

Data protection and privacy laws govern how personal information can be collected, stored, processed, and shared, with the aim of protecting individuals' privacy by ensuring their data is handled responsibly and securely. With increasing digitalization and data-driven activities, understanding data protection and privacy law in Nepal has become essential for businesses, public bodies, and individuals to ensure compliance and protect fundamental privacy rights. This guide covers the legal framework, personal information definitions, collection requirements, transfer restrictions, rights of individuals, penalties, and current gaps in Nepal's data protection regime.
Constitutional Foundation
Article 28 of the Constitution of Nepal 2015 (2072) recognizes the right to privacy as a fundamental right. It treats the privacy of a person's body, residence, property, documents, records, statistics, correspondence, and reputation as inviolable. This fundamental right forms the basis for all data protection legislation in Nepal.
Legal Framework
Data protection and privacy in Nepal are governed by specific legislation enacted to give effect to constitutional privacy rights.
| Legislation | Year | Purpose |
|---|---|---|
| Constitution of Nepal | 2072 (2015) | Fundamental right to privacy under Article 28 |
| Individual Privacy Act | 2075 (2018) | Primary law governing data protection and privacy |
| Individual Privacy Regulation | 2077 (2020) | Detailed implementation procedures |
| National Penal (Code) Act | 2074 (2017) | Criminal offences against privacy |
Objectives of the Individual Privacy Act
The Individual Privacy Act 2075 was enacted with specific objectives to protect personal information:
- Give effect to the constitutional right to privacy on matters relating to body, residence, property, document, data, correspondence, and character
- Manage the protection and safe use of personal information held by public bodies or institutions
- Prevent encroachment on the privacy of every person
Scope of Protection
The Act protects the privacy of individuals in the following matters:
- Property
- Documents
- Data
- Correspondence
- Character
- Personal information in electronic means
- Sensitive data
Definition of Personal Information
The Act defines personal information comprehensively, though with a narrower scope compared to international standards like GDPR.
| Category | Examples |
|---|---|
| Identity Information | Caste, ethnicity, birth, origin, religion, color, marital status |
| Educational Information | Education or academic qualifications |
| Contact Information | Address, telephone, email address |
| Official Documents | Passport, citizenship certificate, national ID, driving license, voter ID |
| Correspondence | Letters sent or received containing personal information |
| Biometric Information | Thumb impressions, fingerprints, retina, blood group |
| Criminal Records | Criminal background, sentences imposed, service of sentence |
| Professional Opinions | Views expressed by professionals or experts in decision processes |
Sensitive Personal Information
Section 27(2) of the Act defines sensitive personal information as data revealing:
- Caste, ethnicity, or origin
- Political affiliation
- Religious faith or belief
- Physical or mental health
- Sexual orientation or events relating to sexual life
- Details relating to property
Public entities are prohibited from processing sensitive information unless required for diagnosis, treatment, health service delivery, or emergency rescue, or if the individual makes such information public themselves.
Collection of Personal Information
The Act permits only officials authorized under law ("Authorized Person") or persons permitted by such officials to collect, store, protect, analyze, process, or publish personal information.
Requirements for Collection
Before collecting personal information, the Authorized Person must:
- Fully inform the individual regarding the purpose of collection
- Obtain consent from the individual
Mandatory Disclosures During Collection
| S.N. | Information to be Disclosed |
|---|---|
| 1 | Time of collecting information |
| 2 | Content of information |
| 3 | Nature of information |
| 4 | Objective of collecting information |
| 5 | Method and process of testing information |
| 6 | Certainty of maintaining privacy of collected information |
| 7 | Matters regarding protection of collected information |
Lawful Purposes for Collection
Personal information may be collected for the following purposes:
- When the Authorized body is required to collect under existing law
- For investigation, prosecution of criminal offences, or court proceedings
- When the person holds or is about to hold a post in a body corporate or public body
- For maintaining national security or peace and order
Consent Requirements
Consent is fundamental to data collection and processing under Nepali law. Special consent requirements apply for certain categories of individuals.
| Category | Consent Requirement |
|---|---|
| Adults | Direct consent from the individual |
| Minors (below 18 years) | Consent of guardian or curator |
| Persons of unsound mind | Consent of guardian or curator |
| Intellectually disabled persons | Consent of guardian or curator |
Transfer of Data
While the Act does not explicitly regulate data transfers, it prohibits disclosing or transferring personal data without obtaining consent from the individual. The following data cannot be provided to third parties or published without consent:
- Details relating to health examination
- Details relating to property and income generation
- Details relating to employment
- Details relating to family matters
- Biometric details and thumb impression
- Signature or electronic signature
- Details relating to political affiliation and election
- Details relating to business or transaction
Disclosure of Physical and Mental Condition
Privacy of physical and mental condition is protected, but disclosure is permitted in the following circumstances:
- With consent of the person concerned
- A matter the person has already made public of their own will
- Investigation in the course of any offence by investigating or prosecuting official
- Required for obtaining any facility or concession related to physical condition
Responsibilities of Authorized Bodies
The Act imposes obligations on authorized bodies for protecting personal information.
| Obligation | Description |
|---|---|
| Protection | Make appropriate arrangements against unauthorized access to personal information |
| Security | Protect against unauthorized use, change, disclosure, publication, or transmission |
| Purpose Limitation | Use information only for the purpose for which it was collected |
| Rectification | Correct information upon application with sufficient evidence |
| Non-disclosure | Cannot transfer or disclose to third parties without consent |
Rights of Individuals
The Act provides certain rights to individuals regarding their personal information.
Right of Access and Being Informed
Individuals have the right to be informed about the subject matter of collected information and the purpose of collection. They can confirm whether necessary arrangements have been made against unauthorized access or misuse.
Right of Rectification
If personal information held by any public entity is wrong or not based on fact, individuals have the right to file an application to correct such information. However, this right cannot be exercised after taking advantage of facilities based on the incorrect information.
Criminal Offences Against Privacy
The National Penal Code 2074 establishes criminal offences against privacy:
- Listening to or recording others' conversation without consent
- Divulging confidential matters
- Taking or disfiguring photographs without consent
- Selling photographs to others without consent
- Opening letters or tapping telephone conversations
- Deceitfully making telephone calls or transmitting messages
- Breaching privacy through electronic means
- Unauthorized search of any person's body
- Unauthorized entry into residence
Penalties for Violations
Violations of the Individual Privacy Act attract significant penalties.
| Violation | Penalty |
|---|---|
| Offences under the Act | Imprisonment up to 3 years and/or fine up to NPR 30,000 |
| Causing damage, loss, or injury | Compensation to victim as determined by court |
Complaint Mechanism
If any conduct violates the Act, the aggrieved party can file a complaint with the concerned District Court. The complaint must be made within 3 months from the date of commission of such act. The aggrieved party can initiate criminal proceedings either as a private party or through the state for violating Act provisions.
Regulatory Authority
Currently, Nepal does not have a dedicated data protection authority or regulatory body responsible for administration and enforcement of privacy matters. The Act provides for establishment of a National Data Office for acting as a central data bank, but this office has not been empowered as a regulatory agency.
Territorial Scope
The Privacy Act does not explicitly address applicability to foreign entities lacking physical presence in Nepal but engaging in collection, use, or processing of personal information of Nepali citizens or residents. When strictly interpreted, the Act appears to lack extraterritorial applicability and is restricted to entities registered in or operating within Nepal.
Landmark Supreme Court Decisions
The Supreme Court of Nepal has issued important rulings on data protection and privacy.
Baburam Aryal v. Government of Nepal (N.K.P. 2074, 25)
The Supreme Court held that the right to privacy is a fundamental right that may not be violated by the State or third parties. Organizations collecting information must protect such "data bank" at any cost and must not allow unauthorized access even as an exception without clear legal basis.
Sapana Pradhan Malla v. Office of Prime Minister (N.K.P. 2064, 1208)
The Court held that information relating to a person may be shared with third parties only in cases where prior consent from the concerned person has been obtained.
Roshani Poudel v. Office of Prime Minister (N.K.P. 2077, 1232)
The Court ruled that disclosure of personal information except for specific and legal purposes violates the right against exploitation, right to privacy, right to live with dignity, and right to non-discrimination on the basis of health.
Current Gaps in Data Protection Law
Nepal's data protection framework has several limitations that need to be addressed:
- No Extraterritorial Jurisdiction: Foreign entities processing Nepali citizens' data are not covered
- No Regulatory Authority: Absence of dedicated data protection regulator
- No Breach Notification: No obligation to notify data subjects or authorities of data breaches
- Limited Individual Rights: No right to erasure (right to be forgotten), data portability, or right to object
- No Data Processor/Controller Duties: Lack of specific provisions for processors and controllers
- Weak Compensation Mechanism: Insufficient provisions for compensating data breach victims
Frequently Asked Questions
| Legislation | Year | Purpose |
|---|---|---|
| Constitution of Nepal (Article 28) | 2015 | Fundamental right to privacy |
| Individual Privacy Act | 2075 (2018) | Primary data protection law |
| Individual Privacy Regulation | 2077 (2020) | Implementation procedures |
| National Penal Code | 2074 (2017) | Criminal offences against privacy |
Personal information includes:
- Caste, ethnicity, birth, origin, religion, color, marital status
- Education and academic qualifications
- Address, telephone, email
- Passport, citizenship, national ID, driving license, voter ID
- Letters containing personal information
- Biometric data (fingerprints, retina, blood group)
- Criminal background and sentences
- Professional opinions in decision processes
Sensitive personal information reveals:
- Caste, ethnicity, or origin
- Political affiliation
- Religious faith or belief
- Physical or mental health
- Sexual orientation or events relating to sexual life
- Details relating to property
Processing of sensitive data is restricted to health services, emergency rescue, or when made public by the individual.
Only officials authorized under law ("Authorized Person") or persons permitted by such officials can collect, store, protect, analyze, process, or publish personal information. Collection requires:
- Full disclosure of purpose
- Consent from the individual
| S.N. | Required Disclosure |
|---|---|
| 1 | Time of collection |
| 2 | Content of information |
| 3 | Nature of information |
| 4 | Objective of collection |
| 5 | Method and process of testing |
| 6 | Certainty of maintaining privacy |
| 7 | Protection arrangements |
| Category | Consent Required From |
|---|---|
| Minors (below 18 years) | Guardian or curator |
| Persons of unsound mind | Guardian or curator |
| Intellectually disabled persons | Guardian or curator |
Prohibited transfers without consent:
- Health examination details
- Property and income details
- Employment details
- Family matters
- Biometric details and thumb impression
- Signature or electronic signature
- Political affiliation and election details
- Business or transaction details
| Violation | Penalty |
|---|---|
| Offences under the Act | Imprisonment up to 3 years and/or fine up to NPR 30,000 |
| Causing damage/loss | Compensation as determined by court |
Complaint mechanism:
- File complaint with concerned District Court
- Must be filed within 3 months from date of violation
- Can be initiated as private party or through state
- Compensation can be claimed for damage, loss, or pain
No, Nepal currently does not have a dedicated data protection authority or regulatory body. The Act provides for a National Data Office as a central data bank, but it has not been empowered as a regulatory agency. District Courts serve as the only complaint hearing authority.
| Obligation | Description |
|---|---|
| Protection | Prevent unauthorized access |
| Security | Prevent unauthorized use, change, disclosure |
| Purpose Limitation | Use only for stated purpose |
| Rectification | Correct information upon application |
| Non-disclosure | No third-party transfer without consent |
Individual rights under the Act:
- Right of Access: Know what information is collected and why
- Right to be Informed: Know about privacy arrangements
- Right of Rectification: Request correction of wrong information
Note: Rights like erasure (right to be forgotten), data portability, and right to object are not provided.
The Act does not explicitly address extraterritorial applicability. Strictly interpreted, it appears limited to entities registered in or operating within Nepal. Foreign entities without physical presence in Nepal collecting Nepali citizens' data may not be covered.
Criminal offences under National Penal Code:
- Recording others' conversation without consent
- Divulging confidential matters
- Taking/disfiguring photographs without consent
- Opening letters or tapping phone calls
- Deceitfully making calls or transmitting messages
- Breaching privacy through electronic means
- Unauthorized body search
- Unauthorized entry into residence
Current limitations:
| Gap | Description |
|---|---|
| Extraterritorial Scope | Foreign entities not covered |
| Regulatory Authority | No dedicated data protection regulator |
| Breach Notification | No obligation to notify breaches |
| Individual Rights | No erasure, portability, or objection rights |
| Processor/Controller Duties | No specific provisions |
| Compensation | Weak mechanism for victims |

