Nepal - Data Protection Overview

February 2024

1. Governing Texts

Nepal currently has no unified data protection legislation. On September 13, 2022, the Data Act 2079 (2022) (available only in Nepali) ('the Data Act') was promulgated, and it came into force on October 13, 2022. Its stated aim is to consolidate the laws relating to data collection and to make the production, processing, storage, publication, and distribution of data more reliable, systematic, and timely. Nevertheless, the Data Act fell short of expectations: it neither clarifies data protection matters nor contains comprehensive provisions on the collection, processing, storage, and publication of data or on privacy. Instead, it focuses primarily on regulating data collected by governmental and public entities for official purposes rather than on general data privacy. The Individual Privacy Act 2075 (2018) ('the Privacy Act') was enacted to implement and safeguard the fundamental right to privacy guaranteed by the Constitution of Nepal ('the Constitution'). The Privacy Act, the Individual Privacy Regulation 2077 (2020) ('Privacy Regulation') (available only in Nepali) framed under it, and the Data Act are regarded as the primary data protection legislation. Other general laws, such as the National Civil Code 2074 (2017) ('the Civil Code') and the National Criminal Code 2074 (2017) ('Criminal Code'), also contain general provisions on privacy and data protection. Thus, in the absence of specific data protection legislation, the Privacy Act, the Privacy Regulation, and the Data Act govern data protection and privacy in Nepal.

In recent years, data breaches have been reported frequently in Nepal, with large volumes of customer data, including names, email addresses, and phone numbers, leaked publicly. This has raised serious public concern about data security and confidentiality. However, a consolidated Bill regulating data protection has yet to be drafted.

1.1. Key acts, regulations, directives, bills

The following are the prevailing laws in Nepal regulating privacy-related issues:

  • the Constitution;
  • Privacy Act;
  • Privacy Regulation;
  • Data Act;
  • Civil Code;
  • Criminal Code; and
  • Labor Regulations 2074 (2017) (available only in Nepali) ('the Labor Regulations').

In the past, the Government of Nepal ('the Government') had tabled the Bill relating to Information Technology 2075 (2019) ('IT Bill') (available only in Nepali) in the Parliament for discussion. The IT Bill contained provisions relating to the privacy, confidentiality, and security of information or data maintained in electronic form. However, the IT Bill has been withdrawn from the Federal Parliament of Nepal ('the Parliament'), and a new bill to regulate the information technology sector has yet to be proposed as of this date.

1.2. Guidelines

Privacy and data protection-related laws are in the early stages of development in Nepal. Furthermore, interpretation of the provisions of the Privacy Act and the Data Act by the courts is yet to be handed down.

1.3. Case law

The following are case laws from the Supreme Court of Nepal ('the Supreme Court') in relation to privacy matters:

Baburam Aryal v. The Government of Nepal [N.K.P. 2074, 25]:

The Supreme Court laid down that the right to privacy guaranteed by the Constitution is a fundamental right that may not be violated by the State or third parties. The Supreme Court further ruled that under the right to privacy, matters relating to a person's body, residence, property, documentation, data, communications, and character are inviolable, except as permitted by the law. An organization or department that collects information and has undertaken the responsibility of safeguarding such information must not use such information at its discretion. Instead, such an organization or department must protect such a 'data bank' of information at any cost. The Supreme Court further laid down that such an organization or department must not allow unauthorized access to such a data bank, even as an exception in the absence of a clear legal basis.

Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et. al. [N.K.P. 2064, 1208]:

The Supreme Court held that the right to privacy guaranteed by the Constitution must be protected. An exception to this general principle is that information relating to a person may be shared with third parties only in cases where prior consent from the concerned person has been obtained.

Roshani Poudel et. al. v. Office of the Prime Minister and Council of Ministers et. al. [N.K.P. 2077, 1232]:

The Supreme Court held that it is imperative to guarantee the right to privacy in order to protect people from discrimination and condemnation. Disclosure of the personal information of a person or citizen, except for a specific and legal purpose, violates the right against exploitation, the right against violence, the right to privacy, the right to live with dignity, and the established jurisprudence that governs the right to non-discrimination on the basis of health, as well as international law, the Constitution, and the Privacy Act.

2. Scope of Application

2.1. Personal scope

Article 28 of the Constitution guarantees the right to privacy as a fundamental right granted to all individuals. The Privacy Act, read in conjunction with the Civil Code and the Criminal Code, strives to protect the personal information of individuals. The Constitution, Data Act, Privacy Act, Privacy Regulation, Civil Code, and Criminal Code impose obligations upon the State, state entities, organizations, legal entities, and all other agencies that collect and retain personal information to protect and safeguard such personal information.

2.2. Territorial scope

The Privacy Act and the Data Act are silent on their applicability to foreign entities that have no physical presence in Nepal but collect, use, or process the personal information of Nepali citizens, individuals residing in Nepal, or individuals located in Nepal. Generally, laws enacted by the Parliament have extra-territorial jurisdiction only where the legislation specifically so provides. Thus, on a strict interpretation, the Privacy Act does not appear to have extra-territorial applicability and applies only to entities registered in or operating within Nepal. A definitive court ruling on the various aspects of the privacy laws, including their extra-territorial applicability, is yet to be seen.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Privacy Act and the Privacy Regulation do not establish a data protection authority or regulatory authority responsible for the administration and enforcement of privacy and data protection matters in Nepal. The Data Act provides for the establishment of a National Data Office ('Data Office') for the sole purpose of engaging in tasks relating to data or statistics, i.e., acting as a central data bank. Nonetheless, the Data Office has not been empowered to act as a regulatory agency.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: The applicable laws do not define the term 'data controller.'

Data processor: The applicable laws do not define the term 'data processor.'

Personal data: Section 2(c) of the Privacy Act defines the term 'personal information' as:

  • caste, race, birth, origin, religion, color, or marital status of an individual;
  • education or academic qualification of an individual;
  • address, telephone, or email address of an individual;
  • passport details, citizenship certificate, national identity number, driving license, voter identity card, or other identification card issued by any public body to an individual;
  • correspondence sent or received by an individual containing personal information;
  • fingerprint, palm lines, the retina of the eye, blood group, or other biometric information of an individual;
  • details of criminal background, punishment, or sentence served by an individual for a criminal offense; and
  • views or opinions expressed by an individual in the capacity of a professional or an expert in a decision-making process.

Sensitive data: Section 27(2) of the Privacy Act defines the term 'sensitive information' as:

  • caste, race, or origin of an individual;
  • political affiliation;
  • religious faith or belief;
  • sexual orientation or an event relating to one's sex life; or
  • particulars relating to property.

Health data: The applicable laws do not define the term 'health data.'

Biometric data: The term 'biometric data' is not defined under the applicable laws. Nonetheless, biometric data is regarded as 'personal information' under the Privacy Act.

Pseudonymization: The applicable laws do not define the term 'pseudonymization.'

5. Legal Bases

5.1. Consent

Consent from an individual must be obtained before collecting or processing their personal information under the Privacy Act and the Privacy Regulation. However, neither the term 'consent' nor the procedure for obtaining it is defined.

Rule 5(2)(b) of the Privacy Regulation provides that consent in writing must be obtained from a data subject to disclose or publish their personal data stored in electronic medium. Similarly, Section 10(1)(b) of the Data Act also requires that the Data Office or governmental agencies or entities obtain consent in writing from an individual or their legal representative before disclosing or publishing their personal information to anyone other than authorized officers or using such personal information as evidence before any agency.

5.2. Contract with the data subject

Whilst consent from an individual is required to be obtained before collecting or processing their personal information, there is no requirement to enter into a data processing agreement or a contract with the person. Consent in writing in any form shall satisfy the requirements of the law.

5.3. Legal obligations

Rule 11 of the Privacy Regulation provides that unless otherwise provided in other prevailing laws, the personal data of a person collected in accordance with the Privacy Act and the Privacy Regulation shall only be used for the purposes for which it has been collected. Section 13(3) of the Data Act also provides such protection.

Further, Section 8(1) of the Data Act imposes an obligation upon government agencies and any other entities, including private entities, to obtain permission from the Data Office before collecting or publishing data representing the national level. In addition, such data must be certified by the Data Office before being published or brought into use.

5.4. Interests of the data subject

Under the Privacy Act, personal information or sensitive personal information may be processed, without the consent of an individual, in the event processing is required for alleviation, identification, or treatment of disease or health condition of the individual. However, such processing can only be done under the instruction of a licensed medical practitioner which must be done without insulting or humiliating the person.

5.5. Public interest

Governmental agencies may collect or process personal information under the Privacy Act and the Privacy Regulation under 'public interest' grounds which are as follows:

  • maintenance of national security, peace, and order;
  • investigation or prosecution of a criminal offense, other court action, or for law enforcement; and
  • public research and studies or for collecting public opinion.

5.6. Legitimate interests of the data controller

The applicable laws do not provide for a specific provision whereby personal data or information may be collected, stored, or processed for the legitimate interest of the data controller.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Major principles of data processing, recognized under the applicable laws, include:

Lawfulness: The collection, storage, analysis, processing, or publishing of personal information is prohibited except as authorized by law. Notwithstanding the foregoing, personal information may be collected, processed, and used after obtaining consent from the individual.

Principle of purpose limitation: A government agency or corporate body, that collects or processes personal information with the consent from an individual, must use such personal information for the specific purposes for which it is collected.

Accuracy principle: In the event that an individual submits an application to a public body to correct their personal data, which is under the responsibility, control, or protection of such body, along with sufficient evidence justifying the change, the public body must correct the information if it deems it necessary to do so. However, such correction is made only on request. There is no provision for automatic correction of personal data.

Principles of integrity and confidentiality: The applicable laws mandate public bodies to protect personal information under their control and responsibility and to make proper arrangements against the risks of unauthorized use, change, disclosure, publication, or transmission of such personal information.

7. Controller and Processor Obligations

7.1. Data processing notification

Section 5(1) of the Data Act authorizes the Government to issue a notification for the collection of data on any subject. Further, the Chief Data Officer of the Data Office is empowered to inspect the accuracy of data collected by the Data Office. Similarly, Section 7(1) of the Data Act provides that, apart from the Data Office, any governmental agency or public entity may collect data if so provided by other prevailing laws. Section 12(1) of the Data Act provides that the Data Office, governmental agency, or public entity must process the data within the specified time using automated and modern methodology.

Apart from the above-mentioned provisions laid down by the Data Act, data processing notification is not required under the laws in force.

7.2. Data transfers

The Privacy Act and the Privacy Regulation do not specifically provide provisions to regulate data transfers. However, Section 12(4) of the Privacy Act prohibits the disclosing, making public, or transferring of the following data of an individual without their consent:

  • details relating to a medical examination;
  • details relating to property and income;
  • details relating to employment;
  • details relating to family matters;
  • biometric data and fingerprints;
  • signatures or electronic signatures;
  • details relating to political affiliation and voting; and
  • details relating to profession and business.

The term 'transfer' as mentioned above, may signify the transfer of personal data outside Nepal thereby requiring specific consent from the individual.

The Privacy Act and the Privacy Regulation do not contain provisions for the outsourcing of data.

7.3. Data processing records

Apart from the obligation imposed by Section 12(1) of the Data Act upon the Data Office, governmental agency, or public entity to process data within the specified time by using automated and modern methodology, neither data processors nor data controllers are obliged to maintain a record of data processing activities undertaken by them.

7.4. Data protection impact assessment

Neither the Privacy Act, the Privacy Regulation, nor the Data Act requires a data collector or controller to conduct a data protection impact assessment for cross-border transfers of personal data.

7.5. Data protection officer appointment

The Privacy Act has yet to establish a data protection authority or regulatory authority responsible for the administration and enforcement of privacy and data protection-related matters. The Data Act envisages the appointment of a Chief Data Officer who acts as the administrative chief of the Data Office. Unless a data protection officer is appointed under other prevailing laws, i.e., the Privacy Act, etc., the Chief Data Officer of the Data Office acts as the data protection officer for matters arising under the Data Act.

7.6. Data breach notification

The prevailing data protection laws neither define the term 'data breach' nor contain provisions relating to notification in the event of data breach. Nonetheless, Section 25 of the Privacy Act imposes an obligation upon public entities, that collect or process personal information, to protect personal information and also to make necessary provisions for the protection of personal information against unauthorized use, tampering, divulgence, publication, or broadcasting. Further, Section 21(1) of the Data Act classifies an act of damaging or destroying public data as a criminal offense and prescribes punishment for such offense.

7.7. Data retention

Section 23(1) of the Privacy Act provides authority to an officer authorized under the law or a person authorized by such an officer to store personal information of an individual. However, the Privacy Act and the Privacy Regulation do not provide for a specific procedure nor a time duration for the retention of data.

Rule 81(1) of the Labor Regulations provides that an employer must record name, address, family details, citizenship certificate, contact phone number, email, and other details as deemed necessary by the employer. In addition, Rule 81(3) provides that the employer must retain records relating to the remuneration and attendance of an employee for a minimum period of five years.

7.8. Children's data

Anyone below the age of 18 years is considered to be a minor under Nepali laws. Under the Privacy Act, if any personal information to be obtained, published, or disclosed belongs to a minor, such information may be obtained, published, or disclosed only if the consent of their guardian or the person holding parental responsibility has been obtained. In addition, there are no other separate requirements to be fulfilled while processing personal information or data of a minor.

7.9. Special categories of personal data

The processing of sensitive personal information is strictly prohibited under the Privacy Act, unless:

  • it is required for prevention, alleviation, diagnosis, or treatment of a disease, or for protection of public health provided that such processing is done under the instruction of a licensed medical practitioner or a person directed by such practitioner; or
  • an individual to whom such sensitive information belongs has already made such information public.

Kindly refer to the definition section above for the details as to what includes sensitive personal information under the Privacy Act.

7.10. Controller and processor contracts

Not applicable.

The Privacy Act and the Privacy Regulation do not specifically include provisions for a data controller and processor, nor regulate their relationship.

8. Data Subject Rights

8.1. Right to be informed

Section 23(1) of the Privacy Act provides that an officer authorized under the laws or a person authorized by such an officer may collect the personal information of an individual.

Section 23(4) of the Privacy Act provides that an officer, who collects personal information, has the responsibility of notifying the following details to an individual from whom personal information is being collected:

  • time for information collection;
  • the subject matter of information;
  • nature of the information;
  • method and procedure of analysis of information; and
  • other matters including the protection of collected information.

Section 25 of the Privacy Act further provides that a public agency, that collects personal information, has the following responsibilities:

  • to protect the information collected;
  • make appropriate arrangements to secure such information against the risk of unauthorized access or unauthorized use; and
  • to secure such information against the risk of an unauthorized amendment, disclosure, publication, or advertisement thereof.

Similarly, Section 13(1) of the Data Act provides that a data collector must inform the data subject about the purpose of data collection and matters relating to privacy prior to the collection of the data.

8.2. Right to access

Section 12(4)(d) of the Data Act provides that while distributing data collected under it, users shall have access to all kinds of data. Under Section 18(1) of the Data Act, the Data Office or governmental agencies or public entities may provide partial or full access to processed data, semi-processed data, or raw (primary) data to the public without disclosing the identity of the data subject which were collected by them pursuant to the provisions thereof.

8.3. Right to rectification

Section 28 of the Privacy Act provides provisions for rectification of inaccurate data. In the event that personal information, which is under the responsibility, protection, and control of a public body, is found to be inaccurate, then an individual may submit a request for rectification of the inaccurate personal information.

The right to rectification under the Privacy Act and the Privacy Regulation extends only to information collected by public bodies and not by private entities.

Unlike the rectification provisions in the Privacy Act, the Data Act incorporates a different procedure for ensuring the accuracy of collected data. Section 6(1) of the Data Act gives the Chief Data Officer of the Data Office the authority to inspect the accuracy of data collected by the Data Office before it is published.

8.4. Right to erasure

There is no specific right to erasure under the Privacy Act or the Privacy Regulation or the Data Act.

8.5. Right to object/opt-out

Neither the Privacy Act, the Privacy Regulation nor the Data Act provides provisions regarding the right to withdraw consent once granted.

8.6. Right to data portability

There is no provision regarding the right to data portability under the Privacy Act and the Privacy Regulation.

8.7. Right not to be subject to automated decision-making

Neither the Privacy Act nor the Privacy Regulation nor the Data Act provides provisions relating to the right not to be subject to automated decision-making.

8.8. Other rights

Section 26 of the Privacy Act requires consent of the data subject before an officer provides others with the personal information relating to the data subject which had been collected by or is under the control of a public agency or body corporate.

9. Penalties

A person, who commits an offence under the Privacy Act, is liable for a punishment of imprisonment of up to three years or a fine of up to NPR 30,000 (approx. $230), or both. (Section 29(2) of the Privacy Act)

Section 29 of the Privacy Act prescribes punishment for the following offenses:

  • breaching privacy rights relating to an individual's physical and mental state;
  • breaching privacy rights of the physical body of an individual;
  • making public biometric or genetic identity, gender identity, sexual orientation, sexual relationship, pregnancy or abortion information, or physical disease of an individual;
  • searching an individual or goods in possession of the individual, or being used by such individual without their consent;
  • breaching privacy relating to reproductive health and pregnancy of a woman;
  • entering or searching the residence of an individual;
  • entering an individual's residence breaching the privacy of the personal life of an individual or family members of the concerned individual;
  • searching the house of an individual only by virtue of the individual's arrest;
  • installing a CCTV camera in an individual's residence;
  • unauthorized entrance into a house, land, vehicle, or other property;
  • publicizing or providing others with particulars relating to the property of an individual;
  • publicizing personal documents of an individual, which are maintained by a public agency;
  • disclosing or publicizing the personal data of an individual;
  • violating privacy rights relating to letters, correspondences, emails, or communications made through electronic means or other;
  • opening letters belonging to an individual;
  • breaching the privacy of an individual's character, personal conduct, and behavior;
  • taking or selling pictures of an individual;
  • expressing confidential information;
  • breaching the privacy of, or providing others with messages, information, or correspondences of an individual, which are maintained in an electronic medium;
  • listening to, transcribing, or recording communications or conversations between two individuals taking place through an electronic medium;
  • surveying or spying on the residence or of the office of an individual;
  • operating drones;
  • collecting, storing, protecting, analyzing, processing, or publishing personal information of an individual save for certain exceptions;
  • collecting information without informing the individual regarding the purpose for which the information is being collected;
  • collecting personal information by an authorized officer in contravention of the Privacy Act;
  • using personal information without the consent of an individual; or
  • processing sensitive information by a public agency.

In the event that an individual who holds a public office contravenes the Privacy Act, such an individual will be subject to departmental and other punishment, in addition to the punishments stated above. (Section 32(2) of the Privacy Act)

A person, who commits any of the following offenses specified in the Data Act, shall be liable for a punishment of imprisonment of up to one year or a fine of up to NPR 40,000 (approx. $300), or both. (Section 26(2)(c) of the Data Act):

  • if data representing the national level is collected without permission from the Data Office;
  • if collected data representing the national level is used without certification from the Data Office;
  • if a person responsible for data, negligently or intentionally destroys or damages the data or attempts to destroy or damage the data;
  • if the data or computer database or electronic records are disclosed or published violating confidentiality provisions relating to personal data; and
  • if facts are distorted while collecting data, or collected data is used for purposes other than those for which it was collected.

9.1 Enforcement decisions

Apart from the cases discussed in the case law section above, there have been no other notable enforcement decisions relating to privacy and data protection issues in Nepal.
