Facing the increasing influence of cyberspace on information activities, propaganda, and the orientation of public opinion, the Cybersecurity Law 2018 was issued. Until now there has been no regulation setting out sanctions for violations of this law. Recently, the Ministry of Public Security (MPS) issued the third draft decree on sanctioning administrative violations in the field of cyber security (Third Draft Decree). If adopted, the Third Draft Decree will go into effect on 1 December 2023.
This update will highlight some significant points of the Third Draft Decree.
The Third Draft Decree specifies administrative violations, finished administrative violations and ongoing administrative violations, sanctioning forms, sanctioning levels, remedial measures for each act of administrative violations, sanctioned subjects, competence to make minutes, and sanctioning competence for administrative violations in the field of cyber security. It will apply to Vietnamese organizations and individuals, and foreign organizations and individuals committing administrative violations specified in the Third Draft Decree.
Fines will be the main penalty applied to each administrative violation. The Third Draft Decree adds the sanction that a foreigner who commits a violation can be expelled from Vietnam. In addition, the fine could be as high as 5% of the revenue of the preceding fiscal year or profits earned from administrative violations. Factors that affect the level of the fine are the nature, extent, and consequences of the violation, the violators, and the aggravating circumstances, as well as the number of violations.
According to the statistics of MPS, incorrect and false information is posted on social media regularly. Some social networks are not performing well in managing, securing, censoring, and controlling public information. It is possible for users to post information that might break the law. Under the Third Draft Decree, the fine for setting up electronic information pages, social networks or accounts, specialized pages, associations, groups on social networks, and electronic forums in order to post, or to guide the creation and posting of, information whose content is untrue, distorts, insults, humiliates, slanders, or affects the legitimate rights and interests of organizations and individuals has increased significantly compared to the previous draft. The fine for an organization that commits this violation can be from VND 120 million to 160 million, whereas the fine specified in the previous draft was only from VND 80 million to 120 million.
The Third Draft Decree also covers violations of Vietnam’s first-ever Decree on the Protection of Personal Data, which entered into force on 1 July 2023 (Decree 13). It can be considered a violation of the data subject's rights if the personal data controller, personal data controller and processor, data processor, or third party, amongst others:
- Does not delete the data within a statutory time limit after the data subject's request;
- Fails to provide personal data at the request of the data subject; or
- Fails to guarantee the data provision to be made within a statutory time limit after the request of the data subject.
An organization that violates the above regulations may be fined from VND 40 million to 80 million. In addition, the competent authority can also apply additional penalties such as deprivation of the right to use the business license in the line of business requiring personal data collection for a period of one to three months, and confiscation of material evidence and methods of administrative violations.
In general, under the Third Draft Decree, almost all the requirements related to personal data protection outlined in Decree 13 are associated with administrative penalties for violations, which appear to be relatively severe. In particular, for the violator who is an organization or entity:
The minimum penalty is a fine of up to VND 40 million;
The maximum penalty is a penalty amounting to 5% of total revenue in Vietnam for the preceding fiscal year, for:
- Multiple personal data protection violations in marketing and advertising business;
- Multiple personal data protection violations in the illegal collection, transfer, purchase, and sale of personal data;
- Causing disclosure or loss of personal data of 5 million Vietnamese citizens or more due to violations in personal data protection impact assessment and cross-border transfer of personal data.
Common additional penalties include deprivation of the right to use the business license in the line of business requiring personal data collection for the duration from one to three months;
Common remedial measures include:
- Forced suspension of personal data processing for a period of one to three months;
- Forced destruction or permanent deletion of personal data;
- Confiscation of illegal profits obtained from committing personal data protection violations.
Huong Vo / Associate
© 2023 ACS Legal Vietnam Company Limited – All rights reserved
This legal update is not advice and should not be treated as such.