Personal data protection violators in cyberspace to face fines up to VND 100 million

The Ministry of Public Security (MPS) has unveiled a draft decree on sanctioning of administrative violations in the fields of cybersecurity and personal data protection, proposing a range of severe penalties for violations of the regulations on advertising and data processing.

Under the draft, advertising service providers could face a fine of VND 50-70 million (around USD 1.900-2.600) if they use personal data beyond the permitted scope, fail to provide mechanisms enabling users to refuse data sharing, or neither specify retention periods nor delete data once they are no longer necessary.

The same fine might also be imposed for acts involving the unlawful collection, transfer or sale of personal data. Such violations include unauthorised data transfer, personal information trading which is not severe enough to warrant criminal prosecution, and the establishment of technical systems to unlawfully collect data. The use of personal data in the development and operation of artificial intelligence systems in contravention of law would also be subject to such fine.

Those repeatedly committing such violations might face harsher penalties, with a fine equal to 5 per cent of their total revenues generated in Vietnam in the fiscal year preceding the year of violation.

Regarding violations involving the cross-border transfer of personal data, the draft proposes a fine of VND 70-100 million (roughly USD 2.600-3.800) for failure to prepare impact assessment dossiers, to submit such dossiers to the authorities or to comply with the notification and inspection requirements.

According to the MPS, penalties are set to escalate in proportion to the scale of the misused data. Violations involving the exposure, loss or cross-border transfer of personal data affecting between 100,000 and fewer than 1 million individuals would be subject to a fine doubling the above level. For cases involving between 1 million and 5 million people, penalties could increase fivefold. If violations involve more than 5 million persons, institutional violators might be fined at 3-5 per cent of their total revenues generated in Vietnam in the fiscal year preceding the year of violation.

The draft also proposes additional sanctions, including the revocation of business licences, suspension of data processing activities, confiscation of material evidences, and deportation in cases involving foreign violators.

In addition, violators would be required to implement remedial measures, such as making and archiving dossiers, deleting illegally obtained data, returning any illicit gains, and making public apologies in accordance with law.

- (VLLF)