Support Centre



Law: Individual Privacy Act, 2075 (2018) ('the Privacy Act')

Regulator: There is no general data protection authority.

Summary: Privacy in Nepal is regulated by the Data Act 2079 (2022) (only available in Nepali here) ('the Data Act'), the Privacy Act, and the Individual Privacy Regulation 2077 (2020) ('Privacy Regulation') (only available in Nepali here). The Data Act which entered into force on October 13, 2022, regulates the generation, regulation, storage, and publication of data and outlines obligations for data controllers, producers, and users' of data. The Privacy Act, on the other hand, gives effect to the constitutional right to privacy and includes provisions on data collection, storage, and disclosure, and requires the consent of an individual before collecting their personal information.

Furthermore, Article 28 of the Constitution of Nepal provides individuals with the fundamental right to privacy; while the National Criminal Code 2074 (2017) ('Criminal Code') also contains general provisions relating to privacy and data protection.


With the ever-growing number of beneficiaries of information communication and technology, cybersecurity practices in Nepal have remained vulnerable to cyber threats, and Nepali companies were targetted by some of the largest cyberattacks in recent years. The Cyber Security Bylaw 2020 ('the Bylaw'), issued by the Nepal Telecommunication Authority ('NTA') in August 2020, therefore, is a commendable legislative development to strengthen cybersecurity in Nepal.

The Bylaw is applicable to entities licensed by the NTA ('Licensees'), such as telecommunication service providers, internet service providers, etc. Licensees are required to comply with the security standards and requirements set out in the Bylaw. Anjan Neupane and Saurav Karki, Partner and Senior Associate at Neupane Law Associates respectively, discuss the Bylaw in this article.