Nepal: An introduction to the Individual Privacy Act 2018
Nepal's legal system has undergone massive changes recently. It became a federal republic following the promulgation of the Constitution of Nepal 2015 ('the Constitution'), and the Criminal (Code) Act 2017 ('the Criminal Code'). Both are considered to be milestones in the modernisation of the legal system in Nepal. Article 28 of the Constitution declared the right to privacy and protection of information as a fundamental right, and although privacy was protected under the Criminal Code, the Individual Privacy Act 2018 ('Privacy Act') was introduced with the purpose of giving effect to the constitutional right. Anjan Neupane and Saurav Karki, of Neupane Law Associates, provide insight into the key provisions of the Privacy Act, the scope of its application, and the practical implications of its entering into force on 18 September 2018.
The Criminal Code provisions
The Criminal Code has a separate chapter on laws relating to violations of privacy. The Criminal Code criminalises conduct such as the unauthorised tapping of voice conversations, breaches of confidentiality, taking and editing photos of a person without consent, breaches of private information in electronic media, unauthorised searches of body or belongings of a person, and trespassing.
Such violations are considered to be private criminal cases, and the State will not proceed with the case on behalf of the victim. The victim has to file a complaint within three months from the date of the event at the relevant district court. The district court can impose fines of up to NPR 30,000 (approx €230), or imprisonment of up to three years. Further, the victim will also be entitled to compensation.
The Privacy Act
The Privacy Act seeks to ensure the right to privacy of body, residence, property, documents, data, communications data and character of an individual, and outlines how private information held by a public entity will be utilised, along with liabilities for breaches. However, the Privacy Act also duplicates many provisions that are already stipulated in the Criminal Code. Although overlapping laws are not desirable, individuals may choose to file complaints under either of the two laws.
Definition of 'personal information'
The Privacy Act defines the following information as 'personal information':
- Caste, ethnicity, birth, origin, religion, race or marital status;
- Educational qualification;
- Address, telephone or email address;
- Passport number, citizenship number, national identity card number, driving license number, election identity card number, or any other details provided by a public entity;
- Letters sent or received by an individual which state personal information;
- Thumb impressions, palm lines, retina scans, blood type or other biometric information;
- Criminal background and punishment served for any criminal offense; and
- Issues relating to the nature of opinions and views presented by any professional or expert during a procedure to render any judgment in a decision-making process.
This definition is relatively restrictive compared to the approach of the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 1980 ('OECD Guidelines'), and the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
The OECD Guidelines and the GDPR define personal data as any information relating to an identified or identifiable individual. The GDPR lists categories of data that can help to identify the individual, such as name, identification number, location data, online profile and other unique aspects such as the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
In contrast with the OECD Guidelines and the GDPR, Nepal has taken a restrictive approach, as it specifies certain types of personal information without room for wider interpretation.
Coverage of the Privacy Act
Privacy of body, family life, and residence
The Privacy Act provides for the privacy of body and private life of every person. Accordingly, any information related to a person's physical and mental state is inviolable, except in relation to a health examination or an emergency rescue.
The Privacy Act further recognises genetic identity, sexual orientation, sexual life, fertility and other related information as personal information.
Similarly, the right to privacy is broad enough to cover privacy relating to family life, and information relating to the private lives of spouses is inviolable unless any related information is required during court proceedings between them.
In addition, Section 5 of the Privacy Act prohibits the body search of any person without consent unless required for criminal proceedings conducted by a proper authority.
The act of trespassing has also been prohibited under the Privacy Act. No one can enter into a residence of a person without consent. Entering into someone's residence without consent, however, will not amount to a violation at times of disaster management or during an emergency rescue.
Furthermore, the Privacy Act has incorporated a provision criminalising the installation of CCTV in the residence of a person without consent.
Privacy of property and communications data
The Privacy Act provides stronger protections for information related to property owned by an individual. The information related to property of a person is private, and it cannot be disclosed without consent.
Section 13 of the Privacy Act concerns the confidentiality of communication within letters, emails or any other medium of communication between persons, which is also legislated for under the Criminal Code. The Privacy Act criminalises activities such as taking or selling a photo, editing a photo to create new one, merging photographs, or publishing such photographs without the consent of the concerned person.
Having said this, the Privacy Act does provide a margin of consideration to press and media houses, since publication and dissemination of information, data and photos of a person holding or retired from a public office, or of a public figure in the public interest, is not treated as an offence.
Despite this, since the Privacy Act does not define 'public figures,' and amid online media increasingly running amok in Nepal, it will be a challenge to safeguard the privacy of some individuals. Additionally, the media may be faced with frequent challenges to clarify that its coverage is indeed related to the public interest.
Data collection and preservation
In addition to the protection of various private information, Section 12 of the Privacy Act aims at regulating unauthorised and haphazard data collection. Consent is now required before the collection of private information, and even if consent is obtained, the collected data should only be used for the purposes for which it was collected.
The Privacy Act prohibits the collection, storage, preservation, analysis, processing or publication of data without the approval of an authorised person or a person acting under the authority of such a person. However, information can be collected for the purpose of study or research with the permission of the related person.
For the purposes of study, aspects such as the time of information collection, the subject matter of the information, the nature and purpose of included data, the method of information collection and the protection of collected information have to be disclosed to the concerned person beforehand.
This requirement creates added responsibility for online businesses, as they require data collection from users on a regular basis. Further, their increased responsibility will also extend to limitation of data sharing with third parties.
Responsibility of public entities
The Privacy Act puts huge responsibility on public entities to protect and preserve data they control. They are restricted from handing over such data to any other person or entity without the consent of the concerned person.
The Privacy Act has included certain information relating to persons holding a public office as an exception to the aforementioned. This includes information related to identification of the public office where one is employed, contact information relating to the public office, the name and position of a person as stated in a letter or documents issued by a public entity, details of the work executed by such a person, and issues related to the terms and conditions of the service.
Further, the Privacy Act has restricted the processing of sensitive data in the control of a public entity. The following are termed sensitive data:
- Caste, ethnicity and origin of a person;
- Political affiliation;
- Religion of a person;
- Physical or mental health of a person;
- Sexual orientation; and
- Property details.
These data can only be processed during the diagnosis, treatment, and management of public health, and the delivery of health services to a person if such data has been made public by the concerned individual themselves.
An individual has a right to correct information related to them in the public entity if such data are wrong. However, to have such information corrected, the individual should not have received any benefits based on such data.
Offences and filing of complaints
Violation of the Privacy Act is treated as a criminal offence for which criminal proceedings can be initiated, either as a private criminal case or a state party criminal case.
The Government of Nepal can initiate cases on offences relating to activities such as body search without warrant, taking a photograph without consent, espionage, unauthorised use of drones, collection of and making changes to personal information other than by an authorised person or with the approval of the person in question, collection of data without disclosing its purpose, and unauthorised collection of personal information. Recourse for other violations will have to be sought by the individual themselves.
Similarly to the provisions under the Criminal Code, under the Privacy Act an individual can file a complaint at their respective district court within three months of the date of cause for action for the violation of other provisions. The individual is entitled to damages caused by the violation, and the offender is liable for punishment of up to three years' imprisonment, an NPR 30,000 (approx €230) fine, or both, with additional departmental punishment if the offender is a person holding a public office.
Practical implications of the Privacy Act
Overlapping provisions of the Privacy Act and Criminal Code
Firstly, the Criminal Code sets out specific punishment for each offence, whereas the Privacy Act states that violations in general will result in punishment of up to NPR 30,000 (approx €230), imprisonment for up to three years, or both.
For instance, if a person commits an offence relating to the unauthorised search of body or belongings of a person without consent, the offender would be liable for punishment of imprisonment up to one year, a fine of up to NPR 10,000 (€77), or both under the Criminal Code, whereas under the Privacy Act the offender would be liable for imprisonment of up to 3 years, a fine of up to NPR 30,000 (approx €230), or both.
Secondly, the Criminal Code states that all offences provisioned therein are to be filed as private party cases, whereas the Privacy Act states that offences such as a body search without a warrant, and taking a photograph without consent, are to be prosecuted by the State.
These issues will create ambiguities in filing of cases and in seeking specific remedies for violations under the Privacy Act.
Failure to cover emerging data protection issues
There are certain important aspects which the Privacy Act has failed to address. The definition of 'personal data' only incorporates specific forms of data. Under its existing definition, the Privacy Act does not leave any room for a wider interpretation of 'personal data.' For example, while an email address is considered to be personal data, the IP address or even social network profile or website relating to a person will not be considered personal information if such a definition is interpreted in a strict sense.
Importantly, the Privacy Act does not define or specify some of the vital concepts of data protection such as 'controller' and 'processor.' This will add difficulty to data management and related liabilities for breaches in practice.
The Privacy Act provides for the power of the Government to frame necessary rules to clarify aspects of the Privacy Act. It is yet to be seen how far such rules will clear the ambiguities of the Privacy Act, but it can be hoped that they will make way for better implementation of privacy and data protection for individuals in Nepal.