Introduction Data privacy is concerned with the protection and proper handling of sensitive data, including personal information, confidential data, intellectual property, and other such information. As internet users who share personal data with many websites, it is worth considering how that data is being handled. This is especially important given that data breaches have been observed in Nepal in recent times. In an age where we rely on many applications for day-to-day activities, such as internet or mobile banking, a compromise of our personal data may also result in financial loss. In light of this, understanding the major laws governing data privacy in Nepal is a useful starting point for navigating Nepal's data privacy regime.
General Legal Framework Even though Nepal does not have a unified data protection law, the Constitution of Nepal (Constitution), the Individual Privacy Act 2075 (2018) (Privacy Act) and the Individual Privacy Regulation 2077 (2020) (Privacy Regulation), along with other legislation such as the National Civil Code 2074 (2017) and the National Penal Code 2074 (2017), can be regarded as the laws governing data protection in Nepal. Furthermore, a Bill relating to Information Technology has been placed before Parliament for consideration. This Bill seeks to govern several matters relating to the privacy of data maintained in electronic form. Among these laws, the Privacy Act is the principal law dealing with data privacy in Nepal.
Major Laws: Privacy Act and Privacy Regulation The Privacy Act and Privacy Regulation give effect to the right to privacy guaranteed by Article 28 of the Constitution. They contain provisions on the privacy of the body, family, residence, property, documents, data, correspondence and character of every person, including in electronic form. They secure the right to privacy in matters relating to personal information, including data and information protected by electronic means, and prohibit access to such information without the consent of the concerned individual or entity. When seeking such consent, the entity collecting the data must disclose the purpose of the collection and the content and nature of the information collected. The Privacy Act sets out exceptions to this protection, such as the investigation or adjudication of criminal offences. In such cases, personal data can be sought by the court or by law enforcement officials with the approval or order of an authorised official. The government has not yet prescribed who that authorised official is; in practice, law enforcement officials seek approval from the district court before making data disclosure requests. The Act classifies certain personal information as sensitive, such as a person's caste, ethnicity, origin, political affiliation, religious faith, physical or mental health condition, sexual orientation or events relating to sexual life, and details relating to property, for the purpose of restricting public bodies from processing such information. The Privacy Act penalises unauthorised access to data with a fine of up to Rs 30,000, imprisonment of up to three years, or both.
The Privacy Act imposes a general responsibility on public entities to protect the personal information they collect and requires them to maintain effective security measures against the risks of unauthorised access, use, disclosure and publication of such data.
Way forward While the Privacy Act and Privacy Regulation are important laws relating to data privacy in Nepal, many gaps remain to be addressed. Some of these gaps are identified below:
- While the data of any person cannot be obtained or used without the consent of the concerned individual, the laws are silent on what constitutes valid consent.
- Furthermore, while law enforcement agencies or the court can obtain data with the approval of the authorised official or the district court, no standard has been set that must be met before such approval is given. As a result, whether a request for data by law enforcement agencies is granted rests entirely on the court's discretion. Setting reasonable standards for such disclosure requests would ensure that they respect individual privacy and avoid arbitrariness.
- The Privacy Act does not prescribe minimum security standards that entities holding sensitive information must maintain.
- There is a need to create a regulatory body, such as a Data Protection Office, to help ensure that entities maintain strong security systems to prevent data breaches.
- It should be mandated that all individuals who provide data are informed of any data breach and are able to exercise rights such as the right to be forgotten (erasure of data), the right to withdraw consent once granted, the right to access information about the personal data being collected or processed, the right to rectification, and so on.
- A sufficient compensation mechanism also needs to be established, reflecting the severity of data breaches caused by the intentional or negligent conduct of entities.
- The Act is also silent on the cross-border collection, use or possession of data containing personal information.
Conclusion With increasing digitisation in Nepal, the need for stronger privacy laws has also grown. All in all, the Privacy Act requires major changes to become fully comprehensive. Until such reform, we should be mindful of how we share data on the internet.
Authors: Kirit Mani Adhikari and Sabigya Pandey are Trainee Associates at Pioneer Law Associates and work extensively with the corporate and policy team at the firm.