Those who illegally sell or purchase personal data of over 10,000 data subjects would face a fine of VND 80-100 million (USD 3,400-4,300).
This is proposed by the Ministry of Public Security (MPS) under a draft decree on sanctioning of administrative violations in the field of cyber security.
The fine level of VND 80-100 million would also apply to acts of disclosing or losing personal data after transmitting data across borders, causing consequences to up to 10,000 data subjects being Vietnamese nationals. In case the number of involved data subjects mounts to 100,000 or 1 million, the fine level would be doubled or tripled, respectively. If more than 1 million Vietnamese data subjects are affected, violators would be subject to a fine equaling to 5 percent of their total revenue in Vietnam.
Those failing to stop or cancel the processing of, or delete children’s personal data in case such acts are required by law would also be fined up to VND 100 million.
The draft proposes a fine of VND 60-80 million (USD 2,600-3,400) for such acts as (i) processing personal data in contravention of law; (ii) failing to notify data subjects of activities related to the processing of their personal data; (iii) failing to comply with regulations on declaration on processing of personal data; and (iv) failing to apply data protection and confidentiality measures.
The fine of VND 60-80 million would also be imposed on acts of processing children’s personal data in contravention of law or failing to verify children’s ages or processing children’s data without their parents’ or guardians’ consent.
The draft decree also sets out sanction forms and fine levels applicable to other acts, including violation of regulations on information security, prevention of cyberattack, implementation of cyber security protection, prevention and combat of using cyberspace, information technology and electronic means to violate the law on social order and safety.
The principal penalty for all violations in the field of cyber security would be reprimand or fine. Depending on the nature and severity of their violations, violators would be subject to one or more than one additional penalty, including deprivation of the right to use permits or certificates for a definite time or suspension of operation for a definite time; confiscation of material evidences, means and documents of administrative violations; or prohibition from practicing or doing jobs related to violations in the field of cyber security.
In addition to remedial measures stated in the Law on Handling of Administrative Violations, cyber security violators would have to remove violated programs or software; delete data that are illegally appropriated, traded or exchanged; or return the IP addresses, domain names or e-accounts they have been granted.- (VLLF)
