Comments on Draft Decree on Cybersecurity Administrative Sanctions
On 31 May 2023, the Ministry of Public Security (MPS) released the 3rd draft of the Decree on Cybersecurity Administrative Sanctions (3rd Draft Decree). The 3rd Draft Decree provides administrative penalties for violations of cybersecurity laws (i.e., the Law on Cybersecurity 2018 and Decree 53/2022 detailing the Law on Cybersecurity 2018) and of personal data regulations (i.e., Decree 13/2023 on personal data protection). In this post, we provide comments on several provisions of the 3rd Draft Decree, each with a corresponding recommendation. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.
Each item below sets out the provision concerned, our comment and our recommendation.

Provisions on applicable subjects
1) Provision: Article 2.2(a) provides that the dependent units of an enterprise are applicable subjects of the 3rd Draft Decree.
Comment: This provision may not be consistent with Article 3.4 of Decree 118/2021 of the Government dated 23 December 2021 detailing the Law on Administrative Violations Handling, as amended (Decree 118/2021). Under Article 3.4 of Decree 118/2021, the dependent units of an enterprise (e.g., a representative office or branch) are subject to administrative penalties only if they commit administrative violations outside the scope or period authorised by the legal entity, or otherwise than under the legal entity's direction, control, assignment and approval.
Recommendation: To clarify in which cases a dependent unit is subject to administrative penalties under the 3rd Draft Decree, for consistency with Decree 118/2021 (e.g., Article 2.2(b) of Decree 122 of the Government dated 28 December 2021 on administrative penalties in the planning and investment sector provides this clearly).
2) Provision: Article 2.2(dd) provides that foreign enterprises, or branches, representative offices or business locations of foreign enterprises, providing services including, among others, content provision services in cyberspace (dịch vụ cung cấp nội dung trên không gian mạng) are applicable subjects of the 3rd Draft Decree.
Comment: (a) It is not clear whether "content provision services in cyberspace" is the same as the "value-added services in cyberspace" under Articles 26.2 and 26.3 of the Law on Cybersecurity 2018, or whether the service under Article 2.2(dd) of the 3rd Draft Decree is a new type of service. (b) If it is a new type of service, it is not clear which specific services it covers, since neither the 3rd Draft Decree, the Law on Cybersecurity 2018 nor Decree 53 of the Government dated 15 August 2022 detailing the Law on Cybersecurity 2018 (Decree 53/2022) defines this service.
Recommendation: To clarify or remove this type of service for consistency.
3) Provision: Article 2.2(e) provides that organizations and enterprises providing information content services in cyberspace (dịch vụ nội dung thông tin trên không gian mạng) are applicable subjects of the 3rd Draft Decree.
Comment: It is not clear which specific services this type covers, since neither the 3rd Draft Decree, the Law on Cybersecurity 2018 nor Decree 53/2022 defines this service.
Recommendation: To clarify or remove this type of service for consistency.
Provisions on the fine level

4) Provision: Article 5.2 provides that the fine for an administrative violation may be up to 5% of the violating organization's or individual's revenue in the Vietnamese market in the preceding fiscal year, or of the profit earned from the administrative violation.
Comment: (a) This fine level may exceed the maximum fine under Article 24.1(dd) of the Law on Administrative Violations Handling 2012 (i.e., VND 200 million for the cybersecurity sector, applicable to organizations). (b) It is not clear whether this fine is to be calculated on the revenue of the violating entity alone or on the revenue of its group of undertakings.
Recommendation: To clarify these issues.
Provision on administrative sanctions for acts also specified in the Criminal Code

5) Provision: Article 6.2 provides that: "For a case that is accepted and settled by an authority conducting the criminal proceedings, but then there is a decision not to initiate a criminal case, [...] within 03 days from the date of issuance of the decision, [...]".
Comment: It should read "03 business days" and "the date on which the decision takes effect", for consistency with Article 63.1 of the Law on Administrative Violations Handling 2012.
Recommendation: To amend this provision for consistency with Article 63.1 of the Law on Administrative Violations Handling 2012.
Violation of the rights of the data subject

6) Provision: Article 15.1(e) imposes an administrative penalty on the failure of the personal data controller, or the personal data controlling and processing party, to delete personal data as requested within 48 hours of the data subject's request.
Comment: This is not consistent with Article 16.5 of Decree 13 of the Government dated 17 April 2023 on personal data protection (Decree 13/2023), which requires this obligation to be performed within 72 hours of the data subject's request.
Recommendation: To amend this provision for consistency with Article 16.5 of Decree 13/2023.

7) Provision: Article 15.1(h) imposes an administrative penalty on the failure of the personal data controller, or the personal data controlling and processing party, to provide personal data within 48 hours of the data subject's request.
Comment: This is not consistent with Article 14.3 of Decree 13/2023, which requires this obligation to be performed within 72 hours of the data subject's request.
Recommendation: To amend this provision for consistency with Article 14.3 of Decree 13/2023.

8) Provision: Article 15.2 imposes an administrative penalty on the failure of the personal data controller, or the personal data controlling and processing party, to prevent or limit the disclosure of personal data, or the use of personal data for advertising or marketing purposes, within 48 hours of the data subject's request.
Comment: This is not consistent with Article 9.8(b) of Decree 13/2023, which requires this obligation to be performed within 72 hours of the data subject's request.
Recommendation: To amend this provision for consistency with Articles 9.8(a) and 9.8(b) of Decree 13/2023.
Violation of provisions on the data subject's consent

9) Provision: Article 16.
Comment: There is no administrative penalty for the failure to express consent in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats, as required under Article 11.5 of Decree 13/2023.
Recommendation: To supplement a penalty for this violation.

10) Provision: Article 16.1(b) imposes an administrative penalty if "the consent of the data subject is not expressed clearly for the data subject to freely consent to the personal data processing".
Comment: The wording of this provision is confusing and may duplicate Article 16.1(dd) of the 3rd Draft Decree.
Recommendation: To enhance clarity, it is proposed to amend this provision as follows: "To force the data subject to consent to the data processing, or to prevent the data subject from being fully informed of the contents necessary for giving consent as regulated".

11) Provision: Article 16.2(c) provides that the personal data controller, or the personal data controlling and processing party, does not prove, or refuses to prove, that the data subject has consented to the personal data processing.
Comment: This provision duplicates Article 16.1(h) of the 3rd Draft Decree.
Recommendation: To remove this provision.
Violation of provisions on consent withdrawal

12) Provision: Article 17.
Comment: There is no administrative penalty for the failure to express the withdrawal of consent in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats, as required under Article 12.2 of Decree 13/2023.
Recommendation: To supplement a penalty for this violation.
Violation of provisions on providing personal data

13) Provision: Article 19.
Comment: There is no administrative penalty for the failure of the data controller, or the data controlling and processing party, where the requested personal data are not under its authority, to (i) notify and guide the requesting organization or individual to request the competent authority, or (ii) expressly notify its inability to provide such personal data. This is an obligation under Article 14.8(b) of Decree 13/2023.
Recommendation: To supplement a penalty for this violation.

14) Provision: Article 19.1(a) imposes an administrative penalty on the act of "providing personal data to the data subject, personal data owned by or under control of the organization when the data subject has not consented to act on behalf of him/her".
Comment: The wording of this provision is quite confusing.
Recommendation: To enhance clarity, it is proposed to amend this provision as follows: "providing personal data of the data subject, or personal data owned by or under the control of the organization, to other organizations or individuals when the data subject has not consented to their acting on his/her behalf".
Violation of provisions on storage, deletion and destruction of personal data

15) Provision: Article 21.2 imposes an administrative penalty on the act of "personal data must be deleted in accordance with the provisions of law".
Comment: The wording of this provision is quite confusing.
Recommendation: To enhance clarity, it is proposed to amend this provision as follows: "To continue processing personal data that must be deleted in accordance with the provisions of law".
Violation of provisions on notifying violations of regulations on personal data protection

16) Provision: Article 25.
Comment: There is no administrative penalty for the failure to prepare minutes confirming the occurrence of an act violating the provisions on personal data protection, as required under Article 23.5 of Decree 13/2023.
Recommendation: To supplement a penalty for this violation.
Violation of provisions on cross-border transfer of personal data

17) Provision: Article 27.
Comment: There is no administrative penalty for the failure to suspend the transfer of personal data overseas when so requested by the MPS, as required under Article 25.8 of Decree 13/2023.
Recommendation: To supplement a penalty for this violation.

18) Provision: Articles 27.1(b), 27.1(c) and 27.1(d).
Comment: These provisions duplicate Article 27.1(a) of the 3rd Draft Decree.
Recommendation: To remove these provisions.
Violation of provisions on the prevention of and combat against cyberattacks

19) Provision: Article 29.
Comment: There is no administrative penalty for the failure of information system administrators to apply technical measures to prevent and avoid the acts prescribed in sub-clauses (a), (b), (c), (d) and (e) of Article 18.1 of the Law on Cybersecurity 2018 with respect to information systems within their managerial scope.
Recommendation: To supplement a penalty for this violation.
Violation of provisions on the prevention of and dealing with dangerous cybersecurity situations

20) Provision: Article 31.
Comment: There is no administrative penalty for the failure to apply measures to deal with a dangerous cybersecurity situation, including (i) sending a notice to relevant agencies, organizations and individuals (as required under Article 21.3(b) of the Law on Cybersecurity 2018), and (ii) analysing and assessing information about, and forecasts of, the possibility, the scope of effect and the level of damage of such a dangerous situation (as required under Article 21.3(d) of the Law on Cybersecurity 2018).
Recommendation: To supplement penalties for these violations.
Violation of provisions on guarantees relating to cyber-information security

21) Provision: Article 35.1(d) imposes an administrative penalty on the provision of services on telecom networks, the Internet and other value-added services to organizations and individuals who upload to cyberspace information with the contents prescribed in Articles 16.1 to 16.5 of the Law on Cybersecurity 2018.
Comment: This provision is not consistent with Article 26.2(c) of the Law on Cybersecurity 2018, since it lacks the wording "when requested not to provide by the Cybersecurity Task Force under the MPS or by a competent agency under the Ministry of Information and Communications".
Recommendation: To supplement such wording for consistency.

22) Provision: Article 35.1(dd) imposes an administrative penalty on owners of websites and social networks that do not have a server system located in Vietnam to serve the inspection, examination, storage and supply of information at the request of competent state agencies, or to settle customer complaints about the provision of the specified service.
Comment: This provision is not consistent with the Law on Cybersecurity 2018 and Decree 53/2022. Under Article 26.3 of the Law on Cybersecurity 2018 and Article 26 of Decree 53/2022, offshore entities are required to set up branches or representative offices in Vietnam only in limited cases, and are not required to set up a server system in Vietnam. Administrative penalties for offshore enterprises' failure to set up branches or representative offices are already provided under Article 39 of the 3rd Draft Decree.
Recommendation: To remove this provision.
Violation of provisions on child protection in cyberspace

23) Provision: Article 37.2(b) imposes an administrative penalty on posting, distributing, sharing, storing, exchanging or using information, images and sounds with pornographic, depraved or violent contents related to children.
Comment: This provision duplicates Article 37.2(a) of the 3rd Draft Decree.
Recommendation: To remove this provision.
Violation of provisions on data storage and the establishment of branches or representative offices in Vietnam

24) Provision: Article 39.
Comment: There is no administrative penalty for the failure to maintain a branch or representative office in Vietnam for the required period.
Recommendation: To supplement a penalty for this violation.