Privacy Act 2018 in Nepal – Data Protection

The Privacy Act, 2075 (2018) (enforced from 18 September 2018) is Nepal’s primary legislation that governs the collection, use, and protection of personal data and private information. It covers both physical privacy and informational privacy, ensuring that individuals are protected from unauthorized surveillance, data misuse, and privacy breaches in both public and private spheres.
While some of these protections were already included in the Muluki Criminal (Code) Act 2017, the Privacy Act consolidates and expands them in line with international privacy norms.

Why Was This Act Introduced?

Before the enactment of this law, privacy was addressed in a fragmented manner mainly under criminal provisions. However, the digital age required a dedicated legal framework. The introduction of the Privacy Act ensures:

  • Protection of fundamental rights under the Constitution
  • Regulation of data collection, storage, and processing
  • Clear liability for data misuse and privacy breaches

This law is particularly critical for institutions relying on digital data and technology, including e-commerce platforms, digital service providers, and even academic institutions.

Learn more about your constitutional rights on Onesphere Law Associates’ legal insight portal.

What Does the Act Protect?

The Privacy Act classifies privacy into several protected categories:

1. Privacy of the Body and Residence

  • Unauthorized body searches are prohibited unless conducted with due legal authority.
  • Trespassing into someone’s private home without consent is illegal.
  • Installation of CCTV in private homes without consent is criminalized.
  • Personal physical, mental, and reproductive information is considered sensitive and protected.

2. Privacy of Communication

  • Letters, emails, phone calls, and other communications cannot be intercepted or disclosed without consent.
  • Even taking, editing, or publishing someone’s photo without permission is a punishable offense.

3. Privacy of Property

  • Information related to a person’s property holdings is protected and cannot be accessed or disclosed without permission.

What Qualifies as Personal Information?

According to the Privacy Act, personal information includes:

  • Full name, address, phone number, email
  • Citizenship number, passport, voter ID, driving license
  • Ethnicity, caste, religion, marital status
  • Educational qualifications
  • Biometric data (fingerprints, retina scans, blood type)
  • Criminal history or past offenses
  • Letters containing personal opinions or judgments

However, this list is closed (exhaustive) and narrow compared to international benchmarks like the GDPR (General Data Protection Regulation) or the OECD Guidelines. Those frameworks define personal data more broadly, covering identifiers such as IP addresses, cookies, or online behavior, which Nepal’s law currently excludes.

For a GDPR-aligned compliance review of your company’s data policies, contact Onesphere Law’s Data Protection team.

What’s the Penalty for Violating the Privacy Act?

Violating any provision of the Act can lead to:

  • Imprisonment up to 3 years
  • A fine of up to NPR 30,000
  • Departmental action if the offender is a public official
  • Monetary compensation for victims

Victims must file a complaint at the District Court within 3 months from the date of the violation.

The law also allows state prosecutors to pursue certain types of offenses, such as body search without a warrant, data theft, espionage, or drone surveillance, which marks a departure from the private-party complaint model under the Criminal Code.

Need criminal representation? Consult Moksha Legal Group specialists in digital and criminal law in Nepal.

Responsibilities of Public Entities

Public institutions now face stricter obligations regarding data they hold. Specifically:

  • They cannot share personal data without written consent from the concerned person.
  • Individuals have a right to correct inaccurate records unless they have received benefits based on incorrect data.
  • Public offices are allowed to disclose certain employment-related details (e.g., name, designation, work responsibilities) but must safeguard sensitive information.

Sensitive data includes:

  • Caste, ethnicity, religion, political affiliation
  • Health records
  • Sexual orientation
  • Property ownership

Such data can only be processed with consent, during healthcare delivery, or if the individual has voluntarily disclosed it.

What Must Businesses and Online Platforms Do?

Businesses, especially in the digital domain, must adopt transparent and accountable practices for data management. This includes:

  • Obtaining explicit, informed consent before collecting user data
  • Collecting only the data that is necessary for a disclosed purpose
  • Stating the method, timing, and objective of data collection
  • Prohibiting unapproved third-party data sharing

These rules directly affect e-commerce sites, app developers, social media platforms, and even HR firms that store employee data.

Failure to comply not only exposes the business to legal risks but also reputational damage.

Need help with data policy drafting or privacy compliance audits? Onesphere Law can assist.

What About the Media?

The law exempts some actions from being offenses if:

  • The individual is a public figure or public officeholder
  • The publication serves public interest or transparency

However, since the Act does not define “public figure”, the interpretation is ambiguous. This legal gray area puts online media houses at risk of litigation while allowing potential misuse of privacy claims by public personalities.

Media houses can consult Moksha Legal Group for defense strategy or legal interpretation.

Can Researchers Collect Personal Data?

Yes, but with several conditions:

  • Researchers must obtain informed consent
  • They must disclose the methodology, subject, scope, and data use
  • Data must be used exclusively for research purposes

This enables academic freedom while still protecting the rights of individuals participating in studies or surveys.

Challenges and Ambiguities in the Act

Despite its intent, the Privacy Act still falls short in several areas:

1. Overlapping Jurisdictions

The Criminal Code and Privacy Act both govern privacy offenses—but with different penalties and enforcement mechanisms, causing confusion.

Example:

  • Unauthorized body search:
    • Under the Criminal Code: up to 1 year or NPR 10,000
    • Under the Privacy Act: up to 3 years or NPR 30,000

2. No Concept of ‘Data Controller’ or ‘Processor’

Modern data regulations (e.g., GDPR) distinguish between entities that control and process data. Nepal’s law does not, creating ambiguity in assigning liability in case of breaches.

3. Narrow Definition of Personal Data

Information such as IP addresses, cookies, location data, or online identifiers is not included, limiting the law’s relevance in the digital ecosystem.

The Road Ahead

The Privacy Act authorizes the Government of Nepal to introduce detailed rules and regulations for implementation. It remains to be seen how effectively these will:

  • Clarify ambiguous terms like “public figure”
  • Expand the definition of personal data
  • Introduce accountability for tech companies and data handlers

Until then, stakeholders—individuals, companies, and public bodies—should ensure strict internal compliance mechanisms, consult legal experts, and stay informed on upcoming privacy regulations.

Conclusion

The Privacy Act 2018 of Nepal is a foundational step toward a more secure and privacy-respecting society. However, much depends on its interpretation, enforcement, and evolution. With digital data becoming central to every aspect of life and business, understanding and complying with this law is not just about legal safety; it’s about building trust.

Need legal advice on privacy compliance or facing a data dispute?