
Nepal - Data Protection Overview

March 2021

INTRODUCTION

Currently, Nepal does not have a unified data protection legislation. The Individual Privacy Act 2075 (2018) ('the Privacy Act'), enacted to implement and safeguard the fundamental right to privacy guaranteed by the Constitution, and the Individual Privacy Regulation 2077 (2020) ('the Privacy Regulation'), framed thereunder, are regarded as the data protection legislation. Other general laws such as the Country Civil Code 2074 (2017) ('the Civil Code') and the National Penal (Code) Act (2017) ('the Criminal Code') also contain general provisions relating to privacy and data protection. Thus, in the absence of a specific data protection legislation, the Privacy Act and the Privacy Regulation govern all aspects of data protection and privacy in Nepal.

In recent years, data breaches have been observed frequently in Nepal, in which the data of a large number of customers, including their names, email addresses and phone numbers, were leaked in public. This has raised serious concern about data security and confidentiality among the public. However, a Bill consolidating matters relating to data protection has yet to be drafted, and it would be premature to speculate on a timeline for when the Parliament will enact a specific data protection legislation.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

The following are the prevailing laws in Nepal regulating privacy-related issues:

  • Constitution of Nepal ('the Constitution');
  • The Privacy Act;
  • Privacy Regulation;
  • The Civil Code;
  • The Criminal Code; and
  • The Labor Regulations 2074 (2017) (only available in Nepali) ('the Labour Regulations').

The Government of Nepal has tabled a Bill relating to information technology ('the IT Bill') at the Parliament for discussion. The IT Bill contains provisions relating to the privacy, confidentiality and security of information or data maintained in electronic form. Provisions of the IT Bill, however, are subject to revision before its enforcement as a law. It should be noted that the provisions of the Bill outlined in this publication are for the purpose of general discussion only and have yet to be enacted as a law.

1.2. Guidelines

As the Privacy Act and the Privacy Regulation were promulgated only recently, privacy and data protection laws are at a nascent stage of development. Furthermore, the courts have yet to hand down any interpretation of the provisions of the Privacy Act.

1.3. Case law

The following are case laws from the Supreme Court in relation to privacy matters:

Baburam Aryal v. GON [N.K.P. 2074, 25]:

The Supreme Court laid down that the right to privacy guaranteed by the Constitution is a fundamental right that may not be violated by the State or third parties. The Supreme Court further ruled that under the right to privacy, matters relating to a person's body, residence, property, documentation, data, communications, and character are inviolable, except as permitted by the law. An organisation or department that collects information and has undertaken the responsibility of such information shall not use such information at its discretion. Instead, such an organisation or department must protect such a 'data bank' of information at any cost. The Supreme Court further laid down that such an organisation or department must not allow unauthorised access to such a data bank, even as an exception in the absence of a clear legal basis.

Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2064, 1208]:

The Supreme Court held that the right to privacy guaranteed by the Constitution must be protected. An exception to this general principle is that information relating to a person may be shared with third parties only in cases where prior consent from the concerned person has been obtained.

2. SCOPE OF APPLICATION

2.1. Personal scope

Article 28 of the Constitution guarantees the right to privacy as a fundamental right granted to all individuals. The Privacy Act, read in conjunction with the Civil Code and the Criminal Code, strives to protect the personal information of all individuals. The Constitution, the Privacy Act, the Privacy Regulation, the Civil Code, and the Criminal Code impose obligations upon the State, state entities, organisations, legal entities, and all other agencies which collect and retain personal information to protect and safeguard such personal information.

2.2. Territorial scope

The Privacy Act is silent on its applicability to foreign entities that have no physical presence in Nepal but collect, use or process the personal information of Nepali citizens, individuals residing in Nepal, or individuals located in Nepal. Generally, laws enacted by the Parliament have extra-territorial jurisdiction only where this is specifically provided in the legislation. Thus, on a strict interpretation, the Privacy Act does not appear to have extra-territorial applicability and applies only to entities registered in or operating within Nepal. We have yet to see a definite ruling from the courts on various aspects of privacy laws, including their extra-territorial applicability.

The IT Bill, however, aims to apply throughout Nepal as well as to persons and entities located outside Nepal, where such persons or entities process the personal information of Nepali individuals or of persons located within Nepal.

2.3. Material scope

Not applicable.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The Privacy Act and the Privacy Regulation do not establish a data protection authority or regulatory authority responsible for the administration and enforcement of privacy and data protection matters in Nepal. 

3.2. Main powers, duties and responsibilities

Not applicable.

4. KEY DEFINITIONS

Data controller: The applicable laws do not define the term 'data controller.'

Data processor: The applicable laws do not define the term 'data processor.'

Personal data: Section 2(c) of the Privacy Act defines the term 'personal information' as:

  • caste, race, birth, origin, religion, colour, or marital status of an individual;
  • education or academic qualification of an individual;
  • address, telephone, or email address of an individual;
  • passport details, citizenship certificate, national identity number, driving license, voter identity card, or other identification card issued by any public body to an individual;
  • correspondence sent or received by an individual containing personal information;
  • fingerprint, palm lines, retina of eye, blood group, or other biometric information of an individual;
  • details of criminal background, punishment, or sentence served by an individual for a criminal offence; and
  • views or opinions expressed by an individual in the capacity of a professional or an expert in a decision-making process.

Sensitive data: Section 27(2) of the Privacy Act defines the term 'sensitive information' as:

  • caste, race, or origin of an individual;
  • political affiliation;
  • religious faith or belief;
  • sexual orientation or an event relating to one's sex life; or
  • particulars relating to property.

Health data: The applicable laws do not define the term 'health data.'

Biometric data: 'Biometric data' is not defined under the applicable laws. Nonetheless, biometric data is regarded as 'personal information' under the Privacy Act.

Pseudonymisation: The applicable laws do not define the term 'pseudonymisation.'

5. LEGAL BASES

5.1. Consent

Under the Privacy Act and the Privacy Regulation, an individual's consent must be obtained before his/her personal information is collected or processed. However, neither the term 'consent' nor the procedure for obtaining it is defined.

5.2. Contract with the data subject

Whilst consent from an individual is required to be obtained before collecting or processing his/her personal information, there is no requirement to enter into a data processing agreement or contract with the person.

5.3. Legal obligations

Legal obligations of public bodies and private entities involved in collection or processing of personal information under the applicable laws include:

  • to obtain consent before obtaining personal information or data;
  • to disclose information such as objective behind data collection and to provide assurance relating to privacy of collected information;
  • to allow for amendment or rectification of personal information, in the event the person to whom such information relates believes that the information is not accurate and wishes to amend it;
  • to use the collected information or data only for the purpose for which the consent was obtained;
  • not to publish or disclose or cause to publish or disclose personal information without the consent of the concerned individual; and
  • not to process or cause to process sensitive personal information under its possession and control.

5.4. Interests of the data subject

Under the Privacy Act, personal information or sensitive personal information may be processed without the consent of an individual where processing is required for the alleviation, identification or treatment of a disease or health condition of the individual. However, such processing may only be carried out under the instruction of a licensed medical practitioner and must be done without insulting or humiliating the person.

5.5. Public interest

Governmental agencies may collect or process personal information under the Privacy Act and the Privacy Regulation on the following 'public interest' grounds:

  • maintenance of national security, peace and order;
  • investigation or prosecution of a criminal offence, other court action or for law enforcement; and
  • public research and studies or for collecting public opinion.

5.6. Legitimate interests of the data controller

The applicable laws contain no specific provision under which personal data or information may be collected, stored or processed on the basis of the legitimate interests of the data controller.

5.7. Legal bases in other instances

Not applicable.

6. PRINCIPLES

The major principles of data processing recognised under the applicable laws include:

Lawfulness: The collection, storage, analysis, processing or publishing of personal information is prohibited except as authorised by law. Notwithstanding the foregoing, personal information may also be obtained, processed and used after obtaining the consent of the individual.

Principle of Purpose Limitation: A government agency or body corporate collecting or processing personal information with the consent of persons must use such information for the specific purpose for which it is collected.

Accuracy Principle: Where an individual submits an application to a public body to correct his/her information which is under the responsibility, control or protection of that body, along with sufficient evidence requiring the change, the public body must correct the information if it deems it necessary to do so. However, such correction is made only upon request; there is no provision for automatic correction of personal data.

The above-mentioned provisions are applicable to public bodies only and not to private entities.

Principles of Integrity and Confidentiality: The applicable laws mandate public bodies to protect personal information under their control and responsibility and to make proper arrangements against the risk of unauthorised use, change, disclosure, publication or transmission of such personal information. However, these obligations of security and confidentiality apply only to public bodies and not to private entities.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

The laws in force, including the Privacy Act and the Privacy Regulation, do not contain any provision or mechanism regarding notification or the registration of a complaint.

7.2. Data transfers

The Privacy Act and the Privacy Regulation do not specifically regulate data transfers. However, Section 12(4) of the Privacy Act prohibits the disclosure, publication or transfer of the following data of an individual without the consent of that individual:

  • details relating to a medical examination;
  • details relating to property and income;
  • details relating to employment;
  • details relating to family matters;
  • biometric data and fingerprints;
  • signatures or electronic signatures;
  • details relating to political affiliation and voting; and
  • details relating to profession and business.

The term 'transfer', as used above, may cover the transfer of personal data outside Nepal, thereby requiring specific consent from the individual.

The Privacy Act and the Privacy Regulation do not contain provisions for the outsourcing of data.

7.3. Data processing records

Data processors or data controllers are not obliged to maintain a record of data processing activities undertaken by them under the applicable laws.

7.4. Data protection impact assessment

There is no provision requiring Data Protection Impact Assessment under the Privacy Act and the Privacy Regulation.

7.5. Data protection officer appointment

The current applicable laws do not provide for a data protection officer.

7.6. Data breach notification

The current applicable laws do not prescribe any notification requirement in the event of a data breach.

In the event of a breach of data privacy, there is no obligation to notify any particular agency of the Government.

7.7. Data retention

Section 23(1) of the Privacy Act provides that an officer authorised under the law or a person authorised by such an officer may store an individual's personal information as an exception. However, the Privacy Act and the Privacy Regulation neither provide for a specific procedure nor a time duration for retention of data.

Rule 81(1) of the Labour Regulations provides that an employer shall record the name, address, family details, citizenship certificate, contact phone number, email, and other details of an employee as deemed necessary by the employer. In addition, Rule 81(3) provides that the employer must retain records relating to the remuneration and attendance of an employee for a minimum period of five years.

7.8. Children's data

Anyone below the age of 18 years is considered a minor under Nepali law. Under the Privacy Act, if any personal information to be obtained, published, or disclosed belongs to a minor, such information may be obtained, published or disclosed only if the consent of his/her guardian or the person holding parental responsibility has been obtained. There are no other separate requirements to be fulfilled when processing a minor's personal information or data.

7.9. Special categories of personal data

Processing of sensitive personal information is strictly prohibited under the Privacy Act, unless:

  • it is required for prevention, alleviation, diagnosis or treatment of a disease, or for protection of public health provided that such processing is done under the instruction of a licensed medical practitioner or a person directed by such practitioner; or
  • an individual to whom such sensitive information belongs has already made such information public.

Refer to the definitions section above for what constitutes sensitive personal information under the Privacy Act.

7.10. Controller and processor contracts

Not applicable. Neither the Privacy Act nor the Privacy Regulation specifically provides for data controllers and processors or regulates their relationship.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

The applicable laws neither define the term 'data controller' nor specifically provide for the rights and responsibilities of a data controller. Section 23(1) of the Privacy Act provides that an officer authorised under the laws or a person authorised by such an officer may collect the personal information of an individual.

Section 23(4) of the Privacy Act provides that an officer, who collects personal information, has the responsibility of notifying the following details to the individual from whom personal information is being collected:

  • time for information collection;
  • the subject matter of information;
  • nature of the information;
  • method and procedure of analysis of information; and
  • other matters including protection of collected information.

Section 25 of the Privacy Act provides that a public agency, which collects personal information, has the following responsibilities:

  • to protect the information collected;
  • to make appropriate arrangements to secure such information against the risk of unauthorised access or unauthorised use; and
  • to secure such information against the risk of an unauthorised amendment, disclosure, publication, or advertisement thereof.

8.2. Right to access

An individual whose personal information is being collected or processed has the right to obtain the following information at the time of collection:

  • time of collection;
  • nature and content of information being collected;
  • objective behind its collection;
  • method of processing; and
  • assurance as to privacy of collected information.

8.3. Right to rectification

In the event that personal information, which is under the responsibility, protection, and control of a public body, is found to be inaccurate, then an individual may file an application for rectification of the same (Section 28 of the Privacy Act).

The right to rectification under the Privacy Act and the Privacy Regulation extends only to information collected by public bodies and not by private entities.

8.4. Right to erasure

There is no specific right to erasure under the Privacy Act and the Privacy Regulation.

8.5. Right to object/opt-out

Neither the Privacy Act nor the Privacy Regulation provides for a right to withdraw consent once it has been granted.

8.6. Right to data portability

There is no provision regarding the right to data portability under the Privacy Act and the Privacy Regulation.

8.7. Right not to be subject to automated decision-making

Neither the Privacy Act nor the Privacy Regulation provides for a right not to be subject to automated decision-making.

8.8. Other rights

An individual has the right to be asked for consent before an officer provides others with personal information relating to him/her which has been collected by, or is under the control of, a public agency or body corporate (Section 26 of the Privacy Act).

9. PENALTIES

A person who commits an offence under the Privacy Act is liable to imprisonment of up to three years or a fine of up to NPR 30,000 (approx. €240), or both (Section 29(2) of the Privacy Act).

Section 29 of the Privacy Act prescribes punishment for the following offences:

  • breaching privacy rights relating to an individual's physical and mental state;
  • breaching privacy rights of the physical body of an individual;
  • making public biometric or genetic identity, gender identity, sexual orientation, sexual relationship, pregnancy or abortion information, or physical disease of an individual;
  • searching an individual or goods in possession of the individual, or being used by such individual without his/her consent;
  • breaching privacy relating to reproductive health and pregnancy of a woman;
  • entering or searching the residence of an individual;
  • entering an individual's residence breaching the privacy of the personal life of an individual or family members of the concerned individual;
  • searching the house of an individual only by virtue of the individual's arrest;
  • installing a CCTV camera in an individual's residence;
  • unauthorised entrance into a house, land, vehicle, or other property;
  • publicising or providing others with particulars relating to the property of an individual;
  • publicising personal documents of an individual, which are maintained by a public agency;
  • disclosing or publicising personal data of an individual;
  • violating privacy rights relating to letters, correspondences, emails, or communications made through electronic means or other;
  • opening letters belonging to an individual;
  • breaching the privacy of an individual's character, personal conduct, and behaviour;
  • taking or selling pictures of an individual;
  • expressing confidential information;
  • breaching privacy of, or providing others with messages, information or correspondences of an individual, which are maintained in an electronic medium;
  • listening to, transcribing or recording communications or conversations between two individuals taking place through an electronic medium;
  • surveying or spying on residence or of the office of an individual;
  • operating drones;
  • collecting, storing, protecting, analysing, processing, or publishing personal information of an individual save for certain exceptions;
  • collecting information without informing the individual regarding the purpose for which the information is being collected;
  • collecting personal information by an authorised officer in contravention of the Act;
  • using personal information without the consent of an individual; or
  • processing sensitive information by a public agency.

In the event that an individual who holds a public office contravenes the Privacy Act, such an individual will be subject to departmental and other punishment, in addition to the punishments stated above (Section 32(2) of the Privacy Act).

9.1. Enforcement decisions

Apart from the cases mentioned in Section 1.3 above, there have been no other notable enforcement decisions relating to privacy and data protection in Nepal.