CompanyNP: Corporate Law Firm in Nepal

Data Protection and Privacy Legislation in Nepal

Nepal has made significant progress in establishing a legal framework for data protection and privacy. With the rise of digital transactions, online services, and government digitization programs, understanding privacy legislation in Nepal has become essential for individuals, businesses, and organizations operating within the country. This article covers the key laws, regulations, rights, and obligations related to personal data protection in Nepal.

What Is the Constitutional Basis for Privacy Rights in Nepal?

The Constitution of Nepal, 2072 (2015) is the supreme law of the land. It provides the foundational basis for privacy rights in Nepal.

Article 28 of the Constitution of Nepal explicitly states that every citizen has the right to privacy concerning their person, residence, property, documents, data, correspondence, and character. This constitutional provision makes privacy a fundamental right of every Nepali citizen.

This means that any law, policy, or government action that violates this fundamental right can be legally challenged in the Supreme Court of Nepal through a writ petition under Article 133 of the Constitution.

The constitutional guarantee covers:

  • Privacy of personal information and data
  • Privacy of residence and property
  • Privacy of personal correspondence
  • Privacy of documents and records
  • Character and reputation protection

This constitutional foundation supports all subsequent data privacy laws in Nepal and sets the minimum standard that all legislation must meet.

What Is the Individual Privacy Act, 2075 (2018) in Nepal?

The Individual Privacy Act, 2075 BS (2018 AD) is the primary and dedicated data protection legislation in Nepal. The Parliament of Nepal enacted this law to give practical effect to the fundamental right to privacy guaranteed under Article 28 of the Constitution.

The Act defines private matters broadly. They include:

  • Personal information stored in any form
  • Medical and health-related data
  • Financial information
  • Communications and correspondence
  • Biometric data
  • Sexual orientation and personal relationships
  • Home and family life

Key Provisions of the Individual Privacy Act, 2075

Section 4 of the Act prohibits any person or organization from collecting, storing, processing, or sharing an individual’s private information without their explicit consent.

Section 7 requires that any organization that collects personal data must:

  • Clearly inform the individual about the purpose of data collection
  • Obtain prior consent
  • Use the data only for the stated purpose
  • Store data securely

Section 9 gives individuals the right to access their own personal data held by any organization. This is a key provision in personal data protection in Nepal.

Section 11 provides the right to correction, allowing individuals to demand correction of inaccurate personal data.

Section 13 imposes penalties for unauthorized disclosure of private information, including imprisonment of up to three years or a fine of up to Thirty Thousand Rupees or both.

The full text of the Individual Privacy Act is available through the Nepal Law Commission.

What Does the Electronic Transactions Act, 2063 (2006) Say About Data Protection?

The Electronic Transactions Act, 2063 (2006) is another critical law in the digital data protection framework of Nepal. Although primarily designed to regulate electronic commerce and digital transactions, it contains important provisions related to data security and cybersecurity in Nepal.

Section 44 of the Electronic Transactions Act criminalizes unauthorized access to computer systems and digital records. This provision directly protects personal data stored electronically.

Section 45 addresses computer fraud, while Section 46 penalizes damage to computer data and systems.

Section 47 makes it an offense to publish or transmit obscene or illegal material through electronic means, which has implications for unauthorized sharing of personal data.

Penalties under this Act can include:

  • Imprisonment of up to five years
  • Fines up to One Hundred Thousand Rupees
  • Both imprisonment and fines in serious cases

The Electronic Transactions Act works alongside the Individual Privacy Act to provide a comprehensive legal framework for data protection in Nepal. You can access this Act through the Nepal Telecom Regulatory Authority and the Nepal Law Commission.

What Are the Key Data Protection Laws and Regulations in Nepal?

| Law / Policy | Year | Primary Focus |
|---|---|---|
| Constitution of Nepal, Article 28 | 2015 | Fundamental Right to Privacy |
| Individual Privacy Act, 2075 | 2018 | Personal Data Protection |
| Electronic Transactions Act, 2063 | 2006 | Digital Data Security |
| National Cybersecurity Policy | 2016 | Cybersecurity Framework |
| National ID Card Regulations | 2019 | Biometric Data Governance |
| Banking and Financial Institution Act | 2073 | Financial Data Protection |
| Telecommunications Act, 2053 | 1997 | Telecom Data Regulation |

Nepal does not yet have a comprehensive General Data Protection Regulation (GDPR)-equivalent law. The government has been working on a dedicated Personal Data Protection Bill, which is expected to align Nepal’s framework closer to international standards.

What Is the National Cybersecurity Policy of Nepal?

The Government of Nepal adopted the National Cybersecurity Policy, 2016 to address growing threats to digital infrastructure and online data security in Nepal. The policy establishes a framework for protecting government systems, critical infrastructure, and citizen data.

Key objectives of the National Cybersecurity Policy include:

  • Protecting national digital infrastructure
  • Establishing a Computer Emergency Response Team (CERT-Nepal)
  • Developing cybersecurity human resources
  • Protecting personal data in digital form
  • Promoting cyber hygiene and awareness

CERT-Nepal operates under the Department of Information Technology (DoIT) and handles cybersecurity incidents including data breaches and unauthorized access to personal information. You can learn more at the Department of Information Technology.

How Does Nepal’s National ID System Handle Personal Data?

The National Identity Card (NID) Program managed by the Department of National ID and Civil Registration (DoNIDCR) collects extensive biometric data from Nepali citizens. This includes fingerprints, iris scans, photographs, and personal information.

The National Identity Card and Civil Registration Act, 2076 (2019) governs this program and includes provisions for data security and data use limitations.

Key data protection features of the NID system:

  • Data is stored in a centralized national database
  • Access to biometric data is restricted to authorized government agencies
  • Data sharing with third parties requires legal authorization
  • Citizens have the right to verify their own data

The DoNIDCR operates under the Ministry of Home Affairs. Visit DoNIDCR for official information.

What Are the Rights of Individuals Under Nepal’s Data Protection Laws?

| Right | Legal Basis | Description |
|---|---|---|
| Right to Privacy | Constitution, Article 28 | Fundamental constitutional right |
| Right to Consent | Individual Privacy Act, Section 4 | Data cannot be collected without consent |
| Right to Access | Individual Privacy Act, Section 9 | Right to see personal data held about you |
| Right to Correction | Individual Privacy Act, Section 11 | Right to correct inaccurate data |
| Right to Deletion | Individual Privacy Act | Right to request removal of data |
| Right to Remedy | Individual Privacy Act, Section 13 | Right to seek legal remedy for violations |
| Right to Confidentiality | Multiple Acts | Right against unauthorized disclosure |

These rights apply to data collected by:

  • Government agencies and departments
  • Private companies and businesses
  • Banks and financial institutions
  • Hospitals and health service providers
  • Telecom companies and internet service providers

What Are the Obligations of Organizations Under Nepal’s Data Protection Framework?

Organizations operating in Nepal that collect or process personal data have specific legal obligations under the Individual Privacy Act, 2075 and related laws.

Organizations must:

  • Collect data only with explicit informed consent
  • Use data only for the stated and authorized purpose
  • Store data with adequate security measures
  • Not transfer data to third parties without consent
  • Ensure accuracy and currency of stored data
  • Allow individuals to access and correct their data
  • Report data breaches to relevant authorities

Organizations are prohibited from:

  • Selling personal data to third parties
  • Using data for purposes beyond the original consent
  • Disclosing sensitive personal information without authorization
  • Storing data longer than necessary

Organizations that violate these obligations face criminal and civil penalties under Section 13 of the Individual Privacy Act.

What Are the Penalties for Data Privacy Violations in Nepal?

Nepal’s legal framework prescribes both civil and criminal penalties for data protection violations.

Under the Individual Privacy Act, 2075:

  • Unauthorized disclosure of personal information: Imprisonment up to 3 years or fine up to Rs. 30,000 or both
  • Unauthorized collection of personal data: Similar penalties apply
  • Repeated or aggravated violations: Higher penalties may be imposed

Under the Electronic Transactions Act, 2063:

  • Unauthorized access to computer data: Imprisonment up to 3 years or fine up to Rs. 200,000 or both
  • Computer fraud involving personal data: Imprisonment up to 5 years or fine up to Rs. 1,00,000 or both
  • Damage to computer data: Imprisonment up to 3 years with associated fines

Victims of data privacy violations can:

  • File a complaint with police
  • File a writ petition in the Supreme Court
  • Seek civil damages through the courts
  • Report to the Department of Information Technology

What Are the Gaps in Nepal’s Data Protection Legal Framework?

Nepal’s current data protection regime has several recognized gaps and limitations.

Major gaps include:

  • No independent Data Protection Authority exists yet
  • No mandatory data breach notification requirements
  • No specific regulation for cross-border data transfers
  • Limited regulation of private sector data processing
  • No data localization requirements for multinational companies
  • Absence of sector-specific data protection regulations for healthcare and education
  • Limited enforcement capacity and technical expertise

The government has acknowledged these gaps. The Ministry of Communication and Information Technology (MoCIT) has been working on a comprehensive Personal Data Protection Bill that aims to:

  • Establish an independent regulatory authority
  • Introduce GDPR-aligned data protection standards
  • Regulate cross-border data flows
  • Mandate data breach notifications
  • Introduce data localization requirements for sensitive data

Visit MoCIT for updates on upcoming legislation.

How Does Nepal Approach Cross-Border Data Transfers?

Nepal currently does not have a specific legal framework for cross-border data transfers. The Individual Privacy Act, 2075 does not explicitly address the transfer of personal data outside Nepal’s borders.

However, the general principles of the Act apply, meaning:

  • Data transferred abroad must still have the individual’s consent
  • The original purpose limitation still applies
  • The data controller remains responsible for the data
  • Transferring data to avoid Nepal’s legal protections is not permitted

International companies operating in Nepal must still comply with the Individual Privacy Act when handling data of Nepali citizens, regardless of where the data is processed.

FAQs

Is there a dedicated data protection law in Nepal?

Yes. The Individual Privacy Act, 2075 (2018) is Nepal’s primary data protection law. It establishes rules for collection, storage, use, and disclosure of personal data and prescribes penalties for violations.

What is Article 28 of the Constitution of Nepal?

Article 28 guarantees every Nepali citizen the fundamental right to privacy over their person, property, documents, data, and correspondence. It forms the constitutional basis for all data protection legislation in Nepal.

Who enforces data protection laws in Nepal?

Currently, Nepal does not have a dedicated Data Protection Authority. Enforcement is handled by the courts, police, and the Department of Information Technology under the Ministry of Communication and Information Technology.

Can individuals access their personal data held by organizations?

Yes. Under Section 9 of the Individual Privacy Act, 2075, individuals have the legal right to access personal data that any organization holds about them and request corrections under Section 11.

What penalties apply for unauthorized disclosure of personal data?

The Individual Privacy Act, 2075 prescribes imprisonment of up to three years or a fine of up to Rs. 30,000 or both for unauthorized disclosure or misuse of personal data in Nepal.

Is Nepal planning a new comprehensive data protection law?

Yes. The Ministry of Communication and Information Technology is drafting a comprehensive Personal Data Protection Bill that will introduce stronger protections, cross-border data transfer rules, and establish an independent data protection regulatory authority.
