- Individual Privacy Act, 2018 (2075) (“Privacy Act”)
- Individual Privacy Regulation, 2020 (2077) (“Privacy Regulation”)
- National Penal Code, 2017 (2074) (“Penal Code”)
- Advertisement Act, 2019 (2076) (“Advertisement Act”)
- Advertisement Regulation, 2020 (2076) (“Advertisement Regulation”)
- National Broadcasting Regulation 1995 (2052) (“National Broadcasting Regulation”)
Definition of Personal Data
The Privacy Act defines "personal information" as the following information related to any person:
- his or her caste, ethnicity, birth, origin, religion, color or marital status;
- his or her education or academic qualification;
- his or her address, telephone or address of electronic letter (email);
- his or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body;
- a letter sent or received by him or her to or from anybody mentioning personal information;
- his or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information;
- his or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence;
- matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.
Definition of Sensitive Personal Data
The Privacy Act lists the following information as “sensitive information”:
- his or her caste, ethnicity or origin;
- political affiliation;
- religious faith or belief;
- physical or mental health or condition;
- sexual orientation or event relating to sexual life;
- details relating to property.
The collection of data by any public body or body corporate is allowed with the consent of the concerned person. In addition, the Privacy Act contains an exclusive provision on the collection of data: no one except an official authorized under law, or a person permitted by such an official, shall collect, store, protect, analyze, process or publish the personal information of any person. An "official authorized under law" means an official who has been authorized by other laws to collect information, such as an investigating authority or a civil service officer collecting prescribed information.
The Privacy Act prohibits the processing of sensitive information. However, sensitive information may be processed in the following circumstances:
- in the course of alleviation of disease, public health protection, disease identification, health treatment, management of health institution and providing health service by the health worker, without insulting or letting the concerned person feel inferior;
- if the concerned person has published the information himself or herself.
The 11th amendment to the National Broadcasting Regulation, effective from 3rd March 2022, mandates Over the Top ("OTT") service providers to store their customer data on servers within Nepal. This requirement extends only to OTT service providers, and the regulation defines OTT as “the service of delivering any program according to the consumer's demand through the internet and without the use of cable or satellite television, and the term also refers to media streaming services on other platforms via the internet.” However, the National Broadcasting Regulation is silent on the methods, procedures or requirements for the transfer of such data outside Nepal.
Furthermore, if the Information Technology Bill, 2019 (2075) (which is currently tabled in the parliament of Nepal) is implemented in its current form, the export outside Nepal of prescribed data held by governmental, public, financial, and health-related authorities would be prohibited. In addition, the Bill to amend the Record Protection Act 1989 (2046) would prohibit the export of records of national importance outside Nepal.
The collected data should only be used for the purpose for which such data have been collected. Further, the Privacy Act obligates the public body that holds the collected information to make appropriate arrangements for its protection.
As aforementioned, the prevailing laws have not designated a Data Protection Authority. Nonetheless, the Privacy Act and Criminal Code provide a complaint mechanism.
A complaint of an offense under the Privacy Act is processed either by the concerned person filing a plaint at the concerned district court or by filing an FIR at the relevant police office. In the latter case, the concerned police office, through the government office, files a charge sheet in the concerned district court. Whether the complaint is filed directly at the district court or at the police office is determined by the nature of the offense. For an offense under the Criminal Code, the FIR process described above is adopted.
The matters related to marketing are regulated by the Advertisement Act and Advertisement Regulation. The definition as provided under the Advertisement Act also includes inter alia advertisement done through electronic medium, online or social media.
Advertisement-oriented SMS or email cannot be sent to any person without obtaining that person’s consent.
Every person has the right to privacy in respect of data available in electronic form. Such data cannot be used or shared without the consent of the concerned person. There is no exclusive provision for cookies and location data. However, if a data subject’s personal information or location data is collected using cookies or otherwise, the concerned entity must adhere to the Privacy Act, and such information must be used only for the purpose for which it was collected.