Highlights of Data Protection and Privacy Legislation in Nepal

The Constitution of Nepal, 2015 (2072) under Article 29 has protected the fundamental rights relating right to privacy, which protects the privacy in relation to the person and their residence, property, documents, records, statistics and correspondence, and their reputation are inviolable. The specific Acts regarding privacy of individual are; Individual Privacy Act, 2075(" Act") and Individual Privacy Regulation, 2077("Rules").

In addition, National Penal (Code) Act, 2017 under the Chapter of offence against privacy which incorporated the provision on prohibition of listening to or recording other's conversation, prohibition on divulging confidential matter, prohibition of taking or disfiguring photograph of any person without his or her consent, prohibition of giving or selling one's photograph to another without consent, prohibition of opening letters or tapping telephone conversation, prohibition of deceitfully making telephone calls or transmitting messages, prohibition of breaching privacy through electronic means, prohibition of search other's body and prohibition of unauthorized entry into other's residence.

 

Act protects the privacy of an individual on the following matters;

a) Property,

b) Document,

c) Data,

d) Correspondence,

e) Character,

f) Personal information remained in electronic means,

g) Maintain privacy on sensitive data.

 

The Act is enacted to manage the protection and safe use of personal information remained in any public body or institution ("Authorized body"), and to prevent encroachment on the privacy of every person.

 

The Privacy Act do not explicitly address their applicability to foreign entities that lack a physical presence in Nepal but engage in the collection, use, or processing of personal information belonging to Nepalese citizens, residents of Nepal, or individuals located within Nepal.

 

Generally, laws passed by Parliament only possess jurisdiction beyond the country's borders when explicitly stated in the legislation itself. Therefore, when strictly interpreting the Privacy Act, it appears to lack extraterritorial applicability and is restricted to entities registered in or operating within Nepal. The definitive interpretation of privacy laws, including their extraterritorial reach, remains pending, with no clear rulings from the courts as yet.

 

The Privacy Act and the Privacy Regulation do not establish a data protection authority or regulatory authority responsible for the administration and enforcement of privacy and data protection matters in Nepal. The Act provides provisions for establishment of a National Data Office ('Data Office') for the sole purpose of acting as an entity to engage in tasks relating to data, i.e., a central data bank. Nonetheless, the Data Office hasn't been empowered to act as a regulatory agency.

 

Pursuant to the Act, personal information means the information relating to a person which are as mentioned:

a) Caste, ethnicity, birth, origin, religion, color or marital status,

b) Education or academic qualification,

c) Address, telephone or address of electronic letter (email),

d) Passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body,

e) A letter sent or received by a person from anybody mentioning personal information,

f) Thumb impressions, fingerprints, retina of eye, blood group or other biometric information,

g) Criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence,

h) A matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.

 

The scope of personal information seems to be narrow in comparison with the definition provided by various international data protection regulation.

 

As per the Act privacy of physical and mental condition of a person shall be protected and no one shall disclose the privacy matters regarding physical and mental condition of a person. But, in the following conditions, the privacy matters relating the physical and mental condition of a person can be disclosed:

a) A matter involving the consent of the person concerned,

b) A matter already made public by the person concerned with his or her own will,

c) A matter investigated in the course of any offence, by the investigating or prosecuting official,

d) A matter related to physical condition or private life of a person has to be disclosed for obtaining any facility or concession, and a person obtains or desires to obtain such facility or concession.

 

*Note: The consent of guardian or curator shall be obtained for thedisclose of personal information in the case of: 

a) The person, who is below 18(eighteen) years old,

b) The person, who is of unsound mind,

c) The person, who is intellectually disable.

 

No one shall except the Authorized body under law or the person permitted by such Authorized body shall collect, store, protect, analyze, process or publish the personal information of any person.

Without the consent and informing purpose of collecting such information to such individual, no one shall collect, store, protect, analyze, process or publish the personal information.

While collecting of such information, the following matters shall be clearly disclosed:

a) Time of collecting information,

b) Content of information,

c) Nature of information,

d) Objective of collecting information,

e) Method and process of testing information,

f) Certainty of the matter of maintaining privacy of the collected information and

g) Matters including the protection of the collected information.

 

*Note: The collected information shall be protected. The Authorized body to do such shall have to make appropriate arrangement against unauthorized access likely to occur to personal information, or against the possible risk of unauthorized use, change, disclosure, publication or transmission of such information.

 

 

The Act permits only the Authorized body to collect, store, protect, analyze, process or publish the personal information of concerned person after informing, taking consent of him or her and purpose of collecting such information. Misuse of such data is strictly prohibited under the law.

 

The personal information shall be collected for the following purposes:

a) If the Authorized body shall collect the personal information under the existing law,

b) If it is collected for investigation, prosecution of criminal offence or action under the court proceeding or enforcement of law,

c) If the person regarding whom anybody corporate or public body collects information, holds or is about to hold any post of such a body, or if such information remains under the approved programs of such a body corporate or body and

d) If it is collected for the keeping the national security or peace and order.

 

The Act does not directly mention about the transfer of data. But the Act has protected the right to have a privacy of data that every person has right to maintain confidentiality regarding his or her personal information. The Authorized body can use the personal information only for the purpose for which it is collected.

 

No person shall, without obtaining the consent of another person, provide the following data related to that person to anyone else or publish, or cause to be published, such data:

a) Details relating to health examination,

b) Details relating to property and income generation,

c) Details relating to employment,

d) Details relating to family matters,

e) Biometric details and thumb impression,

f) Signature or electronic signature,

g) Details relating to political affiliation and election,

h) Details relating to business or transaction.

 

The Act has provided the obligation to Authorized body for the protection and preservation of any personal information of an individual. They are obliged to protect the collected personal information. The Authorized body is mandated by Act to make appropriate arrangement against unauthorized access likely to occur to personal information, or against the possible risk of unauthorized use, change, disclosure, publication or transmission of such information.

 

An individual can make an application to the Authorized body, if he or she thinks that any information relating to him or her is wrong. An application can be given to the Authorized body by an individual for the correction of such information.

 

 

If any conduct is done against the Act, the aggrieved party can complain to the concerned District court. The complaint shall be made within 3(three) months from the date of the commission of such act.

 

The Act has protected the personal information of an individual. The Authorized body only has right and obligation to collect, store, protect, analyze the personal information after informing and taking consent of an individual. No one shall breach such obligation of an Authorized body.No one than the Authorized body shall collect, store, protect, analyze the personal information of the individual. If such act is done, it is violation of right to privacy of an individual.

 

When anyone violates the right to privacy and does conduct prohibited by Act is liable for the imprisonment for a term not exceeding 3(three) years or fine not exceeding 30(thirty thousand rupees) or both shall be imposed.

If any kind of damage, loss or injury is caused to any person due to commission of conduct against the Act, concerned person or victim may make a complaint to the concerned District Court to get compensation paid for such damage, loss or pain, as well.

 

The Muluki Criminal Code 2074 has also protected right of the individual privacy and prestige and provides the provisions relating offence against such individual privacy and prestige.

 

The Act fails to cover the extra territorial issues, if any Nepalese citizens suffered by the attacks of data, there is no place to complain for their grievances. There is no regulatory authority for looking after the issues of data protection of an individual. The district court is only the complaint hearing authority. The Act doesn't make it obligatory to notify data subjects or the regulatory authority in the event of a data breach. This means that when a data breach happens, the affected individual might not receive any notification regarding the compromise of their information. It is essential to establish a clear timeframe and criteria for determining when a data breach should be reported to both data subjects and regulatory authorities. This way, swift action can be taken in the event of a data breach.

 

The privacy law fails to outline the rights of data subjects, including their right to access their own data, the right to have their data erased (commonly referred to as the right to be forgotten), the right to data portability, and the right to object or opt out, among others. These rights are crucial in ensuring data subjects' data security and giving them control over their personal information. Furthermore, The Act lacks provisions specifying the responsibilities and duties of data processors and data controllers.

 

The recurrent occurrences of data breaches in Nepal can be attributed to the absence of a strong compensation mechanism. To hold companies accountable for their careless handling of personal data and to provide fair compensation to victims, it is imperative that The Act includes a comprehensive compensation scheme.

 

a) Baburam Aryal v. The Government of Nepal [N.K.P. 2074, 25]:

The Supreme Court laid down that the right to privacy guaranteed by the Constitution is a fundamental right that may not be violated by the State or third parties. The Supreme Court further ruled that under the right to privacy, matters relating to a person's body, residence, property, documentation, data, communications, and character are inviolable, except as permitted by the law. An organisation or department that collects information and has undertaken the responsibility of such information must not use such information at its discretion. Instead, such an organisation or department must protect such a 'data bank' of information at any cost. The Supreme Court further laid down that such an organisation or department must not allow unauthorised access to such a data bank, even as an exception in the absence of a clear legal basis.

 

b) Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et. al. [N.K.P. 2064, 1208]:

The Supreme Court held that the right to privacy guaranteed by the Constitution must be protected. An exception to this general principle is that information relating to a person may be shared with third parties only in cases where prior consent from the concerned person has been obtained.

 

c) Roshani Poudel et. al. v. Office of the Prime Minister and Council of Ministers et. al. [N.K.P. 2077, 1232]:

It is imperative to ensure the right to privacy to protect people from discrimination and condemnation. Disclosure of personal information of a person or a citizen, except for the specific and legal purpose, violates the right against exploitation of the person or citizen, the right against violence, the right to privacy, the right to live with dignity and the established jurisprudence that govern the right to non-discrimination on the basis of health as well as international laws, the Constitution, the Preamble and Section 3 and 7 of the Privacy Act.

 

d)  Adv. Baburam Aryal et.al. Vs. Government of Nepal, office of ministers and council of ministers et. al. [ N.K.P. 2074, D.N. 9740]

The supreme court held that privacy right of privacy and it is a fundamental right of an individual. The government cannot interfere in the personal matters. The government, during the situation of state emergency only can interfere in the communication process of an individual. The government in the name of criminal investigation has no right to search and investigate each and every information like call detail, messages of an individual. In accordance with the established international standards, telecommunication service provider companies, when providing telecommunication services to any individual, must guarantee the protection of that individual's privacy and the protection of data related to that individual. In the absence of a definite legal order or formal document with advance authority, failure to give notice to another due to coercion or inducement.

 

Date of Publication: 07 November 2023

 

Disclaimer: Bhandari Law and Partners is one of the leading law firm in Nepal  with team of best professional lawyers in Nepal.This article published on website of the law firm is just for information purpose only. It shall not be taken as the legal advice, advertisement, personal communication, solicitation or inducement. Bhandari Law and Partners or any of the team members of the firm shall not be liable for the consequence arising of the information provided. As the factual situation may be different on your case, thereof if you need further legal advice on the subject matter, please Contact Us.