The latest draft of Vietnam's Cybersecurity Administrative Sanctions Decree provides that its scope will cover both domestic and foreign entities operating in Vietnam, including those providing internet and cybersecurity services. The draft decree outlines monetary penalties for violations of cybersecurity and data protection laws. Repeated offenses or those involving personal data of over 5 million Vietnamese citizens could result in fines of up to 5% of an entity's annual revenue. Public consultation on the latest version of the decree is open until June 20th, with the decree expected to be officially issued on December 1st, 2023.

1. Vietnam - Latest draft of the Cybersecurity Administrative Sanctions
Decree - what you must know
After the official issuance of Decree No. 13/2023/ND-CP on personal data protection on 17
April 2023 and Decree No. 53/2022/ND-CP guiding the Cybersecurity Law on 15 August
2022, the Cybersecurity Administrative Sanctions Decree (CASD) is expected to be the final
piece of the puzzle to enforce the said Decrees and to form a comprehensive set of laws on
cybersecurity in Vietnam.
For that reason, the first draft of the CASD for public consultation in September 2021,
following by workshop organized in 2022 by the Ministry of Public Security (MPS) in Hanoi
to collect public opinions on the second version of the CASD where repeated offenders are
subject to a monetary fine of up to 5% of such offender's annual revenue.
Recently, on 31 May 2023, the MPS released the third draft of the CASD for consultations.
The notable issues of the newly released draft of the CASD are as follows:
The latest draft of the CASD provides that its scope of application will cover both domestic
and foreign entities, including foreign entities providing telecommunications, internet, content
services on the internet, IT, cybersecurity, and cybersecurity information services (as well as
their lawful legal presence in Vietnam).
Regarding the monetary penalties, the fine of up to 5% of the offender’s total revenue is
applicable in the following circumstances:
(i) Repeated violations regarding personal data protection when providing marketing and
advertising services under certain cases;
(ii) Repeated violations in case of enterprises/individuals (a) failing to apply proper measures
to protect personal data to prevent the unauthorized collection of personal data from their
systems, equipment, and services; (b) implementing transfer of personal data that is not
permitted by law or is contrary to the principles of personal data protection; (c) illegally buying
and selling personal data.
(iii) Illegal acts of disclosing and/or losing the personal data of 5 million Vietnamese citizens
or more.
(iv) Illegal acts of transferring the personal data of 5 million Vietnamese citizens or more
overseas.
While the deadline for submission of consultations to the MPS on the latest draft CASD is 20
June 2023. The CASD might be officially issued on 1 December 2023.
***
Please do not hesitate to contact Dr. Oliver Massmann under omassmann@duanemorris.com if
you have any questions or want to know more details on the above. Dr. Oliver Massmann is
the General Director of Duane Morris Vietnam LLC.