In order to enforce (i) Decree 53 guiding the Cybersecurity Law and (ii) the Personal Data Protection Decree (i.e., Decree 13), the Ministry of Public Security (“MPS”) has been working on a draft Cybersecurity Administrative Sanctions Decree (“CASD”).
By way of background, the first version of the CASD was released for public consultation in September 2021.
Last year, the MPS also held a workshop in Hanoi to collect public comments on a version of the CASD where repeated violators may be subjected to a monetary fine of up to 5% of the violator’s annual revenue.
Today, the MPS offered an updated version of the CASD for public consultation.
From a quick review, here is the list of notable issues:
- The draft CASD applies to both onshore and offshore entities, including offshore entities (as well as its branches and representative offices in Vietnam) providing telecommunications services, Internet services, content services on the Internet; and IT, cybersecurity, cybersecurity information services.
- The draft CASD sets out a monetary fine of up to 5% of the violator’s total revenue of the preceding fiscal year in Vietnam in the following cases:
(i) repeated violations in protecting personal data when providing marketing and advertising services;
(ii) repeated violations in illegal collection, transfer, sale and purchase of personal data;
(iii) acts of (illegal) disclosing and/or losing personal data of 5,000,000 Vietnamese citizens or more; and
(iv) acts of (illegal) transferring personal data of 5,000,000 Vietnamese citizens or more overseas.
- The tentative effective date of the draft CASD is 01 December 2023.
The deadline for submitting comments to the MPS on the draft CASD is on 20 June 2023.