Data Protection and Privacy Legislation in Nepal
19 August 2021
1. GOVERNING LAW:
Data protection and privacy matters in Nepal are governed by a number of different laws. Article 29 of the Constitution of Nepal ensures right to privacy and protection of personal information as a matter of fundamental right. With the view of giving effect (a) to the constitutional right to privacy of the matter relating to body, residence, property, document, data, correspondence and character of every person, (b) to manage the protection and safe use of personal information remained in any public body or institution and (c) to prevent encroachment on the privacy of every person, the Individual Privacy Act, 2075 (“The Act”) and the Individual Privacy Regulation, 2077 (“The Regulation”) were enacted.
Furthermore, the provisions related to privacy and data protection are incorporated in the Muluki Criminal Code, 2074. The Act prohibits various conducts such as listening to or recording other’s conversation, divulging confidential matter, taking photograph of any person without his/her consent, giving or selling one’s photograph to another without consent, opening letters or tapping conversation, breaching privacy through electronic means and unauthorized search of bodies or belongings of person.
Since the provisions stipulated in the Act overlap with the provisions under the Criminal Code, they have to be read in conjunction to understand the extent of protection of personal information.
This article provides a brief overview of the data protection laws in Nepal.
2. SCOPE OF THE ACT:
The Act strives to protect the fundamental right to privacy of every data subject ( “Individual”), such as privacy of body, family, residence, property, document, data, correspondence, and character, privacy of personal information through electronic means and protection of sensitive data. It imposes data protection and privacy obligations of individuals entrusted upon public bodies or entities.
The Act deals with both personal information and sensitive personal information and identifies respective obligations for each.
3. APPLICABILITY OF THE ACT:
The Act is applicable during collection, storage, processing, use, analysis and preservation of personal information of any individual residing in Nepal or individuals located in Nepal. However, the Act is silent on extra-territorial applicability and is unclear on whether it is applicable on foreign entities not having physical presence in Nepal.
4. PERSONAL INFORMATION:
Personal Information means the following information related to any person:
(a) Caste, ethnicity, birth, origin, religion, color or marital status,
(b) Education or academic qualification,
(c) Address, telephone or address of electronic letter (email),
(d) Passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body,
(e) A letter sent or received by an individual mentioning personal information,
(f) Thumb impressions, fingerprints, retina of eye, blood group or other biometric information,
(g) Criminal background or description of the sentence imposed upon individual for a criminal offence or service of the sentence,
(h) A matter of opinion or view expressed by professional or expert in the process of any decision.
This definition takes a narrower approach to personal information as compared to the EU General Data Protection Regulations 2016 (“GDPR”). According to GDPR, personal information means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Furthermore, section 27(2) of the Act defines Sensitive Personal Information as personal information of the concerned person which reveals his/her caste, ethnicity, origin, political affiliation, religious faith/belief, physical/mental health, sexual orientation or event relating to sexual life and details relating to property.
5. COLLECTION OF PERSONAL INFORMATION:
The Act permits only an official authorized under law (“Authorized Person”) or the person permitted by such official to collect, store, protect, analyze, process or publish the personal information of any individual. The Authorized Person has to (a) fully inform the individual regarding the purpose for which the information is collected and (b) obtain consent from such individual.
While collecting information, the individual has to be provided with the following information:
(a) Time of collecting information,
(b) Content of information,
(c) Nature of information,
(d) Objective of collecting information,
(e) Method and process of testing information,
(f) Certainty of the matter of maintaining privacy of the collected information, and
(g) Matters including the protection of the collected information.
6. PROCESSING/USE OF PERSONAL INFROMATION:
The Act permits the personal information collected by public entity to be processed or used upon obtaining consent of an individual. The data so collected can be used only for the purpose for which such data has been collected. Using information so as to inflict or insult in the personal life of an individual is strictly prohibited. The public entity has to make appropriate arrangement against unauthorized access likely to occur to personal information, or against the possible risk of unauthorized use, change, disclosure, publication or transmission of such information.
Furthermore, the Act mandates consent of the guardian or curator of the minor for using information relating to the privacy of minors, persons of unsound mind provided that it benefits to the interest of such persons. However, the personal information so collected by public entity can be processed without consent of an individual in the following conditions:
– If there is a provision incorporated for collecting such information by the Authorized Person under the existing laws,
– If such information is collected during investigation, prosecution of criminal offence or under the order of the Court, or
– If it is collected or processed for the maintenance of national security or peace and order.
In addition, the Act prohibits public entities to process sensitive information unless (a) required for diagnosis, treatment, management and delivery of health services or emergency rescue to an individual and (b) if an individual himself/herself makes such information public.
7. RETENTION OF PERSONAL INFORMATION:
The Act imposes obligations upon an Authorized Person to collect, store, protect, analyze, process, retain or publish the personal information of any individual. However, the Act and Regulation are silent on providing for a specific procedure or time duration for retention of personal information.
8. TRANSFER OF DATA:
The Act and Regulations provide no specific provision so as to regulate data transfers. The term “transfer” indicates transferring of personal information to the third party thereby requiring consent from a concerned individual.
Pursuant to the Act, consent of an individual is sufficient enough for transferring the data. The Act prohibits disclosing or transferring of personal data of an individual without obtaining consent from such an individual:
– Details relating to health examination,
– Details relating to property and income generation,
– Details relating to employment,
– Details relating to family matters,
– Biometric details and thumb impression,
– Signature or electronic signature,
– Details relating to political affiliation and election,
– Details relating to business or transaction.
9. RESPONSIBILITY OF THE PUBLIC ENTITY:
The Act puts obligation upon public entities to protect and preserve the personal information that has been collected or remained under the responsibility or control of such entity. The information so collected by a public entity cannot be transferred or disclosed to the third party without obtaining consent of an individual.
The Act has mandated public entity to make appropriate arrangement against unauthorized access likely to occur to personal information, or against the possible risk of unauthorized use, change, disclosure, publication or transmission of such information. Furthermore, the sensitive personal information collected by a public entity cannot be processed or used.
In addition to this, the Act also aims at regulating public entity to correct the collected information upon submitting sufficient evidence by an individual so as to why such information has been wrong or upon providing justification for his/her claim. However, such application is not entertained if an individual has already taken advantage of the facilities based on the information provided.
10. RIGHTS OF INDIVIDUALS:
10.1 The right of access and being informed
The Act provides that an Authorized Person who collects, stores, processes, analyzes and protects the personal information to inform the individuals regarding the subject matter of collected information and the purpose of collecting such information. The individuals have the right to confirm if the Authorized Person has made necessary arrangements against unauthorized access likely to occur to personal information, or against the possible risk of unauthorized use, change, disclosure, publication or transmission of such information as provided in section 25 of the Act.
Likewise, the Act grants individuals the right of access to the information such as time, nature, content, objective, method of information collection.
10.2 The right of rectification
In the event that personal information remaining under the responsibility, protection or control of any public entity is either wrong or is not based on the fact, the Act provides right to an individual to file an application to correct such information.
The Act requires a public entity to communicate the decision of rectification of personal information in case an individual submits notice of rectification along with the relevant evidence substantiating the rectification. However, such applications can only be filed before taking advantage of the facilities based on the information provided. This right of rectification is limited to the personal information under the control of a public entity.
10.3 Right to restriction of processing
Upon obtaining consent from an individual, the Act and Regulation do not provide for specific provision relating to restriction of processing.
11. GOVERNING AUTHORITY:
The Act is silent on providing any provision related to data protection regulator/authority in Nepal. There is also an absence of an alternative or central regulator that governs issues related to data protection and privacy.
12. BREACH OF DATA:
The right to privacy is a fundamental right and violation of which would amount to criminal offence. The aggrieved party can initiate the criminal proceeding either as a private party or a state party for violating provisions of the Act. The offences such as collection of personal information by any person other than the Authorized Person, collection of personal data without mentioning the purpose of collecting such information, disclosing the personal information without his/her consent are criminalized by the Act.
For acts amounting to offences as stipulated under the Act, punishment of imprisonment for a term not exceeding three years or fine not exceeding thirty thousand rupees or both will be applicable. Additionally, the party aggrieved by an offence can claim compensation for any damage, loss or pain incurred. The court can grant reasonable compensation to the aggrieved party if the court is of the opinion that such damage, loss or pain is incurred.
Disclaimer: This article is for informational purposes only and shall not be construed as legal advice, advertisement, personal communication, solicitation or inducement of any sort from the firm or its members. The firm shall not be liable for consequences arising out of actions undertaken by any person relying on the information provided herein.
Phone: +977 9808811027, +977 9849093540
Location: 4th Floor, Gravity Center (Big Mart Complex), Anamnagar-29, Kathmandu 44600, Nepal
09:00 AM – 06:00 PM