Comments on Draft Decree on Cybersecurity Administrative Sanctions

On 31 May 2023, the Ministry of Public Security (MPS) released the 3rd draft of the Decree on Cybersecurity Administrative Sanctions (3rd Draft Decree). The 3rd Draft Decree provides administrative penalties for violations of cybersecurity laws (i.e., the Law on Cybersecurity 2018 and Decree 53/2022 detailing the Law on Cybersecurity 2018) and personal data regulations (i.e., Decree 13/2023 on personal data protection). In this post, we provide comments, and corresponding recommendations, on several provisions of the 3rd Draft Decree. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.

Each numbered item below identifies the provision of the 3rd Draft Decree concerned, followed by our comment and our recommendation.

Provisions on applicable subjects

1) Provision: Article 2.2(a) provides that the dependent units of an enterprise are applicable subjects of the 3rd Draft Decree.

Comment: This provision may not be consistent with Article 3.4 of Decree 118/2021 of the Government dated 23 December 2021 detailing the Law on Administrative Violations Handling, as amended (Decree 118/2021). Under Article 3.4 of Decree 118/2021, the dependent units of an enterprise (e.g., a representative office or a branch) are subject to administrative penalties only if they commit administrative violations beyond the scope or period of the authorization granted by the legal entity, or otherwise than under the legal entity's direction, control, assignment and approval.

Recommendation: To clarify in which cases a dependent unit will be subject to administrative penalties under the 3rd Draft Decree, for consistency with Decree 118/2021 (for example, Article 2.2(b) of Decree 122 of the Government dated 28 December 2021 on administrative penalties in the planning and investment sector does so expressly).

2) Provision: Article 2.2(dd) provides that foreign enterprises, or branches, representative offices or business locations of foreign enterprises, providing services including, among others, content provision services in cyberspace (dịch vụ cung cấp nội dung trên không gian mạng) are applicable subjects of the 3rd Draft Decree.

Comment: a) It is not clear whether the "content provision services in cyberspace" under Article 2.2(dd) and the "value-added services in cyberspace" under Articles 26.2 and 26.3 of the Law on Cybersecurity 2018 are the same, or whether the service under Article 2.2(dd) of the 3rd Draft Decree is a new type of service.

b) If this is a new type of service, it is not clear which specific services it covers, since the 3rd Draft Decree, the Law on Cybersecurity 2018 and Decree 53 of the Government dated 15 August 2022 detailing the Law on Cybersecurity 2018 (Decree 53/2022) do not define it.

Recommendation: To clarify this type of service, or remove it, for consistency.

3) Provision: Article 2.2(e) provides that organizations and enterprises providing information content services in cyberspace (dịch vụ nội dung thông tin trên không gian mạng) are applicable subjects of the 3rd Draft Decree.

Comment: It is not clear which specific services this type covers, since the 3rd Draft Decree, the Law on Cybersecurity 2018 and Decree 53/2022 do not define it.

Recommendation: To clarify this type of service, or remove it, for consistency.

Provisions on the fine level

4) Provision: Article 5.2 provides that the fine for an administrative violation may be up to 5% of the violating organization's or individual's revenue in the Vietnamese market in the preceding fiscal year, or of the profit earned from the administrative violation.

Comment: a) This fine level may exceed the maximum fine under Article 24.1(dd) of the Law on Administrative Violations Handling 2012 (i.e., VND 200 million in the cybersecurity sector, applicable to organizations).

b) It is not clear whether, where the violating entity belongs to a group of undertakings, the fine should be calculated on the revenue of the whole group.

Recommendation: To clarify these issues.

Provision of administrative sanction for acts also specified in the Criminal Code

5) Provision: Article 6.2 provides that: "For a case that is accepted and settled by an authority conducting the criminal proceedings, but then there is a decision not to initiate a criminal case, […] within 03 days from the date of issuance of the decision, […]"

Comment: The provision should refer to "03 business days" and to "the date on which the decision takes effect", to be consistent with Article 63.1 of the Law on Administrative Violations Handling 2012.

Recommendation: To amend this provision for consistency with Article 63.1 of the Law on Administrative Violations Handling 2012.

Violation of the rights of the data subject

6) Provision: Article 15.1(e) imposes an administrative penalty on the failure of the personal data controller, or the personal data controlling and processing party, to delete personal data as requested within 48 hours of the data subject's request.

Comment: This is not consistent with Article 16.5 of Decree 13 of the Government dated 17 April 2023 on personal data protection (Decree 13/2023), which requires this obligation to be performed within 72 hours of the data subject's request.

Recommendation: To amend this provision for consistency with Article 16.5 of Decree 13/2023.

7) Provision: Article 15.1(h) imposes an administrative penalty on the failure of the personal data controller, or the personal data controlling and processing party, to provide personal data within 48 hours of the data subject's request.

Comment: This is not consistent with Article 14.3 of Decree 13/2023, which requires this obligation to be performed within 72 hours of the data subject's request.

Recommendation: To amend this provision for consistency with Article 14.3 of Decree 13/2023.

8) Provision: Article 15.2 imposes an administrative penalty on the failure of the personal data controller, or the personal data controlling and processing party, to prevent or limit the disclosure of personal data, or the use of personal data for advertising or marketing purposes, within 48 hours of the data subject's request.

Comment: This is not consistent with Article 9.8(b) of Decree 13/2023, which requires this obligation to be performed within 72 hours of the data subject's request.

Recommendation: To amend this provision for consistency with Articles 9.8(a) and 9.8(b) of Decree 13/2023.

Violation of provisions on the data subject’s consent

9) Provision: Article 16.

Comment: There is no administrative penalty for failing to express consent in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats, as required under Article 11.5 of Decree 13/2023.

Recommendation: To supplement a penalty for this violation.

10) Provision: Article 16.1(b) imposes an administrative penalty if "the consent of the data subject is not expressed clearly for the data subject to freely consent to the personal data processing".

Comment: The wording of this provision is confusing and may overlap with Article 16.1(dd) of the 3rd Draft Decree.

Recommendation: To enhance clarity, it is proposed to amend this provision as follows: "To force the data subject to consent to the data processing, or to prevent the data subject from being fully informed of the contents necessary for giving consent as regulated".

11) Provision: Article 16.2(c) penalizes the personal data controller, or the personal data controlling and processing party, for failing or refusing to prove that the data subject has consented to the personal data processing.

Comment: This provision duplicates Article 16.1(h) of the 3rd Draft Decree.

Recommendation: To remove this provision.

Violations of provisions on consent withdrawal

12) Provision: Article 17.

Comment: There is no administrative penalty for failing to express the withdrawal of consent in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats, as required under Article 12.2 of Decree 13/2023.

Recommendation: To supplement a penalty for this violation.

Violation of provisions on providing personal data

13) Provision: Article 19.

Comment: There is no administrative penalty for the failure of the personal data controller, or the personal data controlling and processing party, where the requested personal data are not under its authority, to:

(i) notify and guide the requesting organization or individual to submit the request to the competent authority; or

(ii) expressly notify its inability to provide such personal data.

This is an obligation under Article 14.8(b) of Decree 13/2023.

Recommendation: To supplement a penalty for this violation.

14) Provision: Article 19.1(a) imposes an administrative penalty on the act of "providing personal data to the data subject, personal data owned by or under control of the organization when the data subject has not consented to act on behalf of him/her".

Comment: The wording of this provision is quite confusing.

Recommendation: To enhance clarity, it is proposed to amend this provision as follows: "providing personal data of the data subject, or personal data owned by or under the control of the organization, to other organizations or individuals when the data subject has not consented to their acting on his/her behalf".

Violation of provisions on storage, deletion and destruction of personal data

15) Provision: Article 21.2 imposes an administrative penalty on the act of "personal data must be deleted in accordance with the provisions of law".

Comment: The wording of this provision is quite confusing; as drafted, it describes an obligation rather than a violation.

Recommendation: To enhance clarity, it is proposed to amend this provision as follows: "To continue processing personal data that must be deleted in accordance with the provisions of law".

Violation of provision on notifying violation of regulations on personal data protection

16) Provision: Article 25.

Comment: There is no administrative penalty for failing to prepare minutes confirming the occurrence of an act violating the provisions on personal data protection, as required under Article 23.5 of Decree 13/2023.

Recommendation: To supplement a penalty for this violation.

Violation of provision on cross-border transfer of personal data

17) Provision: Article 27.

Comment: There is no administrative penalty for failing to suspend the transfer of personal data abroad when so requested by the MPS, as required under Article 25.8 of Decree 13/2023.

Recommendation: To supplement a penalty for this violation.

18) Provision: Articles 27.1(b), 27.1(c) and 27.1(d)[1].

Comment: These provisions duplicate Article 27.1(a) of the 3rd Draft Decree.

Recommendation: To remove these provisions.

Violation of provision on cyberattacks prevention and combat

19) Provision: Article 29.

Comment: There is no administrative penalty for the failure of information system administrators to apply technical measures to prevent and avoid the acts prescribed in sub-clauses (a), (b), (c), (d) and (e) of Article 18.1 of the Law on Cybersecurity 2018 with respect to information systems within their management.

Recommendation: To supplement a penalty for this violation.

Violation of provision on prevention of and dealing with dangerous cybersecurity situations

20) Provision: Article 31.

Comment: There is no administrative penalty for failing to apply the measures for dealing with a dangerous cybersecurity situation, including:

(i) sending a notice to relevant agencies, organizations and individuals (as required under Article 21.3(b) of the Law on Cybersecurity 2018); and

(ii) analyzing and assessing information about, and forecasting, the likelihood, scope of effect and level of damage of such a dangerous situation (as required under Article 21.3(d) of the Law on Cybersecurity 2018).

Recommendation: To supplement penalties for these violations.

Violation of provision on guarantees relating to cyber-information security

21) Provision: Article 35.1(d) imposes an administrative penalty on the provision of services on telecommunications networks, the Internet and other value-added services to organizations and individuals who post in cyberspace information with the contents prescribed in Articles 16.1 to 16.5 of the Law on Cybersecurity 2018.

Comment: This provision is not consistent with Article 26.2(c) of the Law on Cybersecurity 2018, because it omits the qualifying words "when requested not to provide [such services] by the Cybersecurity Task Force under the MPS or by a competent agency under the Ministry of Information and Communications". Without that qualification, the penalty would attach to the provision of services as such, rather than to the refusal to comply with a request from the competent authority.

Recommendation: To supplement such wording for consistency.

22) Provision: Article 35.1(dd) imposes an administrative penalty on owners of websites and social networks that do not have a server system located in Vietnam to serve the inspection, examination, storage and supply of information at the request of competent state agencies, or to settle customer complaints concerning the provision of the relevant service.

Comment: This provision is not consistent with the Law on Cybersecurity 2018 and Decree 53/2022. Under Article 26.3 of the Law on Cybersecurity 2018 and Article 26 of Decree 53/2022, offshore entities are required to set up branches or representative offices in Vietnam in limited cases, but are not required to set up a server system in Vietnam. Moreover, administrative penalties for an offshore enterprise's failure to set up a branch or representative office are already provided under Article 39 of the 3rd Draft Decree.

Recommendation: To remove this provision.

Violation of provisions on child protection in cyberspace

23) Provision: Article 37.2(b) imposes an administrative penalty on posting, distributing, sharing, storing, exchanging or using information, images and sounds with pornographic, depraved or violent content relating to children.

Comment: This provision duplicates Article 37.2(a) of the 3rd Draft Decree.

Recommendation: To remove this provision.

Violation of provisions on data storage, the establishment of branches or representative offices in Vietnam

24) Provision: Article 39.

Comment: There is no administrative penalty for failing to maintain a branch or representative office in Vietnam for the required period.

Recommendation: To supplement a penalty for this violation.

[1] Point (d) of Article 27.1 appears twice in the 3rd Draft Decree.