The Individual Privacy Act, 2018 (2075) (the “Act”) came into force on September 18, 2018 (Ashwin 02, 2075) as the first specific legislation of Nepal governing the protection of individual privacy. The Government of Nepal (GON) has not issued implementing rules yet.
The Government has also drafted the Information Technology Draft Bill and Cyber Crime Draft Bills, and when these bills are enacted, their provisions will also supplement the provisions of the Act.
The scope of the Act extends to (a) ensuring the right to privacy of every individual, such as his/her body, residence, property, documents, data, correspondence, personal information, character and information in online medium, (b) the management, protection and secured utilization of personal information[1] entrusted to public authorities or entities, and (c) asserting restrictions on the infringement of individual privacy. The Act further classifies certain information as sensitive personal information[2] and specifically restricts public authorities from processing such information.
Currently, in view of the definitions of personal information and sensitive personal information, it is not clear whether the term “person” refers to a natural person or a legal person. However, the specifications made in the definition (such as caste, ethnicity, education, passport etc.) indicate that it refers to a natural person. The protection and management of information of legal persons or entities currently seems uncertain.
The Act is applicable to the collection or use of personal information. It intends to regulate data or information generally collected, retained, analyzed or processed by public authorities or corporate entities incorporated under the laws of Nepal. The enforcement of the Act is uncertain with regard to the collection or use of personal information relating to a Nepalese resident that (a) takes place from outside the territory of Nepal, or (b) is made by an offshore entity within Nepal.
The Act requires fulfillment of the following criteria to collect personal information of natural persons: (a) approval of the “Competent Authority”, (b) consent of the data subject, and (c) information to the data subject.
4.1. Approval of the Competent Authority
Generally, the Act restricts collection, storage, retention, analysis, processing or publication of personal information of any individual except by (i) the Competent Authority, or (ii) a person authorized by such competent authority (the “Authorised Person”). However, the Act has not defined what would be the “Competent Authority”, and it remains to be seen whether the implementing rules might provide for a separate competent data protection office or authority.
4.2. Notice to the Data Subject
The Authorised Person is required to comply with the following requirement in respect of collection, storage, retention, analysis or publication of personal information:
Public authorities or corporate bodies are restricted from using or disclosing personal information collected, stored or retained by them without the consent of the concerned person. However, this restriction does not apply when it is used for the purpose it is collected during the course of criminal investigation or as per the order of a court or as required by the competent official who is authorized to require/ask for such information.
Similarly, the Act permits (a) publication of personal correspondence or study, research, or verification of a certain portion of such correspondence in situations where the person has consented; (b) a document bearing personal information is necessary for identification purposes for availing ‘public services’; or (c) an order is issued by the court or competent authority in a pending case or during the course of investigation or prosecution of any criminal offense.
The personal information or data may be used or disclosed to others by the Officials, without obtaining consent of the data subject, under the following circumstances:
The Act imposes upon the public authority an obligation to protect the personal information collected or retained by them. Furthermore, the public authorities are required to arrange effective security measures against risks involving unauthorized access, use, alterations, disclosure, publication or broadcasting of such data.
The violation of the Act is a criminal offence where the case may be initiated by either an individual or the State as per the nature of the offence. The offender is liable for imprisonment of up to 3 years or a fine of up to NPR 30,000 (USD 300 approximately) or both. The aggrieved party is also entitled to compensation for the loss suffered due to the violation of the provisions of the Act.
Disclaimer: This Pioneer Law Briefing may not necessarily deal with every important aspect of the subject matter. This Briefing is intended for general information only and not to be construed as legal or other advice.
[1] The Privacy Act further defines “personal information” as the following information related to any individual: (i) caste, ethnicity, sexuality, gender disclosure, birth, origin, religion, race or marital status, (ii) education or educational degree, (iii) address, telephone or e-mail address, (iv) passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity cards issued by public authorities, (v) any documents sent or received by the individual which contain personal information, (vi) fingerprint, handprint, retina of eyes, blood group or other biometric information, (vii) criminal background or details regarding punishment awarded to or suffered by an individual for any offence, (viii) any professional or expert opinion or view delivered by an individual in the course of making a decision.
[2] Information relating to (a) caste, ethnicity or origin, (b) political affiliation, (c) religious belief, (d) physical or mental fitness or condition, (e) sexual orientation or incidents concerning sexual life, and (f) details of property.