Source: mevans | Getty Images Signature

Politics

How Privacy Act covers you

While recent and past Supreme Court rulings underscore the importance of privacy, Nepal’s privacy law has also stepped up with protections for personal data, safeguarding everything from your health status to your online communications.

By Pragya Dhakal

Not long ago, the Supreme Court of Nepal reaffirmed privacy as a fundamental constitutional right in its verdict on September 10, 2024. The ruling mentioned that Nepal Telecom’s procurement of a new ‘billing’ system could expose sensitive customer data, threatening privacy, dignity and national security.

The telecom company had issued a tender on March 31, 2024, to replace its integrated billing system with the Convergent Real Time Billing (CRTB) system. However, Rita Karki’s writ petition challenged the process, citing flaws, high costs, and data breach risks. 

A bench of Justices Dr. Nahakul Subedi and Mahesh Sharma Paudel deemed unauthorised data access a serious rights violation and ordered Nepal Telecom to ensure privacy safeguards in its procurement process.

This ruling is in line with a 2016 Supreme Court verdict on the misuse of personal data in criminal investigations. The case, filed by Baburam Aryal, alleged that Nepal Police had mishandled SMS and other sensitive data from Judge Ran Bahadur Bam’s murder probe, turning the data into a source of entertainment. 

In response, the Court issued a Mandamus directing Nepal Telecom to uphold user privacy and prevent unauthorised data access. It also stressed the need for stronger data security laws, urging authorities to enact comprehensive privacy protections.

The Privacy Act, 2018 (2075), which took effect on September 18, 2018, marked Nepal’s first dedicated legislation on individual privacy. While Article 28 of the Constitution had long guaranteed privacy as a fundamental right, enforcement mechanisms remained absent until this Act provided a concrete legal framework. Recognising privacy as a fundamental right not just for citizens but for all ‘persons’ within Nepal, the constitutional article builds on earlier constitutional provisions dating back to 1990. 

However, its implementation remained sluggish due to the lack of dedicated legislation. Today, the Privacy Act, 2018, along with the Privacy Regulation, 2020, forms the core legal foundation for privacy protection in Nepal, supplemented by other laws governing limited aspects of privacy-related matters.

Definition of personal and sensitive information

One of the key provisions of the Privacy Act, 2018 is the definition of personal information to strengthen privacy protections. 

According to Section 2(c), personal data includes details such as caste, ethnicity, religion, marital status, education, contact information, national identity numbers, biometric data, criminal records, and expert opinions used in legal decision-making. 

More critically, Section 27(2) classifies Sensitive Personal Information, covering an individual’s caste, ethnicity, political affiliation, religious beliefs, health status, sexual orientation, and property details. This distinction ensures that public bodies cannot process such sensitive data without strict legal safeguards. 

Nepal’s Constitution guarantees privacy as inviolable across seven domains—body, residence, property, documents, data, correspondence, and character. The Right to Privacy Act expands on these protections, dedicating separate chapters to each category. For instance, Chapter 2 details the privacy of an individual’s body and family, while Chapter 3 addresses privacy related to one’s residence.

Privacy of body and family

The Privacy Act, 2018, reinforces the inviolability of an individual’s physical and mental condition under Section 3. It explicitly prohibits any intrusion into a person’s bodily privacy without consent, except for medical examinations, treatments, or emergency relief efforts. 

The Act further safeguards biometric identity, gender identity, sexuality, sexual relations, conception, abortion, virginity, potency, and physical health information, restricting their disclosure without the individual’s explicit approval.

Publishing, writing, or electronically disseminating such personal details is strictly prohibited—unless the person voluntarily makes them public, legal investigations require disclosure, or specific benefits necessitate it.

Extending these protections, Section 5 affirms that an individual’s body and personal belongings cannot be searched without consent, except for law enforcement and security checks in criminal or security-related matters.

The Act also upholds family privacy under Section 4, ensuring that personal relationships and household matters remain confidential. Notably, it reinforces the mutual privacy of spouses, making any intrusion impermissible except when required for legal proceedings between them.

Protection of residence and property

Under Section 7 of the Privacy Act, 2018, every individual has the right to residential privacy, ensuring that unauthorised entry, search, or intrusion into a person’s residence is strictly prohibited unless backed by legal authority. 

Even in legally sanctioned cases, Section 8 mandates that residents must receive a written notice specifying the purpose of entry before a search is conducted. However, exceptions apply in emergency situations, such as disaster response or rescue operations.

Beyond residential privacy, the Act also reinforces privacy of property and assets. Section 10 upholds an individual’s right to keep property details confidential, prohibiting unauthorised entry into houses, land, vehicles, or other assets without consent.

Public bodies, corporations, and officials responsible for maintaining property records cannot disclose such information without the owner’s consent, except in cases of legal investigations or court orders. 

Protecting the privacy of documents and financial records

The Privacy Act, 2018, safeguards personal documents and financial records, ensuring that sensitive information remains protected from unauthorised access or disclosure. Section 11 explicitly defines confidential documents, including educational certificates, medical records, identity documents (passport, citizenship card, voter ID, etc.), bank account details, financial statements, biometric data, and property ownership certificates. 

The Privacy Regulation, 2020, further expands this list to include documents like birth and marriage certificates.

Unauthorised publication or misuse of such records is strictly prohibited. However, exceptions exist in cases involving court orders, criminal investigations, or when identity verification is required to access public services. 

Safeguarding personal data and correspondence privacy

Section 12 ensures that individuals have the right to keep their personal and family data confidential, restricting its collection without prior consent. Any public body or corporate entity handling such data must ensure its secure use, prohibiting disclosure without authorisation. However, exceptions exist for national security or public order, allowing relevant authorities access under legal provisions.

Beyond data protection, Section 13 reinforces the privacy of communications, including letters, emails, and electronic conversations. Unauthorised access, interception, or publication of private correspondence is strictly prohibited. Authorities, however, may access such information only with the individual’s consent or under a legal order in criminal investigations. 

Protecting character and reputation

The Privacy Act, 2018 places a strong emphasis on protecting an individual’s character and reputation as a fundamental aspect of privacy. Sections 15 to 18 explicitly shield individuals from defamation, insult, and any actions that harm personal dignity. The Act prohibits damaging actions such as unauthorised alterations of photographs or the disclosure of confidential information obtained in professional settings.

In addition to individual protections, the Act also regulates government actions, ensuring that state authorities uphold citizens’ privacy rights. Section 17 specifically prohibits the publicising of individuals under investigation before a charge sheet is filed. This restriction prevents the premature exposure of the accused, ensuring that “innocent until proven guilty” is respected and reputations are protected from irreversible damage. 

Electronic privacy and surveillance restrictions

Chapter 9 of the Privacy Act, 2018 addresses digital privacy under Sections 19 to 22, recognising that the right to privacy is essential in a technologically advanced society. 

It affirms that individuals have the right to keep electronically stored personal information confidential. Unauthorised access, sharing, or surveillance of electronic data is prohibited, and any entity maintaining a database is obligated to ensure the confidentiality and security of that data, as emphasised in the Privacy Regulation 2020. 

Furthermore, conversations held electronically cannot be recorded without the consent of the individual or legal authorisation. However, the law allows security agencies or investigative bodies to intercept, monitor, and decrypt electronic communications, which raises critical concerns about unregulated surveillance. Section 19(4) grants officials the power to intercept or record communications, provided there is either consent or an order from an authorised official. However, the Act does not specify clear grounds or criteria for these actions, nor does it outline the strict procedures to be followed.

In many liberal democracies, such interception is tightly regulated, generally allowed only when less intrusive methods are insufficient and the crime being investigated meets certain severity thresholds. Unfortunately, the Privacy Act lacks these essential safeguards. 

Sections like 12(5) and 12(6) give authorities unchecked access to data, further risking the erosion of privacy rights. Such legal loopholes are also found in, but not limited to, Section 11(4d), Section 34 and Section 25(3), making individuals liable to disclose all personal details to security agencies.

Without clearer provisions and additional safeguards, these legal gaps could lead to the rise of a surveillance state, where individual privacy is easily overridden by government actions.

How is collection and protection of personal information regulated in the Act?

With the rapid growth of digital technology, both the state and private sector are amassing large quantities of personal data, making robust regulation crucial. 

Sections 23 to 28 of the Privacy Act outline specific compliance obligations for entities handling personal information. Data collection, storage, processing, and publication can only be conducted by an Authorised Person or a designated official. 

However, individuals may voluntarily provide their information for purposes such as research, studies, or public opinion surveys, as long as they are fully informed about the purpose, nature, and privacy protections involved.

The Act operates under three core principles: (a) approval from the Competent Authority, (b) consent from the data subject, and (c) the right to be informed. 

Public bodies and corporate entities have significant responsibilities. 

Section 25 mandates that public bodies must protect collected data from unauthorised access, misuse, or disclosure, unless the law permits otherwise. 

Section 26 further ensures that public and corporate bodies cannot use or share personal data with third parties without the individual’s consent, except under specific legal circumstances.

The Privacy Regulation 2020 reinforces this by emphasising that data should only be used for the original purpose of collection. However, while the Act enforces data integrity and confidentiality, it lacks detailed minimum-security standards or a designated regulatory authority to enforce these protections.

Another significant provision is the right to rectification under Section 28, which allows individuals to request corrections to inaccurate personal data by providing adequate evidence. However, if the individual has already benefited from the incorrect data, the Act does not entertain such rectification requests. The application process for this is outlined in Annex 3 of the 2020 Regulation.

Enforcement and penalties

To ensure compliance, Section 31 of the Act outlines penalties for violations, which include imprisonment of up to three years, fines of up to NPR 30,000, or both. 

Affected individuals have the right to seek compensation through the District Court for any harm caused by privacy breaches. The aggrieved party can initiate criminal proceedings either as a private party or as a state party for violations of the law.

Nepal has made significant progress in privacy laws, both in terms of legislation and judicial interpretation. The scope of privacy litigation has evolved over time, as evidenced by the examination of multiple dimensions of privacy by our Supreme Court.

While recent cases focus primarily on data protection, one of the earliest landmark decisions on the right to privacy was made in 1998 in the case of Annapurna Rana v. Gorakh Shamsher JBR and Others regarding a virginity test. In this case, the Supreme Court had ruled that even the judiciary cannot compel an individual to undergo such a virginity test, as it would infringe upon their right to privacy, which is an inherent part of the right to liberty. 

However, in today’s digital age, data protection has become the forefront issue in privacy matters. While the Privacy Act addresses data protection, its provisions remain incomplete and unclear. To address this, lawmakers can either create a separate Data Protection Act to complement the Privacy Act or enhance the current law with clearer and more comprehensive data protection provisions.

Given the significance of data security in today’s world, a standalone law—developed in consultation with stakeholders—would be the ideal solution. This emphasis on data protection is also crucial because, as a constitutional fundamental right, the right to privacy primarily applies only against government actions. 

To bind non-state actors, such as private corporations collecting data, a strict and comprehensive data protection law is the only way out. This law must regulate the unauthorised collection, storage, processing, disclosure, or misuse of personal data, clearly defining the responsibilities and liabilities of private entities. 

At the same time, raising public awareness is vital—individuals must recognise the value of their data and avoid sharing it frantically to ensure their personal information remains secure.

Pragya Dhakal is an emerging advocate with an academic foundation in law and political science from Tribhuvan University.
