Nepal - Data Protection Overview
1. Governing Texts
Currently, Nepal does not have a unified data protection legislation. The Individual Privacy Act 2075 (2018) ('Privacy Act'), enacted to implement and safeguard the fundamental right to privacy guaranteed by the Constitution of Nepal ('the Constitution'), and the Individual Privacy Regulation 2077 (2020) ('Privacy Regulation') (available only in Nepali), framed thereunder, are regarded as the data protection legislation. Other general laws such as the National Civil Code 2074 (2017) ('the Civil Code') and the National Penal (Code) Act (2017) ('Criminal Code') also contain general provisions relating to privacy and data protection. Thus, in the absence of a specific data protection legislation, the Privacy Act and the Privacy Regulation govern all aspects of data protection and privacy in Nepal.
In recent years, data breach incidents have been observed frequently in Nepal, in which large volumes of customer data, including names, mailing addresses, and phone numbers, were leaked to the public. This has raised serious concern about data security and confidentiality among the public. However, since a consolidated Bill regulating data protection has yet to be drafted, it would be premature to speculate on a timeline for when the Parliament of Nepal ('Parliament') will enact a specific data protection legislation.
The following are the prevailing laws in Nepal regulating privacy-related issues:
- the Constitution;
- Privacy Act;
- Privacy Regulation;
- Civil Code;
- Criminal Code; and
- Labor Regulations 2074 (2017) (available only in Nepali) ('the Labour Regulations').
The Government of Nepal has tabled a Bill relating to information technology (available only in Nepali) ('IT Bill') at the Parliament for discussion. The IT Bill contains provisions relating to privacy, confidentiality, and security of information or data maintained in electronic form. Provisions of the IT Bill, however, are subject to revision before its enforcement as a law. It should be noted that the provisions of the Bill outlined in this publication are for the purpose of general discussion only and are yet to be enacted as a law.
Because the Privacy Act and the Privacy Regulation were promulgated only recently, privacy and data protection laws are at an early stage of development. Furthermore, interpretation of the provisions of the Privacy Act by the courts is yet to be handed down.
1.3. Case law
The following are case laws from the Supreme Court of Nepal ('the Supreme Court') in relation to privacy matters:
Baburam Aryal v. GON [N.K.P. 2074, 25]:
The Supreme Court laid down that the right to privacy guaranteed by the Constitution is a fundamental right that may not be violated by the State or third parties. The Supreme Court further ruled that under the right to privacy, matters relating to a person's body, residence, property, documentation, data, communications, and character are inviolable, except as permitted by the law. An organisation or department that collects information and has undertaken the responsibility of such information must not use such information at its discretion. Instead, such an organisation or department must protect such a 'data bank' of information at any cost. The Supreme Court further laid down that such an organisation or department must not allow unauthorised access to such a data bank, even as an exception in the absence of a clear legal basis.
Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2064, 1208]:
The Supreme Court held that the right to privacy guaranteed by the Constitution must be protected. An exception to this general principle is that information relating to a person may be shared with third parties only in cases where prior consent from the concerned person has been obtained.
2. Scope of Application
Article 28 of the Constitution guarantees the right to privacy as a fundamental right granted to all individuals. The Privacy Act's reading in conjunction with the Civil Code and the Criminal Code strives to protect the personal information of all individuals. The Constitution, the Privacy Act, the Privacy Regulation, the Civil Code, and the Criminal Code have imposed obligations upon the State, state entities, organisations, legal entities, and all other agencies, which collect and retain personal information, to protect and safeguard such personal information.
The Privacy Act is silent on its applicability to foreign entities that have no physical presence in Nepal but are involved in collecting, using, or processing the personal information of Nepali citizens, of individuals residing in Nepal, or of individuals located in Nepal. Generally, laws enacted by the Parliament have extra-territorial jurisdiction only where the legislation specifically so provides. Thus, on a strict interpretation, the Privacy Act does not appear to have extra-territorial applicability and applies only to entities registered in or operating within Nepal. A definitive ruling from the courts on various aspects of the privacy laws, including their extra-territorial applicability, is yet to be seen.
The IT Bill, however, aims to apply throughout Nepal as well as to persons and entities located outside Nepal where such persons or entities process the personal information of Nepali individuals or of persons located within Nepal.
3.1. Main regulator for data protection
The Privacy Act and the Privacy Regulation do not establish a data protection authority or regulatory authority responsible for the administration and enforcement of privacy and data protection matters in Nepal.
3.2. Main powers, duties and responsibilities
4. Key Definitions
Under the Privacy Act, personal information of an individual includes:
- caste, race, birth, origin, religion, colour, or marital status of an individual;
- education or academic qualification of an individual;
- address, telephone, or email address of an individual;
- passport details, citizenship certificate, national identity number, driving license, voter identity card, or other identification card issued by any public body to an individual;
- correspondence sent or received by an individual containing personal information;
- fingerprint, palm lines, retina of eye, blood group, or other biometric information of an individual;
- details of criminal background, punishment, or sentence served by an individual for a criminal offence; and
- views or opinions expressed by an individual in the capacity of a professional or an expert in a decision-making process.
Sensitive personal information under the Privacy Act includes:
- caste, race, or origin of an individual;
- political affiliation;
- religious faith or belief;
- sexual orientation or an event relating to one's sex life; or
- particulars relating to property.
5. Legal Bases
An individual's consent must be obtained before collecting or processing their personal information under the Privacy Act and the Privacy Regulation. However, neither the term 'consent' nor the procedure for obtaining it is defined.
Whilst consent from an individual is required to be obtained before collecting or processing their personal information, there is no requirement to enter into a data processing agreement or contract with the person.
Unless otherwise provided in a prevailing law, personal data collected in accordance with the Act and these rules shall only be used for the purposes for which it has been collected (Section 11 of the Privacy Regulation).
Under the Privacy Act, personal information or sensitive personal information may be processed without the consent of an individual where processing is required for the alleviation, identification, or treatment of a disease or health condition of the individual. However, such processing may only be done under the instruction of a licensed medical practitioner and must be done without insulting or humiliating the person.
Governmental agencies may collect or process personal information under the Privacy Act and the Privacy Regulation on 'public interest' grounds, which are as follows:
- maintenance of national security, peace, and order;
- investigation or prosecution of a criminal offence, other court action or for law enforcement; and
- public research and studies or for collecting public opinion.
The applicable laws do not contain a specific provision under which personal data or information may be collected, stored, or processed for the legitimate interest of a data controller.
Major principles of data processing, recognised under the applicable laws, include:
Lawfulness: The collection, storage, analysis, processing, or publishing of personal information is prohibited except as authorised by law. Notwithstanding the foregoing, personal information may also be obtained, processed, and used after obtaining the consent of the individual.
Principle of purpose limitation: A government agency or corporate body collecting or processing personal information with the consent of persons must use such information for the specific purpose for which it is collected.
Accuracy principle: Where an individual submits an application to a public body, along with sufficient evidence, to correct their information that is under the responsibility, control, or protection of that body, the public body must correct the information if it deems it necessary to do so. However, such correction is made only on request; there is no provision for automatic correction of personal data.
The above-mentioned provisions are applicable to public bodies only and not to private entities.
Principles of integrity and confidentiality: The applicable laws mandate public bodies to protect personal information under their control and responsibility and to make proper arrangements against possible risks of unauthorised use, change, disclosure, publication, or transmission of such personal information. However, these obligations of security and confidentiality apply only to public bodies and not to private entities.
7. Controller and Processor Obligations
The laws in force, including the Privacy Act and the Privacy Regulation, do not provide any provision or mechanism for either notification or registration.
The Privacy Act and the Privacy Regulation do not specifically provide provisions to regulate data transfers. However, Section 12(4) of the Privacy Act prohibits the disclosing, making public, or transferring of the following data of an individual, without the consent of the individual:
- details relating to a medical examination;
- details relating to property and income;
- details relating to employment;
- details relating to family matters;
- biometric data and fingerprints;
- signatures or electronic signatures;
- details relating to political affiliation and voting; and
- details relating to profession and business.
The term 'transfer' as mentioned above, may signify the transfer of personal data outside Nepal thereby requiring specific consent from the individual.
The Privacy Act and the Privacy Regulation do not contain provisions for the outsourcing of data.
Data processors or data controllers are not obliged to maintain a record of data processing activities undertaken by them under the applicable laws.
There is no provision requiring Data Protection Impact Assessment under the Privacy Act and the Privacy Regulation.
The current applicable laws do not provide provision for a data protection officer.
The current applicable laws do not prescribe provisions for notification in the situation of a data breach.
In the case of a breach of data privacy, there is no obligation to notify any particular agency of the Government.
Section 23(1) of the Privacy Act provides that an officer authorised under the law or a person authorised by such an officer may store an individual's personal information as an exception. However, the Privacy Act and the Privacy Regulation do not provide for a specific procedure nor a time duration for the retention of data.
Rule 81(1) of the Labour Regulations provides that an employer must record the name, address, family details, citizenship certificate, contact phone number, email, and other details as deemed necessary by the employer. In addition, Rule 81(3) provides that the employer must retain records relating to the remuneration and attendance of an employee for a minimum period of five years.
Anyone below the age of 18 years is considered to be a minor under Nepali laws. Under the Privacy Act, if any personal information to be obtained, published, or disclosed belongs to a minor, such information may be obtained, published, or disclosed only if the consent of their guardian or the person holding parental responsibility has been obtained. In addition, there are no other separate requirements to be fulfilled while processing a minor's personal information or data.
The processing of sensitive personal information is strictly prohibited under the Privacy Act, unless:
- it is required for prevention, alleviation, diagnosis, or treatment of a disease, or for protection of public health provided that such processing is done under the instruction of a licensed medical practitioner or a person directed by such practitioner; or
- an individual to whom such sensitive information belongs has already made such information public.
Kindly refer to the definition section above for details of what constitutes sensitive personal information under the Privacy Act.
The Privacy Act and the Privacy Regulation do not specifically include provisions for a data controller and processor, nor regulate their relationship.
8. Data Subject Rights
The applicable laws neither define the term 'data controller' nor specifically provide for the rights and responsibilities of a data controller. Section 23(1) of the Privacy Act provides that an officer authorised under the laws or a person authorised by such an officer may collect the personal information of an individual.
Section 23(4) of the Privacy Act provides that an officer, who collects personal information, has the responsibility of notifying the following details to the individual from whom personal information is being collected:
- time for information collection;
- the subject matter of information;
- nature of the information;
- method and procedure of analysis of information; and
- other matters including protection of collected information.
Section 25 of the Privacy Act provides that a public agency, which collects personal information, has the following responsibilities:
- to protect the information collected;
- make appropriate arrangements to secure such information against the risk of unauthorised access or unauthorised use; and
- to secure such information against the risk of an unauthorised amendment, disclosure, publication, or advertisement thereof.
An individual whose personal information is being collected or processed has the right to obtain the following information at the time of collection:
- time of collection;
- nature and content of information being collected;
- objective behind its collection;
- method of processing; and
- assurance as to privacy of collected information.
In the event that personal information, which is under the responsibility, protection, and control of a public body, is found to be inaccurate, then an individual may file an application for rectification of the same (Section 28 of the Privacy Act).
The right to rectification under the Privacy Act and the Privacy Regulation extends only to information collected by public bodies and not by private entities.
There is no specific right to erasure under the Privacy Act and the Privacy Regulation.
Neither the Privacy Act nor the Privacy Regulation provides provisions regarding the right to withdraw the consent once granted.
There is no provision regarding the right to data portability under the Privacy Act and the Privacy Regulation.
Neither the Privacy Act nor the Privacy Regulation provides provisions relating to the right not to be subject to automated decision-making.
The Privacy Act requires consent before an officer provides others with the personal information relating to the data subject which had been collected by or is under the control of a public agency or body corporate (Section 26 of the Privacy Act).
A person who commits an offence under the Privacy Act is liable to imprisonment of up to three years or a fine of up to NPR 30,000 (approx. €220), or both (Section 29(2) of the Privacy Act).
Section 29 of the Privacy Act prescribes punishment for the following offences:
- breaching privacy rights relating to an individual's physical and mental state;
- breaching privacy rights of the physical body of an individual;
- making public biometric or genetic identity, gender identity, sexual orientation, sexual relationship, pregnancy or abortion information, or physical disease of an individual;
- searching an individual or goods in possession of the individual, or being used by such individual without their consent;
- breaching privacy relating to reproductive health and pregnancy of a woman;
- entering or searching the residence of an individual;
- entering an individual's residence breaching the privacy of the personal life of an individual or family members of the concerned individual;
- searching the house of an individual only by virtue of the individual's arrest;
- installing a CCTV camera in an individual's residence;
- unauthorised entrance into a house, land, vehicle, or other property;
- publicising or providing others with particulars relating to the property of an individual;
- publicising personal documents of an individual, which are maintained by a public agency;
- disclosing or publicising personal data of an individual;
- violating privacy rights relating to letters, correspondences, emails, or communications made through electronic means or other;
- opening letters belonging to an individual;
- breaching the privacy of an individual's character, personal conduct, and behaviour;
- taking or selling pictures of an individual;
- expressing confidential information;
- breaching privacy of, or providing others with messages, information or correspondences of an individual, which are maintained in an electronic medium;
- listening to, transcribing, or recording communications or conversations between two individuals that take place through an electronic medium;
- surveying or spying on the residence or office of an individual;
- operating drones;
- collecting, storing, protecting, analysing, processing, or publishing personal information of an individual save for certain exceptions;
- collecting information without informing the individual regarding the purpose for which the information is being collected;
- collecting personal information by an authorised officer in contravention of the Privacy Act;
- using personal information without the consent of an individual; or
- processing sensitive information by a public agency.
In the event that an individual who holds a public office contravenes the Privacy Act, such an individual will be subject to departmental and other punishment, in addition to the punishments stated above (Section 32(2) of the Privacy Act).
Apart from the cases mentioned in the case law section above, there have been no other notable enforcement decisions relating to privacy and data protection in Nepal.