
Comments on the Draft Decree on Administrative Penalties for Cybersecurity Violations

On May 31, 2023, the Ministry of Public Security (MPS) released the third draft of the Decree on Administrative Penalties for Cybersecurity Violations (the Third Draft Decree). The Third Draft Decree stipulates administrative penalties for violations of cybersecurity laws (namely the 2018 Cybersecurity Law and Decree 53/2022 detailing the 2018 Cybersecurity Law) and of regulations on personal data (namely Decree 13/2023 on the protection of personal data). In this article, we provide comments and recommendations regarding certain provisions of the Third Draft Decree.

The table below lists, for each numbered item, the clause of the Third Draft Decree concerned, our comments, and our recommendations.

Provisions on the Scope of Application

1) Clause: Article 2.2(a) stipulates that subsidiaries of enterprises are within the scope of application of the Third Draft Decree.
   Comments: This provision may not be consistent with Article 3.4 of Decree 118/2021 issued by the Government on December 23, 2021, which details the amended Law on the Handling of Administrative Violations (Decree 118/2021). According to Article 3.4 of Decree 118/2021, business subsidiaries (e.g., representative offices, branches) are subject to administrative penalties only if they commit administrative violations that exceed the scope or duration authorized by the legal entity, or that are not in accordance with the legal entity's directives, supervision, delegation, and approval.
   Recommendations: Clarify under which circumstances a subordinate unit will be subject to administrative penalties under the Third Draft Decree, so as to align with Decree 118/2021 (e.g., Article 2.2(b) of Government Decree No. 122 dated December 28, 2021, on administrative penalties in the planning and investment sector, provides such clarity).

2) Clause: Article 2.2(d) stipulates that foreign enterprises, or their branches, representative offices, or business locations, providing services, including online content provision services, are subject to the Third Draft Decree.
   Comments: a) It is unclear whether "online content provision services" and "online value-added services" as defined in Articles 26.2 and 26.3 of the 2018 Cybersecurity Law are the same, or whether the services defined in Article 2.2(d) of the Third Draft Decree constitute a new type of service. b) If this is a new type of service, it is unclear which specific services fall under this category, as neither the Third Draft Decree, nor the 2018 Cybersecurity Law, nor Government Decree No. 53 dated August 15, 2022, detailing the 2018 Cybersecurity Law (Decree 53/2022) provides a definition of this service.
   Recommendations: This service category should be clarified or removed for consistency.

3) Clause: Article 2.2(e) stipulates that organizations and businesses providing information content services in cyberspace (cyberspace information content services) are subject to the Third Draft Decree.
   Comments: It is unclear which specific services are included in this category, because neither the Third Draft Decree, nor the 2018 Cybersecurity Law, nor Decree 53/2022 provides a definition of this service.
   Recommendations: This type of service should be clarified or removed for consistency.

Provisions on fines

4) Clause: Article 5.2 stipulates that the fine for an administrative violation may reach up to 5% of the revenue from the immediately preceding fiscal year, or of the profit derived from the administrative violation, of the violating organization or individual in the Vietnamese market.
   Comments: a) This fine may exceed the maximum fine under Article 24.1(d) of the 2012 Law on the Handling of Administrative Violations (i.e., VND 200 million for the cybersecurity sector, applicable to organizations). b) It is unclear whether this fine should be calculated on the basis of the revenue of a group of businesses.
   Recommendations: This issue should be clarified.

Administrative penalties for acts that are also stipulated in the Criminal Code

5) Clause: Article 6.2 provides: "For criminal cases that have been accepted and processed by criminal prosecution authorities but subsequently result in a decision not to initiate criminal proceedings, [...] within 3 days from the date of the decision, [...]"
   Comments: It should read "three working days" and "the date the decision takes effect" to align with Article 63.1 of the 2012 Law on the Handling of Administrative Violations.
   Recommendations: Amend this provision to align with Article 63.1 of the 2012 Law on the Handling of Administrative Violations.

Violation of data subject rights

6) Clause: Article 15.1(e) imposes an administrative penalty on a personal data controller, or a controller and processor of personal data, that fails to delete personal data within 48 hours after the data subject makes the request.
   Comments: Inconsistent with Article 16.5 of Government Decree No. 13 dated April 17, 2023, on personal data protection (Decree 13/2023), which stipulates that this obligation must be fulfilled within 72 hours from the time the data subject makes the request.
   Recommendations: Amend this provision to align with Article 16.5 of Decree 13/2023.

7) Clause: Article 15.1(h) imposes administrative penalties on data controllers and data processors that fail to provide personal data within 48 hours after the data subject makes a request.
   Comments: Inconsistent with Article 14.3 of Decree 13/2023, which stipulates that this obligation must be fulfilled within 72 hours of the data subject's request.
   Recommendations: Amend this provision to align with Article 14.3 of Decree 13/2023.

8) Clause: Article 15.2 imposes administrative penalties on data controllers and data processors that fail to prevent or restrict the disclosure of personal data, or the use of personal data for advertising or marketing purposes, within 48 hours of a data subject's request.
   Comments: This is inconsistent with Article 9.8(b) of Decree 13/2023, which requires this obligation to be fulfilled within 72 hours of the data subject's request.
   Recommendations: Amend this provision to align with Articles 9.8(a) and 9.8(b) of Decree 13/2023.

Violation of provisions regarding the data subject's consent

9) Clause: Article 16.
   Comments: Lack of administrative penalties for failure to provide consent in a format that can be printed and/or copied in writing, including in electronic or verifiable formats, as required by Article 11.5 of Decree 13/2023.
   Recommendations: Add penalties for this violation.

10) Clause: Article 16.1(b) imposes administrative penalties if "the data subject's consent is not clearly expressed so that the data subject can freely consent to the processing of personal data".
   Comments: The wording of this provision is unclear and may overlap with Article 16.1(d) of the Third Draft Decree.
   Recommendations: For greater clarity, we propose amending this provision as follows: "Compelling the data subject to consent to the processing of data, or preventing the data subject from being fully informed of the details necessary to consent in accordance with the regulations".

11) Clause: Article 16.2(c) stipulates that a controller of personal data, or a controller and processor of personal data, fails to prove or refuses to prove that the data subject has consented to the processing of personal data.
   Comments: This provision duplicates Article 16.1(h) of the Third Draft Decree.
   Recommendations: This provision should be removed.

Violation of provisions regarding the withdrawal of consent

12) Clause: Article 17.
   Comments: Lack of administrative penalties for failing to provide for the withdrawal of consent in a format that can be printed and/or copied in writing, including in electronic or verifiable formats, pursuant to Article 12.2 of Decree 13/2023.
   Recommendations: Add penalties for this violation.

Violation of regulations on the provision of personal data

13) Clause: Article 19.
   Recommendations: Add penalties for this violation.

14) Clause: Article 19.1(a) provides for administrative penalties for the act of "providing personal data to the data subject, personal data owned or controlled by the organization when the data subject has not consented to act on their behalf".
   Comments: The wording of this provision is rather unclear.
   Recommendations: For greater clarity, it is proposed to amend this provision as follows: "disclosing the data subject's personal data, personal data owned or controlled by the organization, to another organization or individual when the data subject has not consented to such action on their behalf".

Violations of regulations on the storage, deletion, and destruction of personal data

15) Clause: Article 21.2 stipulates administrative penalties for the act of "failing to delete personal data as required by law".
   Comments: The wording of this provision is rather unclear.
   Recommendations: For greater clarity, we propose amending this provision as follows: "Continuing to process personal data that must be deleted in accordance with the law".

Violation of regulations regarding notification of violations of personal data protection regulations

16) Clause: Article 25.
   Comments: Lack of administrative penalties for failing to prepare a written record confirming the occurrence of a violation of personal data protection regulations, as stipulated in Article 23.5 of Decree 13/2023.
   Recommendations: Add penalties for this violation.

Violations of regulations on cross-border transfer of personal data

17) Clause: Article 27.
   Comments: Lack of administrative penalties for failing to suspend the transfer of personal data abroad upon request by the Ministry of Public Security, as required under Article 25.8 of Decree 13/2023.
   Recommendations: Add penalties for this violation.

18) Clause: Articles 27.1(b), 27.1(c), and 27.1(d)[1].
   Comments: These provisions duplicate Article 27.1(a) of the Third Draft Decree.
   Recommendations: These provisions should be removed.

Violations of regulations on preventing and combating cyberattacks

19) Clause: Article 29.
   Comments: Lack of administrative penalties for system administrators who fail to implement technical measures to prevent and mitigate the acts specified in clauses (a), (b), (c), (d), and (e) of Article 18.1 of the 2018 Cybersecurity Law in respect of information systems under their management.
   Recommendations: Add penalties for this violation.

Violations of regulations on preventing and handling cybersecurity emergencies

20) Clause: Article 31.
   Comments: Lack of administrative penalties for failure to implement measures to address cybersecurity incidents, including: (i) notifying relevant agencies, organizations, and individuals (as prescribed in Article 21.3(b) of the 2018 Cybersecurity Law); and (ii) analyzing and evaluating information regarding, and forecasting the likelihood, scope of impact, and extent of damage of, such dangerous situations (as required under Article 21.3(d) of the 2018 Cybersecurity Law).
   Recommendations: Add provisions on penalties for these violations.

Violations of regulations on ensuring cybersecurity

21) Clause: Article 35.1(d) stipulates administrative penalties for violations in the provision of services over telecommunications networks, the Internet, and other value-added services to organizations or individuals who upload information containing content specified in Articles 16.1 to 16.5 of the 2018 Cybersecurity Law.
   Comments: This provision is inconsistent with Article 26.2(c) of the 2018 Cybersecurity Law because it lacks the phrase "upon request not to provide such information by the Specialized Cybersecurity Force under the Ministry of Public Security or the competent authority under the Ministry of Information and Communications".
   Recommendations: Add such wording for consistency.

22) Clause: Article 35.1(d) stipulates administrative penalties for owners of electronic information websites or social media platforms that do not have servers located in Vietnam to facilitate inspections, audits, data retention, and the provision of information upon request by competent state agencies, or to resolve customer complaints regarding the provision of designated services.
   Comments: This provision is inconsistent with the 2018 Cybersecurity Law and Decree 53/2022: foreign legal entities are required to establish branches or representative offices in certain limited cases, but are not required to locate their server systems in Vietnam under Article 26.3 of the 2018 Cybersecurity Law and Article 26 of Decree 53/2022. Administrative penalties for foreign businesses that do not establish a branch or representative office are already stipulated in Article 39 of the Third Draft Decree.
   Recommendations: Remove this provision.

Violations of regulations on the protection of children online

23) Clause: Article 37.2(b) stipulates administrative penalties for the acts of posting, broadcasting, sharing, storing, exchanging, or using information, images, or audio containing pornographic, obscene, or violent content involving children.
   Comments: This provision overlaps with Article 37.2(a) of the Third Draft Decree.
   Recommendations: This provision should be removed.

Violations of regulations on data storage and on establishing branches and representative offices in Vietnam

24) Clause: Article 39.
   Comments: Lack of administrative penalties for failing to maintain a branch or representative office within the prescribed timeframe.
   Recommendations: Add penalties for this violation.