In the middle of writing about Sky Mavis, NFTs, and cryptocurrency, the Ministry of Public Security issued a draft decree related to cybersecurity. I didn’t get the chance to write about this earlier, but because it offers some guidance on questions related to the Law on Cybersecurity of 2018, I think it is important enough to write about even though it may not have the greatest currency. Therefore, this post will examine the Draft Decree on Penalties for Administrative Violations in Cybersecurity issued for public opinion on 20 September 2021.
While the Draft Decree acts as guidance on the Law on Cybersecurity, its main focus is on administrative violations, penalties, and remedial measures.
The Basics of the Draft Decree
The Draft Decree prescribes administrative violations, penalties, sanctioning levels, remedial measures, and competent authorities to handle administrative violations in cybersecurity. Subjects regulated by the Draft Decree include both Vietnamese and foreign organizations and individuals committing administrative violations in cyberspace. Specifically, the Draft Decree applies to the following entities:
- Organizations established according to the Enterprise Law;
- Organizations established according to the Cooperative Law;
- Organizations established according to the Investment Law;
- Political-social organizations, social organizations, social-professional organizations;
- Foreign enterprises or branches, representative offices, local businesses of foreign enterprises providing telecommunication services, internet, services provided primarily in cyberspace, information technology, internet security, internet information safety;
- Organizations, enterprises providing services primarily involving information on cyberspace;
- Organizations, enterprises registered with a domain name;
- Owners of information systems;
- Parties operating information systems;
- Other parties and organizations according to the law.
Main Areas of Sanction
The Draft Decree lists five categories of administrative violations based on the nature of the violation, including (i) information security assurance; (ii) personal data protection; (iii) prevention of and methods to combat cyberattacks; (iv) implementation of cybersecurity protection activities; and (v) prevention of and methods to combat the use of cyberspace, information technology, and electronic devices to violate the law on social order and safety.
Some of the violations related to the Law on Cybersecurity’s more controversial provisions include:
- Disseminating information that is anti-government of Vietnam, acts promoting civil disorder, destruction of national security, public order;
- Disseminating information that is false, misleading, insulting, offensive, slanderous, violates the legal rights of individuals or organizations;
- Disseminating information that violates the order of economic management;
- Disseminating fabricated, false information that causes confusion for individuals, influences social order;
- Violating regulations on responsibilities for handling information whose subject is in violation of the law;
- Violating regulations on confidentiality and secrets of the state, enterprises, families, individuals, etc.
Personal data protection
Sanctions for failing to satisfy requirements on personal data protection seem to match up with the Draft Decree on Personal Data Protection that was promulgated earlier this year and has yet to be officially adopted. The main violations include:
- Violating the basic principles of personal data protection;
- Violating the rights of data subjects;
- Violating regulations regarding the consent of data subjects;
- Violating regulations regarding the withdrawal of consent;
- Violating regulations regarding the handling of data when the processor does not have the data subject’s consent;
- Violating handling of data of minors;
- Violating regulations on reporting personal data;
- Violating regulations on accessing personal data;
- Violations regarding provision of personal data;
- Violating regulations regarding amendment of personal data;
- Violating regulations regarding storing, deleting, destroying personal data;
- Violations regarding the impact assessment of handling personal data;
- Violations regarding the cross-border transfer of data;
- Violations regarding the protection of personal data in advertising services;
- Violations regarding the prevention, combatting of trade in personal data;
- Violations regarding the methods for protecting personal data;
- Violations regarding the responsibility to protect personal data.
Other important provisions
The Draft Decree covers the prevention and combatting of network attacks; cyberterrorism; high-risk circumstances related to internet safety; important information regarding national security; the foundations of national cybersecurity and national connection gates; ensuring information security; compliance with requests to handle violations; protection of children in cyberspace; use of technology to violate economic management; acts to prevent and combat the same; protection of accounts; etc.
That last paragraph summarizes the heads of violations, but specifically, there are a couple of provisions that are worth looking at in slightly more detail.
Notice and takedown of illegal content
Companies may be sanctioned up to VND 160 million (approx. US$6,900) for failure to apply preventive measures to the sharing of illegal information or failure to remove that information within 24 hours from a request of the competent authorities.
Data localization
The Draft Decree states that companies that fail to store data or establish a branch or a representative office in Vietnam in accordance with Article 26.3 of the Law on Cybersecurity may be sanctioned up to VND 200 million. Three-time violators of this provision will be fined 5% of their revenue sourced in Vietnam. There is no discussion of exactly how long failure to conduct the proper activities will be deemed to be a violation that counts towards the total of violations, but it would seem that failure to comply with this data localization requirement will, in fact, produce significant penalties for foreign enterprises operating in Vietnam.
Digital accounts
Companies failing to authenticate and identify themselves with the proper identification documents for digital accounts serving currency, financial, securities or other transferable assets transactions in cyberspace are subject to a fine of up to VND 160 million (approx. US$6,900).
There is a lot of information in this draft decree to unpack, but I’ve tried to hit the highlights. If you have any questions regarding the impact of the draft decree on your business or activities in Vietnam, please feel free to get in touch.