
Data Protection in Nepal
Data protection laws in Nepal
- Individual Privacy Act, 2018 (2075) (“Privacy Act”)
- Individual Privacy Regulation, 2020 (2077) (“Privacy Regulation”)
- National Penal Code, 2017 (2074) (“Penal Code”)
- Advertisement Act, 2019 (2076) (“Advertisement Act”)
- Advertisement Regulation, 2020 (2076) (“Advertisement Regulation”)
- National Broadcasting Regulation 1995 (2052) (“National Broadcasting Regulation”)
Definitions in Nepal
Definition of Personal Data
The Privacy Act defines "personal information" as the following information related to any person:
- his or her caste, ethnicity, birth, origin, religion, color or marital status;
- his or her education or academic qualification;
- his or her address, telephone or address of electronic letter (email);
- his or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body;
- a letter sent or received by him or her to or from anybody mentioning personal information;
- his or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information;
- his or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence;
- matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.
Definition of Sensitive Personal Data
The Privacy Act lists the following information as “sensitive information”:
- his or her caste, ethnicity or origin;
- political affiliation;
- religious faith or belief;
- physical or mental health or condition;
- sexual orientation or event relating to sexual life;
- details relating to property.
National data protection authority in Nepal
Not applicable.
Registration in Nepal
Not applicable.
Data protection officers in Nepal
Not applicable.
Collection and processing in Nepal
Collection
The collection of data by any public body or body corporate is allowed with the consent of the concerned person. In addition, the Privacy Act contains an exclusive provision on the collection of data: no one except an official authorized under law, or a person permitted by such an official, shall collect, store, protect, analyze, process or publish the personal information of any person. An officer authorized under the law means an official who has been authorized by other laws to collect the information, such as an investigating authority or a civil service officer collecting prescribed information.
Processing
The Privacy Act prohibits the processing of sensitive information. However, sensitive information can be processed in the following circumstances:
- in the course of alleviation of disease, public health protection, disease identification, health treatment, management of health institution and providing health service by the health worker, without insulting or letting the concerned person feel inferior;
- if the concerned person has published the information himself or herself.
The revised Draft Information Technology and Cyber Security Bill, 2024 (“IT Bill”), which is yet to be passed and made into law by the Parliament, has also added provisions relating to privacy (Section 80). It states that personal details collected from an individual in an information technology system shall not be used, disseminated, or exchanged for any purpose other than the disclosed purpose without the consent of the data subject. It also stipulates that personal information collected and stored for a specific purpose shall be destroyed, with assurance to the data subject, within 30 days after fulfillment of that purpose. Violation of this provision is punishable by a fine of up to NPR 5,00,000, three years of imprisonment, or both.
Transfer in Nepal
The 11th amendment to the National Broadcasting Regulation, effective from 3rd March 2022, mandates Over the Top ("OTT") service providers to store their customer data on servers in Nepal. This requirement extends only to OTT service providers, and the regulation defines OTT as “the service of delivering any program according to the consumer's demand through the internet and without the use of cable or satellite television, and the term also refers to media streaming services on other platforms via the internet.” However, the National Broadcasting Regulation is silent on the methods, procedure or requirements for the transfer of such data outside Nepal.
Furthermore, if the Information Technology Bill, 2019 (2075) (which is currently tabled in the parliament of Nepal) is implemented in its current form, the export outside Nepal of prescribed data held by governmental, public, financial, and health-related authorities would be prohibited. In addition, the Bill to amend the Record Protection Act 1989 (2046) would prohibit the export of records of national importance outside Nepal.
Breach notification in Nepal
Certain offenses under the Privacy Act, and all offenses under the IT Bill and the Social Media Bill, are state-party offenses listed under Schedule-1 of the National Criminal Procedure Code, 2017 (“NCP”). Pursuant to Section 4 of the NCP, anyone aware of a Schedule-1 offense must file a First Information Report (FIR), which may be submitted in written, verbal, or electronic form and should include any available evidence, in the format prescribed under Schedule-5 of the NCP. The obligation to notify a breach is also mandated by Section 96 of the National Penal Code, 2017, which states that a person under a legal duty to provide information regarding an offence, when aware that such an offense has been committed, shall provide the concerned authority with such information.
Enforcement in Nepal
As mentioned above, the prevailing laws have not designated a Data Protection Authority. Nonetheless, the Privacy Act and Criminal Code provide a complaint mechanism.
A complaint of an offense under the Privacy Act is processed either by the concerned person filing a plaint at the concerned district court or by filing an FIR at the relevant police office. In the latter case, the concerned police office, through the government office, files a charge sheet in the concerned district court. Whether a complaint is filed directly at the concerned district court or at the police office is determined by the nature of the offense. For an offense under the Criminal Code, the FIR process described above is adopted.
Electronic marketing in Nepal
The matters related to marketing are regulated by the Advertisement Act and Advertisement Regulation. The definition as provided under the Advertisement Act also includes inter alia advertisement done through electronic medium, online or social media.
Advertisement-oriented SMS or email cannot be sent to any person without obtaining that person’s consent.
Online privacy in Nepal
Every person has the right to privacy in terms of data available in electronic means. Such data cannot be used or shared without the consent of the concerned person. There is no exclusive provision for cookies and location data. However, if a data subject’s personal information or location data is collected using cookies or otherwise, the concerned entity must adhere to the Privacy Act, and such information must be used for the same purpose for which it was collected.
The Directives for Managing the Use of Social Networks, 2023 (“Social Network Directives”) prohibits users from breaching personal privacy, including editing, publishing, or broadcasting private photographs and videos without permission, except for content of a public nature. Violation of the Social Network Directives may lead to penalties under the Electronic Transactions Act, 2008, including a fine of up to NPR 50,000, imprisonment for up to six months, or both, depending on the severity of the offense.
The Social Media (Use and Regulation) Management Bill, 2024 (“Social Media Bill”) has received approval from the council of ministers and may either be introduced via ordinance or be tabled in the Parliament. Section 16 of the Social Media Bill mandates social media platforms to adopt necessary security measures to safeguard the privacy of users’ personal information and ensure that such information is not publicly disclosed or used for any other purpose. Any social media platform acting in contravention of this requirement may be subject to a fine of up to NPR 10,00,000.
Section 42 of the Social Media Bill prohibits use of social media to breach a person’s privacy, including privacy of life, family, residence, property, documents, data, correspondence, or information. A person committing an offense under this section shall be referred to the concerned authority for further investigation and punishment in accordance with the prevailing law.