The Government earlier this month unveiled the appraisal dossier for the draft Decree on Cybersecurity Administrative Sanctions (“CAS Decree”), which will impose administrative penalties for violations in cyberspace, including personal data breaches.
Unless there are unexpected or administrative delays, the CAS Decree will take effect from 1 June 2024.
This legal alert provides key highlights of the CAS Decree, especially on personal data breaches, and offers some practical advice for organisations ahead of the decree’s release.
The focus
1. Maximum fines of 5% total revenues in Vietnam. Taking a page from the European Commission’s sanction playbook, Vietnam’s Ministry of Public Security (MPS) has introduced what appears to be the highest monetary sanction for specific personal data protection violations, namely:
- violations related to marketing and product advertising services (Art. 22);
- unlawful collection, transfer, and trading of personal data (Art. 23);
- data protection impact assessment (DPIA) violations (Art. 25); and
- cross-border data transfer violations (Art. 26).
2. Violations specifically related to data subject’s consent. The draft CAS Decree not only penalises typical violations such as processing personal data not in line with or without data subject’s consent (Art. 15.1(a)(b)), but also punishes deceptive consent practices that exploit user choices. This includes failing to obtain clear and explicit consent, not informing users of their right to partial or conditional consent and neglecting to disclose when sensitive data is being processed (Art. 15.1(dd)(e)(g)).
These violations are particularly noteworthy because they target manipulative design patterns that undermine informed consent. For instance, pre-checked consent boxes and blanket “all-or-nothing” privacy policies often fail to inform users about their right to provide partial or conditional consent. As a result, users may be compelled to agree to the processing of all their data for all purposes, even though they have the option to consent selectively. By penalising these practices, the draft decree seeks to promote greater transparency and user control over personal data.
3. Reining in disinformation. Reflecting the Government’s heightened concern over the spread of disinformation (i.e. false information with a harmful, misleading intent), particularly with the rise of generative AI tools, the draft CAS Decree also penalises various information security violations. These include the creation and dissemination of information intended to undermine the State, disrupt social order, or violate the rights of others, where the severity does not warrant criminal prosecution (Art. 7-10). Notably, the use of online platforms such as social networks to spread disinformation is deemed a more severe offence, carrying a higher fine of up to VND 100 million for legal entities.
4. Far-reaching penalties. In addition to hefty fines, the draft CAS Decree also introduces a swath of supplementary penalties with far-reaching consequences, particularly the suspension of licences for telecommunications, information portals, or social networks, among others, or even the suspension of business operations for up to 24 months (Art. 4.2).
Unresolved matters
1. Unclear fine calculations for revenue-based sanctions. The draft CAS Decree lacks clarity on the calculation and application of the punitive 5% total revenue penalty, especially in cases where the violator generates no revenue in Vietnam[1] or operates from overseas, raising questions about the practicality of determining local revenue in such situations. Interestingly, in its report to the Government on the draft CAS Decree feedback,[2] the MPS sought to clarify this ambiguity by referring to the Enterprises Law, but this legislation provides no guidance on calculating total revenue. Therefore, it remains unclear whether and how the MPS will enforce this maximum fine threshold in practice.
2. Inconsistency with the Personal Data Protection Decree. Under the draft CAS Decree, data controllers, data controller-cum-processors, and applicable third parties face penalties for failure to address a data subject’s request to delete or restrict the processing of their data, or to provide their data, within 48 hours (except for public holidays) (Art. 14.1(e)(h) and 14.2). However, this response window is up to 72 hours under the Personal Data Protection Decree (Decree 13/2023/ND-CP or PDPD) (Art. 9.6(b), 9.8(b), and 14.3). It is possible that this discrepancy is a clerical error, and the draft CAS Decree could be intended to clarify that the timeframe under the PDPD is exclusive of non-business days.
3. Overlapping sanctions. There are also some inconsistencies in fines for similar violations.
Some breaches of personal data protection principles, such as unlawfully processing personal data or doing so without the data subject’s knowledge, can result in fines up to VND 140 million for legal entities (Art. 13.1(a)(b)(c)). On the other hand, violations related to data subject consent, such as processing without consent or outside agreed purposes, carry a lower maximum fine of VND 40 million for corporate entities (Art. 15.1(a)(d)). This lack of clarity could lead to arbitrary enforcement, as authorities might have leeway to choose the penalty with a higher fine to apply.
4. No defined violations that warrant a 24-month suspension of operations. The draft CAS Decree again demonstrates a lack of clarity, failing to specify which violations carry the maximum 24-month suspension of operations. Interestingly, this highest supplementary penalty, which applies to information security breaches only, is currently capped at a mere 3 months. This raises the question of whether the ceiling threshold will be revised in the final draft, or whether the 24-month cap is reserved for other, more serious offences that will be included in a later amendment of the CAS Decree.
Vietnam’s GDPR?
Given the above unresolved matters, it remains to be seen whether the draft decree will be revised to address these outstanding issues or if its release will be further pushed back.
Separately, there are signs that even more comprehensive data privacy legislation is in the works in Vietnam. Despite the PDPD’s recent release, its status as a sub-law instrument may limit its effectiveness in regulating personal data protection matters and in harmonising with other legislation. To address this limitation, the MPS earlier this year prepared a dossier advocating for a new personal data protection law, which comprises a comprehensive assessment of the existing data privacy landscape and an evaluation of the proposed law’s impact.
Together with the CAS Decree, this move sets the stage for the forthcoming Personal Data Protection Law, further strengthening Vietnam’s own data privacy framework.
What businesses should do
Compliance with data privacy regulations is not only crucial for continuous business operations and risk mitigation, but also demonstrates respect for user privacy rights. To ensure readiness, businesses should consider the following essential actions:
· Review existing data processing practices
- Map out how your organisation collects, processes, stores, and shares personal data, both internally and externally (data mapping);
- Identify areas of concern, potential vulnerabilities in data processing, and instances of non-compliance.
· Develop or update policies and procedures
- Create or review and update your organisation’s data privacy policy and procedures for handling personal data;
- Implement robust procedures for obtaining and managing user consent, data breach notification, and responding to data subject requests;
- Ensure alignment across different departments and divisions within the organisation to adhere to internal policies and procedures as well as personal data protection regulations.
· Regulatory filings
Regularly prepare and submit DPIA reports to the Police Department of Cybersecurity and Hi-tech Crime Prevention (A05) under the MPS according to the data processing practices of an organisation.
A DPIA is not a one-off exercise but an ongoing process that continues throughout an organisation’s operation. Accordingly, any data processing or cross-border transfer activities, including a change in data processing (for instance, the processing of a new type of data and/or for a new processing purpose), trigger a separate DPIA report for submission to A05.
LNT & Partners - Nguyen Anh Tuan and Tran Hai Thinh