Data Protection in Nepal
Data protection laws in Nepal
- Individual Privacy Act, 2018 (2075) (“Privacy Act”)
- Individual Privacy Regulation, 2020 (2077) (“Privacy Regulation”)
- National Penal Code, 2017 (2074) (“Penal Code”)
- Advertisement Act, 2019 (2076) (“Advertisement Act”)
- Advertisement Regulation, 2020 (2076) (“Advertisement Regulation”)
- National Broadcasting Regulation, 1995 (2052) (“National Broadcasting Regulation”)
- Data Center and Cloud Service (Operation and Management) Directives, 2025 (2081) (“Data Center and Cloud Service Directives”)
- E-commerce Act, 2025 (2081) (“E-commerce Act”)
- Payment Systems-Related Unified Directives, 2025 (“Payment Systems-Related Unified Directives”)
Definitions in Nepal
Definition of Personal Data
The Privacy Act defines "personal information" as the following information relating to any person:
- his or her caste, ethnicity, birth, origin, religion, color or marital status;
- his or her education or academic qualification;
- his or her address, telephone or address of electronic letter (email);
- his or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body;
- a letter sent or received by him or her to or from anybody mentioning personal information;
- his or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information;
- his or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence;
- matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.
Definition of Sensitive Personal Data
The Privacy Act lists the following information as “sensitive information”:
- his or her caste, ethnicity or origin;
- political affiliation;
- religious faith or belief;
- physical or mental health or condition;
- sexual orientation or events relating to sexual life;
- details relating to property.
Collection and processing in Nepal
The Privacy Act prohibits the processing of sensitive information. However, sensitive information may nonetheless be processed in the following circumstances:
- in the course of alleviation of disease, public health protection, disease identification, health treatment, management of health institution and providing health service by the health worker, without insulting or letting the concerned person feel inferior;
- if the concerned person has published the information himself or herself.
The revised Draft Information Technology and Cyber Security Bill, 2024 (“IT Bill”), which is yet to be passed and made into law by the Parliament, has also added provisions relating to privacy (Section 80). It states that personal details collected from an individual in an information technology system shall not be used, disseminated, or exchanged for any purposes other than the disclosed purpose without the consent of the data subject. It also stipulates that personal information collected and stored for a specific purpose shall be destroyed, with assurance to the data subject, within 30 days after fulfillment of that purpose. Violation of this provision will result in a fine of up to NPR 5,00,000, or three years of imprisonment, or both.
Transfer of personal data in Nepal
The Data Center and Cloud Service Directives state, in their preamble, the aim of encouraging the secure and confidential storage, within the country, of data generated by the government and the public and private sectors through the use of information technology.
Data center and cloud service providers are required to be listed with the Department of Information Technology before providing their services. The Directives also require data center and cloud service recipients to procure services only from providers listed with the Department of Information Technology.
This is also reflected in the Payment Systems-Related Unified Directives, whereby licensed payment institutions may only host their data centers with entities officially listed by the Department of Information Technology to operate as a data center, and are required to verify whether their existing data centers have been listed within the timeframe specified in the Data Center and Cloud Service Directive.
Security in Nepal
Collected data may only be used for the purpose for which it was collected. Further, the Privacy Act obliges the public body holding the collected information to make appropriate arrangements for its protection.
Pursuant to the Data Center and Cloud Service Directives, data center and cloud service providers are required to:
- adopt necessary security standards and arrangements to ensure security and continuity of data;
- control unauthorized access and use;
- appoint a compliance officer; and
- conduct an annual infrastructure security audit, among other requirements.
Breach notification in Nepal
Certain offences under the Privacy Act, and all offences under the IT Bill and the Social Media Bill, are state-party offences listed under Schedule-1 of the National Criminal Procedure Code, 2017 (“NCP”). Pursuant to Section 4 of the NCP, anyone aware of a Schedule-1 offence must file a First Information Report (FIR) which may be submitted in written, verbal, or electronic form and should include any available evidence, with the prescribed format under Schedule-5 of the NCP. The obligation to notify a breach is also mandated by Section 96 of the National Penal Code, 2017 which states that a person under the legal duty to provide information regarding an offence when aware that such an offence has been committed, shall provide the concerned authority with such information.
The Data Center and Cloud Service Directives also require service recipients to inform the data center and cloud service provider in case of unauthorized access to their system, and to notify the National Cyber Security Center if a forensic investigation is deemed necessary for the same.
Enforcement in Nepal
As aforementioned, the prevailing laws have not designated a Data Protection Authority. Nonetheless, the Privacy Act and the Criminal Code provide a complaint mechanism.
A complaint of an offence under the Privacy Act is processed either by the concerned person filing a complaint at the concerned district court or by filing an FIR at the relevant police office. In the latter case, the concerned police office, through the government attorney's office, files a charge sheet in the concerned district court. Whether the complaint is filed directly at the district court or at the police office is determined by the nature of the offence. For an offence under the Criminal Code, the FIR process described above is followed.
See Collection and processing and Online privacy for details of fines for specific violations.
Electronic marketing in Nepal
The matters related to marketing are regulated by the Advertisement Act and Advertisement Regulation. The definition as provided under the Advertisement Act also includes inter alia advertisement done through electronic medium, online or social media.
An advertisement-oriented SMS or email cannot be sent to any person without obtaining the said concerned person’s consent.
Online privacy in Nepal
Every person has the right to privacy in terms of data available in electronic means. Such data cannot be used or shared without the consent of the concerned person.
In relation to the cookies and location data, there is no exclusive provision for it. However, if a data subject’s personal information or location data is collected using cookies or otherwise, the concerned entity must adhere to the Privacy Act; and such information must be used for the same purpose as it was collected for.
The Directives for Managing the Use of Social Networks, 2023 (“Social Network Directives”) prohibit users from breaching personal privacy, including editing, publishing, or broadcasting private photographs and videos without permission, except for content of a public nature. Violation of the Social Network Directives may lead to penalties under the Electronic Transactions Act, 2008, including a fine of up to NPR 50,000, imprisonment for up to six months, or both, depending on the severity of the offence.
The E-commerce Act requires e-commerce businesses to maintain the privacy of personal information or personally identifiable information in relation to e-commerce transactions. Such information must not be disclosed to anyone, or utilized by the business itself, except in accordance with the prevailing laws. This restriction does not prevent the exchange of transaction-related information between the buyer, the business, or the delivery person involved in the purchase and sale of the goods/services as per the contract. Businesses are also required to provide users with the facility to access the platform to input or amend personal information, or deactivate sources that identify them.