In this blog post, we breakdown the new Vietnamese cybersecurity regulations which apply to both Vietnamese and foreign organisations. Alongside the ongoing consultation for the Ministry of Public Security’s proposed data law, Vietnam is taking steps to move towards a data protection compliance regime in line with other countries and regions, such as the EU – something of particular relevance in a country with one of highest internet user growth rate (nearly 80 million internet users).

What Is the CAS Decree?

The Cybersecurity Administrative Sanctions Decree (CAS Decree) is a decree unveiled by the Vietnamese Ministry of Security to the Ministry of Justice in mid-May 2024.

The first draft was published for consultation in September 2021 and has undergone multiple revisions following public consultations.

Who Does It Apply To? Where Does It Apply?

The CAS Decree covers Vietnamese individuals and organisations. It also covers foreign entities including their branches or representative offices in Vietnam who provide certain technology services including telecommunications, internet, content on the internet, IT cybersecurity and cybersecurity information.

When Is It Effective From?

The CAS Decree was set to pass and become effective as of 1 June 2024. However, we understand that the CAS Decree has not yet passed and is likely to undergo further revisions before it can finally take effect. A new timeline has not been announced.

What Is the CAS Decree About?

The CAS Decree aims to improve the cybersecurity and data security obligations of Vietnamese and foreign organisations, and therefore Vietnamese data subjects. The CAS Decree introduces provisions such as:

• Fines of up to 5% of an organisation’s total revenue in Vietnam for certain breaches of data protection law including:
  • The repeated unlawful processing of individuals’ personal data for marketing and advertising
  • The repeated unlawful collection, transfer, sale and purchase of personal data
  • The failure to submit a personal data processing impact assessment
  • The failure to comply with international data transfer obligations when processing personal data of over five million Vietnamese data subjects
• Penalties where processing takes place without the data subject’s consent – or consent is obtained where the data subject is not fully informed
• The revocation or suspension of permits, certificates or licences

What Can Organisations Do To Comply?

Organisations should review the CAS Decree [in its final form] and take steps to comply with the new and updated obligations including:

• Conduct a review of your current data processing practices and/or gap analysis
• Implement or update your current policies and procedures
• Prepare and submit regulatory filings on time including the personal data processing impact assessment