Cybersecurity Vietnam: Latest Draft of Cybersecurity Administrative Sanctions Decree
© Gorodenkoff / Shutterstock.com

Cybersecurity Vietnam: Latest Draft of Cybersecurity Administrative Sanctions Decree

2 min.
16. August 2023

The Vietnamese Ministry of Public Security (MPS) has released the third draft of a Cybersecurity Administrative Action Decree (CASD). The draft CASD is scheduled to come into force on 1 December 2023. The experts from ECOVIS Vietnam OC Law in Ho Chi Minh City explain what this means in concrete terms for companies.

The CASD draft was released on 31 May 2023 to enforce Decree 13/2023/ND-CP on personal data protection (Decree 13) and Decree 53/2022/ND-CP, which provides guidance on cybersecurity law (Decree 53).

The most important aspects of the CASD

An initial assessment points to the following key aspects:

  1. Scope of application: The draft CASD is applicable to both domestic and foreign entities, including foreign entities providing telecommunications, internet, content services on the internet, IT, cybersecurity, and cybersecurity information services (as well as their legal presence in Vietnam).
  2. Introduction of new violations: In accordance with the obligations outlined in Decree 53 and Decree 13, the third draft CASD introduces additional sanctions for infringements associated with the management of personal data containing prohibited content in cyberspace, as well as the collection, modification, storage, deletion, and removal of personal data. Among other things, the decree also incorporates provisions concerning breach notification requirements.
  3. Types of penalty: The draft CASD proposes two principal forms of administrative penalty, a warning and monetary fine. Remarkably, it stipulates that violators may face fines of up to 5% of their total revenue from the preceding fiscal year in Vietnam under the following circumstances:
    • Repeated violations concerning safeguarding personal data while offering marketing and advertising services
    • Repeated violations involving the unauthorised collection, transfer, sale, and purchase of personal data
    • Acts of (illegally) disclosing or loss of personal data belonging to 5 million or more Vietnamese citizens
    • Acts of (illegal) transfer of personal data belonging to 5 million or more Vietnamese citizens to overseas locations
Companies must act urgently and lay down the tracks for cyber security and the protection of personal data.
Nguyen Nhuan, Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam

Key Considerations

Interested stakeholders are urged to submit their comments on the draft CASD to the MPS for consideration by 20 June 2023. Given the time constraints and the imminent impact of Decree 13, it is imperative that businesses take action promptly to ensure compliance with Vietnam’s evolving regulatory framework on cybersecurity and personal data protection.

For further information please contact:

Vu Manh Quynh, Managing Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Email: quynh.vu@ecovislaw.vn

Nguyen Nhuan, Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Email: nhuan.nguyen@ecovislaw.vn

Sign up to our newsletter!

Contact us:

Vu Manh Quynh
Nguyen Nhuan
ECOVIS Vietnam Law / ECOVIS Orient Counsel
#2 Phan Van Dang Street
Level 1, Toong VistaVerde,
71100, Thu Duc City Ho Chi Minh City
Phone: +84 898 120 121
www.ecovis.com/vietnam/law