations, enterprises that provide information services1 in cyberspace
  • Domain name registrars
  • Information system owners
  • Information system operators
  1. General application rules

The main forms of sanctions include warnings and monetary fines. However, subject to the nature and seriousness of the violation, a violating entity may further be subject to one or more additional sanctions as follows:

  • Deprivation of the right to use licenses, certificates or practicing certificates for a definite time or suspension of operations for a definite time
  • Confiscation of material evidence, means, and documents related to the violation
  • Prohibition of practicing or doing work related to the violation in the field of cybersecurity

However, there is no clear guidance on how the nature and seriousness of the violation would be determined.

Furthermore, the Draft Decree also provides for a set of remedial measures applicable to the violating entity. Among which, there are:

  • Forced implementation of the remedial measures on cybersecurity
  • Forced deletion or correction of information that violates the laws on cybersecurity
  • Forced return of illegal profits obtained from committing administrative violations

The amount of fines set out under the Draft Decree are applicable to violating individuals. For violating organizations, the applicable fines will be doubled in most cases. For special cases where the nature, seriousness, consequences of the violation, violating entity, aggravating factor and repetition of violation are taken into account, the competent agency has the discretion to either:

  • Apply five times the amount of monetary fines applicable to the violating individual or organization
  • Apply a fine of 5% of the revenue generated in Vietnam market by the violating organization

That said, the authority to impose a fine multiplied by five times is currently left blank and pending further consideration.2

  1. Classification of administrative violations and their corresponding sanctions, remedies

Administrative violations in cyberspace are grouped into five classes under Chapter II as follows:

  1. Violations of information security assurance – Section I
  2. Violations of personal data protection – Section II
  3. Violations of prevention of and combat against cyberattacks – Section III
  4. Violations of implementation of cybersecurity protection activities – Section IV
  5. Violations of prevention of and combat against the use of cyberspace, information technology, and electronic devices to violate the laws on social order and safety – Section V

Although it remains unclear how the administrative sanction framework applies to offshore entities in general, the violations specified under Sections I and IV may have significant impact on offshore service providers because of the following reasons:

  • The Draft Decree has introduced terms like Personal Data Controller, Personal Data Controlling and Processing Entity, the Third Party, and officer in charge of personal data protection, but there is no further definition or description in the Draft Decree (or the draft PDPD) of who such persons/entities are and their specific rights, roles or obligations. This in turn may cause great uncertainty in understanding well what acts would be considered violations.
  • The Draft Decree sets out several new obligations that have not been provided nor described in other substantive regulations. In other words, the Draft Decree imposes fines on entities for committing acts considered illegal without first prescribing that such acts are illegal in other legal documents.

The table below outlines some notable violations under each of the five sections mentioned above:

Concerning violationsApplicable fine3
Section I. Violations of information security assurance
Article 12. Violations of regulations on responsibility for processing information containing contents that violate the lawsArticle 12.1a) Providing or sharing links to online information containing any content that violates the lawsb) Failing to take administrative and technical measures to prevent, detect, stop or remove information containing any content that violates the lawsc) Failing to cooperate with competent agencies in implementing administrative and technical measures to prevent, detect, stop and remove information containing any content that violates the lawsd) Failing to take administrative and technical measures to prevent, detect, stop or remove information containing any content that violates the laws at the request of the competent agenciesdd) Failing to remove information containing any content that violates the laws at the request of the competent agenciese) Failing to provide information about violations of the laws posted or shared on information systems, [or about] products and services provided by organizations or individualsVND 80 million to VND 120 million (approx. USD 3,500 to USD 5,300) 
Article 12.2Same violation as Article 12.1 committed for the second time (not applicable to violation under Article 12.1(a)) of the Draft DecreeUp to VND 200 million (approx. USD 8,800)
Article 13. Violations of regulations on protecting information classified as state secrets, business secrets, personal secrets, work secrets, family secrets and private life in cyberspaceArticle 13.2c) Failing to comply with requests of the specialized cybersecurity protection forces on prevention and combat of cyberespionage, protection of information classified as state secrets, work secrets, business secrets, personal secrets, family secrets, and private life in accordance with the lawsVND 80 million to VND 120 million (approx. USD 3,500 to USD 5,300)
Section II. Violations of personal data protection
Article 14. Violations of principles on personal data protectionArticle 14.1a) Personal data is processed in contravention of the laws.b) The data subject is not informed or does not receive a notification of the processing of their personal data.c) Personal data is not processed in accordance with the purposes for which it is registered, [and/or] the statement about processing of personal data.d) Personal data is collected inappropriately and not within the scope and purpose of processing.dd) Personal data is updated or supplemented not in accordance with the purposes of processing.e) Personal data is not afforded with protection and security measures during processing, including protection against violations of regulations on personal data protection and prevention and combating of loss, destruction or damage caused by incidents [or] use of technical measures.g) Personal data is stored beyond the period for data processing purposes.VND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100) 
Article 14.2Data Controller’s failure to comply with the principles of data processing specified in Articles 3.1 to 3.7 of the Decree on Protection of Personal Data and failure to demonstrate its compliance with such principlesVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 15. Violations of the rights of data subjectsArticle 15.1a) The data subject is not informed of the purposes of data collection, the manner under which the personal data is used and shared to the Personal Data Controller, the Personal Data Controlling and Processing Entity, the Data Processor or the Third Party (if any) at the time of collection, or notified when the data is indirectly collected from the Third Party, except where such information collection and processing has been previously notified.b) The Personal Data Controller, the Personal Data Processor, the Personal Data Controlling and Processing Entity, [or] the Third Party collects and processes the personal data without the data subject’s consent.c) The data subject cannot access to view and edit his/her personal data after it has been collected, unless notified in advance.d) The Personal Data Controller, the Personal Data Controlling and Processing Entity, the Data Processor, or the Third Party (if any) continues collecting and processing the personal data after the data subject has withdrawn his/her consent, unless otherwise specified by law.dd) The Personal Data Controller or the Personal Data Controlling and Processing Entity does not delete the personal data at the request of the data subject in cases where it is no longer needed for the original purposes of collection, unless otherwise specified by law.e) The Personal Data Controller or the Personal Data Controlling and Processing Entity does not delete the data within 48 hours after being requested by the data subject, unless otherwise specified by law.g) The Personal Data Controller, the Personal Data Controlling and Processing Entity, the Data Processor or the Third Party (if any) does not restrict the processing of personal data after being requested by the data subject, unless otherwise specified by law.h) The Personal Data Controller, the Personal Data Controlling and Processing Entity, the Data Processor or the Third Party (if any) does not provide personal data at the request of the data subject or does not assure the provision within 48 hours after being requested by the data subject.i) The Personal Data Controller or the Personal Data Controlling and Processing Entity fails to prevent or restrict the disclosure of personal data or use it for advertising or marketing purposes after being opposed by the data subject, unless otherwise prescribed by law, or does not assure such [prevention or restriction] within 48 hours after being requested by the data subject.VND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 15.2Acts committed by the Personal Data Controller, the Personal Data Controlling and Processing Entity, the Data Processor or the Third Party (if any) to prevent the data subject from complaining, denouncing or initiating lawsuits in accordance with the Law on Complaints and Denunciations, and other relevant legal documents in the cases specified in Clause 9, Article 5 of the Decree on Protection of Personal DataVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 16. Violations of regulations with regard to the data subject’s consentArticle 16.1a) Processing of personal data without the consent of the data subjectb) The consent of the data subject is not clearly expressed in accordance with the provisions in Clause 3, Article 6 of the Decree on Protection of Personal Data.c) Using the consent of the data subject for wrong purposesd) The consent of the data subject is not expressed in a format that can be printed or reproduced in writing, including in electronic form or verifiable format.dd) Having no provision that the data subject may give partial or conditional consente) Failing to notify or make it clear to the data subject that the data to be processed is sensitive personal datag) Continuing to process the personal data after the data subject decides otherwise or a competent state agency requests in writingh) Failing to prove or disclaiming the obligation to prove the consent of the data subject resting with the Personal Data Controller and/or the Personal Data Controlling and Processing EntityVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 16.2Violations of regulations on audio and video recording, and processing of personal data collected through audio and video recording in public places for security purposes specified in Clause 12, Article 6 of the Decree on Protection of Personal DataVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 18. Violations of regulations on processing personal data without the consent of the data subject1. Not necessary for response to an emergency that threatens life, health or safety of the data subject or other individuals2. Not personal data required to be made public by law3. Not for the national benefits or the national security, or [not] performed by the competent agencies as prescribed by law4. Not consistent with the authority to investigate and handle violations of laws as prescribed5. Not serving the operations of state agencies as prescribed by lawVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 25. Violations of regulations on assessing impacts of personal data processingArticle 25.1a) The Personal Data Controller or the Personal Data Controlling and Processing Entity fails to assess and keep records of assessing impacts of personal data processing.b) The records of assessing impacts of personal data processing made by the Controller and the Personal Data Controlling and Processing Entity are incomplete with the contents specified in Clause 1, Article 15 of the Decree on Protection of Personal Data.c) The Personal Data Processor fails to keep records of assessing impacts of all personal data processing activities performed on behalf of the Personal Data Controller.d) The records of assessing impacts of personal data processing specified in Clauses 1 and 2, Article 15 of the Decree on Protection of Personal Data are not made in writing with legal value by the Personal Data Controller, the Personal Data Controlling and Processing Entity or the Personal Data Processor.VND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 25.2Failure to ensure the availability of the records of assessing impacts of personal data processing and send one original copy of the records to the personal data protection authority after the entity goes into operation within 60 working daysVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 26. Violations of regulations on cross-border transfer of personal dataArticle 26.1a) Cross-border transfer of personal data of Vietnamese citizens outside the Socialist Republic of Vietnam without satisfying three conditions provided for in Clause 2, Article 16 of the Decree on Protection of Personal Datab) The records of assessing impacts of cross-border transfer of personal data do not contain complete information as prescribed in Clause 3, Article 16 of the Decree on Protection of Personal Data.c) Having no legally binding agreement on organizations and individuals involved in transfer and receipt of personal data of Vietnamese citizens in accordance with the provisions on protection of personal data in Clause 4, Article 16 of the Decree on Protection of Personal DataVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 26.2a) Failure to make available the records of assessing impacts of cross-border transfer of personal data and the legally binding agreement on organizations and individuals involved in transfer and receipt of personal data of Vietnamese citizens for the inspection and assessment by the personal data protection authority; and failing to send one original copy of the records and the agreement to the personal data protection authority after the entity goes into operation within 60 working daysb) The data transferor fails to notify the personal data protection authority of the information and contact details of the officer in charge when the data transfer is successful.c) Disclosure or loss of personal data after cross-border transfer, causing consequences for up to 10,000 data subjects who are Vietnamese citizensVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800) 
Article 26.3Disclosure or loss of personal data after cross-border transfer, causing consequences for up to 100,000 data subjects who are Vietnamese citizensVND 320 million to VND 400 million (approx. USD 14,200 to USD 17,700)
Article 26.4Disclosure or loss of personal data after cross-border transfer, causing consequences for up to 1,000,000 data subjects who are Vietnamese citizensVND 480 million to VND 600 million (approx. USD 21,200 to USD 26,500)
Article 26.5Disclosure and loss of personal data after cross-border transfer, causing consequences for more than 1,000,000 data subjects who are Vietnamese citizens5% of the total revenue in Vietnam
Article 27. Violations of regulations on personal data protection in providing marketing services and presenting advertising productsArticle 27.1a) Organizations and individuals providing marketing services and presenting advertising products which use personal data of customers that are not collected through their business activities to provide marketing services and presenting advertising productsVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 27.2Same violation of Article 27.1 for the second timeVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 27.3Same violation of Article 27.1 three times or more5% of the total revenue in Vietnam
Section III. Violations of prevention of and combat against cyberattacks
Article 31. Violations of regulations on preventing and combating cyberattacksArticle 31.1g) Failing to provide adequate and timely information and documents relating to cyberattacks at the request of competent agenciesVND 80 million to VND 120 million (approx. USD 3,500 to USD 5,300)
Article 31.2b) Manufacturing, buying or selling, exchanging, or giving any information technology software that is harmful to computer networks, telecommunication networks, or electronic meansc) Failing to coordinate with the specialized cybersecurity protection forces in taking measures to prevent and eliminate cyberattacksd) Providing illegal cyberattack servicesVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 31.3Same violation of Articles 31.1 and 31.2 committed for the second timeUp to VND 200 million (approx. USD 8,800)
Article 32. Violations of regulations on preventing and combating cyberterrorismArticle 32.1a) Using cyberspace to incite terrorism or threaten terrorismb) Deliberately sharing and commenting to promote propaganda of terrorist organizations and individuals in cyberspaceVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 32.2a) Assisting the use of cyberspace for the purposes of supporting, sponsoring or mobilizing others to support and sponsor terrorist organizations and individualsb) Delaying, obstructing or failing to take measures at the request of functional forces in preventing and combating cyber-terrorismc) Assisting terrorist organizations and individuals to use cyberspace to deal with measures for preventing and combating cyberterrorism taken by authorities, which is not yet subject to criminal prosecutionVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 32.3Same violation of Article 32.1 for the second timeUp to VND 200 million (approx. USD 8,800)
Article 33. Violations of regulations on preventing and dealing with cybersecurity high-risk situationsArticle 33.1a) Creating, spreading, or failing to coordinate in preventing and removing information containing inciting contents in cyberspace that may lead to riots, security disruptions, or terrorismb) Failing to coordinate in deploying technical and professional solutions in order to prevent, detect and deal with cybersecurity high-risk situationsc) Failing to coordinate with the specialized cybersecurity protection forces under the Ministry of Public Security in preventing, detecting and dealing with cybersecurity high-risk situationsd) Failing to immediately deploy emergency prevention and response plans in respect of cybersecurity, to prevent, eliminate or mitigate damages resulting from cybersecurity high-risk situationsdd) Failing to coordinate in collecting relevant information; continuously monitor and supervise cybersecurity high-risk situationse) Failing to cease the provision of network information in a specific area or disconnect the international network gatewaysg) Failing to arrange forces and means to prevent or eliminate cybersecurity high-risk situationsVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100) 
Article 33.2Same violation of Article 33.1 committed for the second timeUp to VND 200 million (approx. USD 8,800)
Section IV. Violations of implementation of cybersecurity protection activities
Article 35. Violations of regulations on cybersecurity protection for information systems not on the list of information systems critical to national securityArticle 35.1a) Failing to coordinate with the specialized cybersecurity protection forces to take measures for cybersecurity protection when detecting that the information system under [their] management scope is involved in violations of the laws on cybersecurityb) Failing to notify the specialized cybersecurity protection forces when detecting any violations of the laws on cybersecurity with respect to information systems of state agencies, central and local political organizationsc) Failing to comply with the request of the specialized cybersecurity protection forces to remedy security flaws or vulnerabilities, and violations of the laws on cybersecurityVND 20 million to VND 40 million (approx. USD 880 to USD 1,760)
Article 36. Violations of regulations on cybersecurity protection for national cyberspace infrastructure and international network gatewaysArticle 36.1a) Failing to coordinate with the specialized cybersecurity protection forces in cybersecurity monitoring for national cyberspace infrastructure and international network gatewaysb) Failing to coordinate and provide information and data for investigation and handling of violations of the laws upon written requestc) Failing to arrange premises, gateways, necessary technical and professional conditions and measures for the specialized cybersecurity protection forces to perform the tasks of cybersecurity protection in accordance with the lawd) Failing to implement measures for cybersecurity protection; failing to comply with the requests of the specialized cybersecurity protection forces for cybersecurity protectionVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 36.2Same violation of Article 36.1 committed for the second timeVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 37. Violations of regulations on information security assuranceArticle 37.1a) Failing to verifying information when users register for digital accountsb) Failing to keep confidential information and accounts of usersc) Failing to provide user information to the specialized cybersecurity protection forces under the Ministry of Public Security upon written request for investigating and handling violations of laws on cybersecurity without proper reasonsd) Failing to prevent or take necessary measures to prevent the sharing of information and removing information with contents set out in Clauses 1, 2, 3, 4 and 5 of Article 16 of this Law on Cybersecurity on services or information systems directly managed by the agencies or organizations within 24 hours of the request of the specialized cybersecurity protection forces under the Ministry of Public Security or the competent agencies under the Ministry of Information and Communications, and saving system logs for investigating and handling violations of the laws on cybersecuritydd) Providing services on telecommunication networks and the internet and value-added services to organizations and individuals posting information in cyberspace with any contents set out in Clauses 1, 2, 3, 4 and 5 of Article 16 of this Law on Cybersecuritye) Websites and social networks do not have a server system located in Vietnam for investigation, inspection, storage and provision of information at the request of competent state agencies, or settlement of customer complaints about the provision of services as prescribedVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 37.2Failing to store data and set up branches or representative offices in Vietnam as prescribed in Clause 3, Article 26 of the Law on CybersecurityVND 160 million to VND 200 million (approx. USD 7,100 to USD 8,800)
Article 37.3Same violation of Article 37.2 for the third time5% of the revenue in the Vietnam market
Article 38. Violations of regulations on coordination with the specialized cybersecurity protection forces to investigate and handle violations of lawsArticle 38.1a) Failing to provide user information to the specialized cybersecurity protection forces under the Ministry of Public Security upon written request for investigating and handling violations of laws on cybersecurityb) Failing to comply with written requests of the specialized cybersecurity protection forces under the Ministry of Public Security in managing and providing services on telecommunication networks and the internet for organizations and individuals committing the violations specified in Clauses 1 and 2 of this Article. 1, 2, 3, 4, 5 Article 16 Law on Cybersecurityc) Failing to implement administrative and technical measures to prevent, detect, prevent and remove information containing contents specified in Clauses 1, 2, 3, 4, 5, Article 16 of the Law on Cybersecurity on information systems under their management scope upon request of the specialized cybersecurity protection forcesVND 40 million to VND 80 million (approx. USD 1,800 to USD 3,600) 
Article 38.2Same violation of Article 38.1 committed for the second timeVND 80 million to VND 120 million (approx. USD 3,500 to USD 5,300)
Article 39. Violations of regulations on children protection on cyberspaceArticle 39.1a) Failing to implement measures to control information contents on the information systems or services they provide, causing harm to children or infringing upon children and children’s rightsb) Failing to prevent the sharing and deletion of information containing any content that is harmful to children or infringes upon children and children’s rightsc) Failing to coordinate with competent agencies in assuring children’s rights on cyberspaceVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100) 
Article 39.2Same violation of Article 39.1 committed for the second timeUp to VND 200 million (approx. USD 8,800)
Section V. Violations of prevention of and combat against the use of cyberspace, information technology, and electronic devices to violate the laws on social order and safety
Article 40. Violations of regulations on preventing and combating the use of cyberspace, information technology or electronic means to violate economic management orderArticle 40.1a) Posting information on buying, selling, exchanging, giving, collecting, leasing, lending, illegally using payment account information, accounts in the field of currency and banking, digital accounts, or credit card information on cyberspaceb) Posting information on buying and selling of goods and services prohibited by law for the purposes of deceiving and appropriating property on cyberspaceVND 40 million to VND 80 million (approx. USD 1,800 to USD 3,600)
Article 40.3dd) Using cyberspace for calling for charity to deceive and appropriate propertye) Appropriating, collecting, storing, disclosing information about other’s digital accounts without authorizationg) Illegally accessing digital accounts of agencies, organizations and individuals in order to appropriate propertyh) Illegally setting up and providing telecommunication services and the internet in order to appropriate property; stealing international telecommunication charges on the interneti) Making, storing, buying, selling, using and circulating counterfeit bank cards in order to appropriate account holders’ or cardholders’ property or pay for goods or servicesk) Infiltrating or attacking information systems serving transactions of currency, finance, securities or other transferable assets on cyberspaceVND 120 million to VND 160 million (approx. USD 5,300 to USD 7,100)
Article 40.4a) Setting up information systems, websites, applications, peer-to-peer lending platforms, virtual currencies, virtual assets and the like without permission or approval from competent agenciesb) Setting up information systems, websites, applications, exchange platforms for foreign currencies, metals, oil, gems and the like without permission or approval from competent agenciesVND 160 million to VND 200 million (approx. USD 3,500 to USD 5,300)
Article 41. Violations of regulations on preventing and combating the use of cyberspace, information technology and electronic means to violate social orderArticle 41.1a) Gambling on cyberspaceb) Posting advertisements for illegal redemption games, gambling, or organizing gambling on cyberspacec) Posting advertisements for prostitution, pornography, and debauchery on cyberspaceVND 40 million to VND 80 million (approx. USD 1,800 to USD 3,600) 
Article 41.2a) Setting up information systems, websites and applications to organize illegal gambling on cyberspaceb) Providing information technology, hardware, software, payment and intermediary payment services; setting up websites/web portals or applications infringing upon copyright or industrial property rightsc) Setting up information systems, websites or applications containing pornographic and depraved contentsd) Organizing the filming and live streaming of images containing pornographic and depraved contents on information systems, websites or social networksdd) Providing information technology, hardware, software and other services to support and serve the filming and live streaming of images containing pornographic and depraved contentse) Failing to censor, prevent or remove pornographic and depraved contents on information systems, websites, and social networksg) Posting information on illegally buying and selling narcotic substances and banned substances on cyberspaceh) Posting information on buying and selling recipes, preparation methods, precursors, means and tools used in the illegal production or use of narcotic substances and banned substances on cyberspacei) Posting information on buying and selling human tissues, organs, and people on cyberspacek) Posting information on instructing, enticing, soliciting or coercing others to commit violations of laws on cyberspacel) Posting advertisements for lending services with interest rates exceeding the maximum interest rates specified in the Civil Code on cyberspacem) Posting information on buying and selling weapons, explosive materials, combat gears, costumes, stripes, badges and numbers of the Public Security and the National Army on cyberspaceVND 80 million to VND 120 million (approx. USD 3,500 to USD 5,300)
Article 42. Violation of regulations on verification, identification and security of digital accountsArticle 42.1a) Failing to verify and identify with valid identity documents for digital accounts serving currency transactions, financial transactions, securities transactions, or transactions of other transferable assets on cyberspaceb) Failing to take measures to warn holders when their digital accounts have currency transactions, financial transactions, securities transactions, or transactions of other transferable assets on cyberspacec) Failing to store device information, IPs and login time of digital accounts for at least 90 daysVND 80 million to VND 160 million (approx. USD 3,500 to USD 7,100)

1 According to Articles 3.14 and 3.17, Decree No. 72/2013/ND-CP on management, provision, and use of internet services and online information, “Information service” means the provision of public information to service users, and “public information” is online information of an organization or individual that is publicly provided without identifications or addresses of receivers.

2 Article 43.4 of the Draft Decree.

3 For your ease of reference, we converted the proposed fines into the amounts applicable to violating organizations.