On May 2, 2024, Vietnam’s Ministry of Justice published on its online platform the most recent version of the draft decree on administrative sanctions for violations in the field of cybersecurity (“Draft Sanction Decree”) to gather feedback and contributions from the community and stakeholders. After receiving the Ministry of Justice’s assessment, the Ministry of Public Security (“MPS”), in charge of drafting the Draft Sanction Decree, may make further revisions before submitting it to the government for review and final decision on enactment. The decree is expected to have an effective date of June 1, 2024.
The stringent penalties for infringements involving personal data of the previous draft version remain in this Draft Sanction Decree—a sign of the proactive stance of the MPS in enforcing the Personal Data Protection Decree (“PDPD”).
Effective Date and Transitional Provisions
It is important to note that the Draft Sanction Decree does not impose any new obligations on organizations or individuals, and only sets out the administrative sanctions that could be imposed on violators as soon as June 1, 2024, which is indicated as the effective date in Article 49. This signals the MPS’s eagerness to begin taking enforcement actions against recalcitrant organizations and individuals that have not complied with the various obligations imposed on them under the Law on Network Information Security (enacted in 2015), the Law on Cybersecurity (enacted in 2018) and its guiding decree (Decree 53 – enacted in 2022), and the most recent PDPD (enacted in 2023).
Article 50.1 of the Draft Sanction Decree outlines the transitional provisions regarding administrative violations in the cybersecurity field. It clarifies that the decree does not have retroactive effect by stating that violations occurring before its effective date, but discovered or under review after that date, will be subject to the regulations on administrative sanctions in force at the time of the violation. Additionally, in cases where the Draft Sanction Decree either lacks sanctions or introduces lighter sanctions for past acts, those lighter provisions will prevail in handling the violations.
Adjustments to Fines and Penalties
The sanctions under the Draft Sanction Decree applicable to violations have been slightly adjusted, with changes to the amount of monetary fines, and the number of additional penalties and/or remedial measures applicable. Businesses will be happy to note that many of the fines in the chapter related to PDPD violations have been decreased compared to the previous draft. However, the maximum fixed monetary fine imposed by the Draft Sanction Decree is still VND 1 billion (approximately USD 40,000), as proposed in the previous draft, and the penalty of up to 5% of the violating enterprise’s turnover of the immediately preceding fiscal year in the Vietnamese market also still applies to certain extreme violations, including:
- Second and subsequent violations of the regulations on personal data protection in marketing and advertising activities;
- Second and subsequent violations of the regulations on illegal collection, transfer, purchase and sale of personal data; and
- Disclosure or misplacement of the personal data of 5 million or more data subjects who are Vietnamese citizens.
In the case of cross-border disclosure or misplacement or cross-border transfer of the personal data of over 5 million data subjects who are Vietnamese citizens, the fine can range from 3% to 5% of the enterprise’s prior fiscal year turnover in the Vietnamese market.
Additional penalties applicable to certain violations may also be imposed, including, among others, revocation of licenses for business lines requiring personal data collection, and confiscation of exhibits and means used for conducting violations. Remedial measures may also be imposed, including, among others, suspension from processing of personal data for 1-3 months; forcible destruction or unrecoverable deletion of personal data; forcible return of illegal profits obtained from the violations; and public apology. The Draft Sanction Decree reshuffled these additional penalties and remedial measures for some of the violations.
Other Changes to the Draft
Interestingly, the Draft Sanction Decree includes new language that would exclude weekends and national holidays from the 72-hour timeline to address requests related to data subjects’ rights and to notify the MPS of PDPD violations, unless the law stipulates otherwise. This might be a sign that the MPS is modifying its original stance and that the 72-hour timeline is referring to 72 hours of working days (i.e., 3 working days). The MPS also did not amend some references to a 48-hour timeline, which was introduced in the previous draft but was deemed to be a typo or a mistake.
Finally, the Draft Sanction Decree no longer includes Article 50.2 from the previous draft, which was meant to annul various penalties for administrative violations in the fields of post, telecommunications, radio frequencies, information technology, and electronic transactions under Decree No. 15/2020/ND-CP, as amended (“Decree 15”). It is thus expected that these sanctions will continue to apply even after the promulgation of the Draft Sanction Decree. However, according to the principle of handling administrative violations in Vietnam, a company cannot be fined twice for the same violation. Therefore, the authority may need to choose whether it wishes to apply the sanction under the Draft Sanction Decree or Decree 15.
Outlook
As this Draft Sanction Decree progresses through the final stages of adoption, stakeholders are encouraged to stay informed and promptly comply with the legal requirements applicable to them—especially with their obligations under the PDPD—before the Draft Sanction Decree takes force (expected to be June 1, 2024).
We will continue to monitor developments closely and provide updates as this important legislative process unfolds.