The Ministry of Public Security (MPS) published an updated version (Draft 3.0) of the draft Cybersecurity Administrative Sanctions Decree (CASD) for public consultation on 31 May 2023. This legal instrument outlines a proposed framework for imposing administrative sanctions in cases of non-compliance with Decree 13/2023/ND-CP on Personal Data Protection (Decree 13) and Decree 53/2022/ND-CP, which provides guidance on the Cybersecurity Law (Decree 53).
To provide some context, the MPS initially released the previous version of Draft 3.0 for public consultation in September 2021. Furthermore, in November 2022, it hosted a workshop on “International Experiences in the Field of Cybersecurity Administrative Sanctions”. The MPS has incorporated from feedback from stakeholders and drawing from international experiences and best practices revisions in Draft 3.0.
Key Revisions in Draft 3.0:
1. Expanded Application Scope: Draft 3.0 proposes a broader scope by including non-governmental organizations (NGOs), state agencies, and other entities, in addition to both onshore and offshore individuals and entities.
2. Introduction of New Violations: To align with the obligations under Decree 53 and Decree 13, Draft 3.0 introduces additional sanctions for violations related to handling personal data (PD) containing violating content in cyberspace, as well as the collection, revision, storage, deletion, and removal of PD. Breach notification requirements are also addressed, among others.
3. Amendments to Existing Sanctions:
- Draft 3.0 proposes reduced monetary fines for specific violations, such as those pertaining to data subjects’ consent and notification requirements. However, it compensates for this decrease by introducing additional sanctions and remedial measures for such violations.
- Notable revisions include stricter sanctions for the illegal collection, transfer, sale, and purchase of PD, as well as non-compliance with requirements on cross-border transfers of PD and impact assessments. For instance, under Draft 3.0, entities failing to make or retain an impact assessment may face a monetary fine of up to VND 200 million (approximately US$ 8,516). Additionally, PD processing may be suspended for up to three months, alongside other sanctions.
The deadline for submitting comments on Draft 3.0 is set for 20 June 2023. It is important to note that the CASD is expected to take effect on 1 December 2023. Given the tight timeline and the impending impact of Decree 13, businesses are strongly advised to take prompt action to ensure compliance with Vietnam’s evolving regulatory framework concerning cybersecurity and personal data protection.