RA & Associates

Data protection and privacy laws are crucial in safeguarding personal information from unauthorized access, misuse, and exploitation. These laws ensure that individuals retain control over their personal data while also imposing responsibilities on entities handling such data. In Nepal, data protection is primarily governed by constitutional provisions, legislative acts, and regulations that establish a framework for responsible data management.


Legal Framework for Data Protection in Nepal

Nepal’s data protection regime is founded on multiple legal instruments, including:

  • Article 28 of the Constitution of Nepal – Establishes the fundamental right to privacy, ensuring that personal information remains protected.
  • Individual Privacy Act, 2018 (“Privacy Act”) – The principal legislation governing data protection, outlining the rights of individuals and obligations of public bodies concerning personal data.
  • Individual Privacy Regulation, 2020 – Provides further clarity on the implementation of the Privacy Act.
  • Muluki Criminal Code, 2017 – Criminalizes unauthorized collection, disclosure, or misuse of personal data.

Purpose and Scope of the Privacy Act

The enactment of the Privacy Act and its Regulation was aimed at:

1.    Protecting individuals’ privacy concerning their personal, residential, financial, and biometric information.

2.    Regulating the collection, storage, and processing of personal data by public institutions.

3.    Preventing unauthorized disclosure or misuse of personal data, thereby maintaining the dignity and security of individuals.

The Act covers all aspects of personal data handling within Nepal, including electronic data protection. However, it does not explicitly provide for extraterritorial jurisdiction, leaving ambiguity about its applicability to foreign entities processing Nepali citizens’ data without a local presence.

Definition of Personal Information

Under the Privacy Act, personal information encompasses:

  • Identifiers such as name, caste, ethnicity, date of birth, and marital status.
  • Contact details including addresses, phone numbers, and email IDs.
  • Government-issued identity numbers (e.g., citizenship certificate, passport, voter ID, driving license).
  • Biometric data (e.g., fingerprints, retina scans, blood type).
  • Criminal records and professional opinions affecting an individual.

A subset of personal data, termed Sensitive Personal Information, includes details related to an individual’s health, political affiliations, religious beliefs, financial status, and sexual orientation. The regulation of such data is more stringent compared to general personal information.

Collection and Processing of Personal Data

Data collection in Nepal is highly regulated. Only an Authorized Person, designated by law, may collect, store, or process personal data. Before collecting data, individuals must be informed about:

  • The nature, purpose, and method of data collection.
  • The duration for which data will be retained.
  • Measures taken to ensure confidentiality and security.

Consent is a fundamental requirement for data collection, barring exceptional circumstances such as:

  • Legal mandates requiring data collection.
  • Criminal investigations and court orders.
  • National security concerns.

Entities processing personal data must ensure that the data is used only for the specified purpose and is not misused in a manner that could harm the individual’s personal life.

Data Retention and Security Obligations

While the Privacy Act mandates that public entities secure collected data against unauthorized access, it does not specify a retention period, leading to ambiguity in long-term data storage practices. The absence of explicit retention policies raises concerns about indefinite data storage and potential misuse.

Restrictions on Data Transfer

Nepalese law places strict conditions on the transfer of personal data to third parties. Consent from the data subject is generally required before sharing personal data, particularly in cases involving:

  • Health records
  • Financial information
  • Employment history
  • Biometric data
  • Political and election-related information

Despite these restrictions, the law does not comprehensively address cross-border data transfers, leaving room for interpretation on how international data-sharing arrangements should be handled.

Responsibilities of Public Entities

Public institutions are mandated to:

  • Protect personal data under their control from unauthorized access, modification, or dissemination.
  • Rectify inaccurate personal information if substantiated with evidence.
  • Ensure that sensitive data is not processed unless necessary for medical, emergency, or legal reasons.

The Act also grants individuals the right to:

1.    Access their personal data and understand how it is being used.

2.    Request rectification of incorrect or misleading data.

3.    Restrict processing of their data under certain conditions.

Absence of a Central Data Protection Authority

Unlike global data protection frameworks such as the EU’s General Data Protection Regulation (GDPR), Nepal lacks a dedicated regulatory body to oversee data protection compliance. This regulatory gap creates challenges in enforcing privacy laws and addressing grievances related to data breaches.

Legal Consequences of Data Breach

Violations of data protection laws in Nepal can lead to criminal penalties. Unlawful collection, disclosure, or processing of personal data may result in imprisonment for up to three years, a fine of up to NPR 30,000, or both. Additionally, individuals suffering harm from a data breach may seek compensation through legal proceedings.

Conclusion and Way Forward

Nepal’s data protection laws provide a foundational framework for safeguarding personal information, but significant gaps remain. The lack of specific regulations on data retention, cross-border data transfers, and the absence of a dedicated regulatory authority hinder the effective enforcement of privacy rights. As digital transformation continues, Nepal should consider strengthening its data protection laws by:

1.    Establishing a Data Protection Authority to oversee compliance and enforcement.

2.    Introducing clear data retention policies to prevent indefinite storage.

3.    Addressing extraterritorial applicability to regulate foreign entities processing Nepali citizens’ data.

4.    Implementing robust cross-border data transfer regulations aligned with international best practices.

By addressing these gaps, Nepal can create a more secure and transparent data protection ecosystem that aligns with global standards while safeguarding the privacy rights of its citizens.