Vietnam's Latest Decree on Violations in Cybersecurity and Data Protection
In May, the Vietnam Ministry of Justice published the latest Draft Decree on Cybersecurity Administrative Sanctions (“CASD Draft Decree”) formulated by the Ministry of Public Security (“MPS”) for public comment. The Draft Decree is expected to serve as the enforcement mechanism for the established legal framework managing cyberspace activities, including Cybersecurity Law 2018, Decree 53/2022/ND-CP guiding the Cybersecurity Law, and Decree 13/2023/ND-CP on Personal Data Protection (“PDPD”).
The Draft Decree addresses violations concerning network information security, personal data protection, and use of electronic and internet-based information, with applicability to both onshore and offshore entities. The Draft Decree was first released for public consultation in September 2021 and has since gone through multiple revisions. Although many fines related to PDPD violations have been reduced compared to the previous draft, this latest version still includes stringent penalties for non-compliance, including fines up to 5% of their annual revenue in Vietnam for severe violations. The Council has collected and submitted members’ input to the MPS to address the significant fines, among other issues in this Draft.
Although the Draft Decree was originally scheduled to become effective as of June 1, 2024, this has since been postponed and a new timeline has yet to be announced.