Data Protection and Privacy Legislation in Nepal

Data protection and privacy laws regulate how personal data is collected, stored, processed, and shared, with the primary goal of safeguarding individuals’ privacy. These laws ensure that data is handled lawfully, securely, and with consent—granting individuals the right to access, correct, or delete their personal information.

This article provides a concise overview of data protection regulations in Nepal.

1. Governing Laws

• Article 28 – Right to Privacy, Constitution of Nepal

• Individual Privacy Act, 2018

• Individual Privacy Regulation, 2020

• Muluki Criminal Code, 2017

Background of the Laws

The Act and Regulation were enacted to:

• Enforce the constitutional right to privacy concerning personal matters—body, residence, property, documents, data, correspondence, and character.

• Ensure secure handling of personal data by public institutions.

• Prevent unauthorized invasion of individual privacy.

2. Scope of the Act

The Act seeks to protect the fundamental right to privacy of all individuals. It covers:

• Physical, familial, residential, and property privacy

• Privacy of correspondence, character, and biometric data

• Electronic data, including sensitive information

The law imposes responsibilities on public bodies that collect, use, or have access to personal information.

3. Applicability of the Act

The law applies to the collection, storage, use, analysis, and processing of personal data of individuals residing in Nepal or located in Nepal. However, it does not clearly define extra-territorial applicability, particularly in regard to foreign entities without a physical presence in Nepal.

4. Definition of Personal Information

“Personal Information” includes:

• Identity and demographic data (e.g., caste, ethnicity, religion, marital status)

• Academic, contact, and biometric details

• Government-issued identifiers (e.g., passport, citizenship, national ID)

• Health, financial, criminal, and professional records

• Opinions expressed by experts in decision-making contexts

The definition is narrower than the EU General Data Protection Regulation (GDPR), which recognizes any data that can directly or indirectly identify a person as personal information.

Sensitive Personal Information includes data revealing caste, ethnicity, political beliefs, religious views, health, sexual orientation, and property-related details.

5. Collection of Personal Information

Only an Authorized Person (designated by law) or someone permitted by them may collect or process personal data. They must:

• Inform the individual about the purpose of data collection

• Obtain explicit consent

The following must be disclosed to the data subject:

• Time and method of data collection

• Type and purpose of data

• Process for verification and privacy assurances

• Security measures in place for protecting the data

6. Processing and Use of Personal Information

Processing is permitted only for the stated purpose and with the data subject’s consent. Misuse of data to defame, insult, or invade an individual’s private life is prohibited.

Public entities must prevent:

• Unauthorized access

• Improper use or alteration

• Disclosure or publication without consent

Consent of guardians is required for minors or persons of unsound mind. However, data may be processed without consent:

• If authorized by law

• During criminal investigations or by court order

• For national security, public safety, or law enforcement purposes

Sensitive personal data can only be processed for healthcare services or if the individual has made it public.

7. Retention of Data

Although the Act assigns responsibility for storing and protecting personal data, it does not specify clear guidelines on data retention duration or procedures.

8. Data Transfer

The law does not provide comprehensive rules on data transfer. However:

• Consent is mandatory for any transfer to a third party

• The following cannot be transferred without consent:

  • Health records

  • Financial/property details

  • Employment and family information

  • Biometric and signature data

  • Political or transactional data

9. Duties of Public Entities

Public institutions must:

• Safeguard personal data they collect or manage

• Avoid unauthorized disclosure or sharing

• Prevent illegal processing of sensitive data

• Rectify incorrect data upon receiving valid evidence—before any benefit has been derived from the inaccurate data

10. Rights of Individuals

10.1 Right to Information and Access
Individuals have the right to be informed about:

• The nature, purpose, and method of data collection

• How their data is stored and protected

• The safeguards against unauthorized access

10.2 Right to Rectification
If data held by a public entity is incorrect, individuals can request correction by submitting evidence. This must be done before benefiting from the information.

10.3 Right to Restriction
The Act lacks clear provisions for restricting data processing once consent has been given.

11. Data Protection Authority

The law does not establish a central data protection authority or regulator. There is currently no dedicated body to oversee enforcement or handle data-related complaints.

12. Data Breaches and Legal Consequences

Violation of privacy is a criminal offence in Nepal. Offenders may be prosecuted by either the affected individual or the state.

Prohibited acts include:

• Collecting personal data without authorization

• Failing to state the purpose of collection

• Disclosing or publishing personal information without consent

Penalties include:

• Imprisonment up to 3 years

• Fines up to NPR 30,000

• Compensation for damages, losses, or suffering caused to the individual

Disclaimer: This article is for general informational purposes only. It should not be interpreted as legal advice, solicitation, or communication from any legal firm or its members. The firm assumes no liability for actions taken based on the information provided herein.