Individual Privacy Act 2075 (2018): Nepal’s Legal Framework for Privacy Protection

In an era of rapid digital transformation and widespread data collection, the Individual Privacy Act, 2075 (2018) serves as the cornerstone of personal privacy protection in Nepal. Enacted to give statutory effect to the constitutional right to privacy, this Act establishes legal safeguards for personal information, private communications, and individual data held by public bodies and corporate entities.
This article provides a comprehensive overview of the Act’s key provisions, scope, rights, obligations, enforcement mechanisms, and practical implications for individuals and organizations in Nepal.
1. Constitutional Basis for Privacy Rights in Nepal
The Constitution of Nepal, 2015 recognizes privacy as a fundamental right. Article 28 guarantees that privacy over one’s body, home, property, correspondence, and reputation is inviolable and shall not be violated except as authorized by law. This constitutional foundation forms the legal basis for the Individual Privacy Act, 2075 (2018).
2. Purpose and Scope of the Individual Privacy Act
The Individual Privacy Act, 2075 was introduced to regulate the collection, use, storage, processing, and protection of personal information by public authorities and corporate entities. Its key objectives include:
Safeguarding the privacy of individuals and personal data;
Preventing unauthorized intrusion into personal information;
Regulating lawful collection and processing of personal data;
Providing remedies for privacy violations.
The Act protects privacy across multiple aspects of an individual’s life, including:
Personal identity details
Property and financial information
Digital and electronic data
Medical or biometric information
Correspondence and communications
Personal character, reputation, and private records
3. What Constitutes Personal Information?
Under the Act, personal information includes a broad range of data relating to a person’s identity or personal circumstances, such as:
Caste, ethnicity, religion, marital status
Educational and professional qualifications
Contact details (address, email, phone)
National identity numbers (passport, citizenship, voter ID)
Biometric information (fingerprints, retina scans)
Criminal background or convictions
Professional opinions or assessments linked to an individual
This statutory definition provides a clear basis for categorizing sensitive personal data and enforcing privacy protections.
4. Rights Conferred by the Act
The Individual Privacy Act affirms several key rights for individuals:
i. Right to Data Privacy:
Every person has the right to keep personal information confidential, including data stored electronically or in physical records.
ii. Right to Consent:
No public body or corporate entity can collect or use personal information without the informed consent of the individual concerned.
iii. Right to Purpose Limitation:
Data collected can only be used for the purpose stated at the time of collection.
iv. Right to Lawful Disclosure:
Personal information may only be disclosed under defined legal circumstances, such as compliance with court orders or law enforcement requests.
5. Legal Obligations for Collecting and Handling Data
The Act requires that:
Individuals must be informed of the purpose, nature, scope, and intended use of the data collected.
Explicit consent must be obtained before collecting personal data.
Personal information must be protected against unauthorized access, alteration, or misuse.
The entity collecting data must implement reasonable security measures to preserve confidentiality.
Failure to meet these obligations may constitute a violation of the Act.
6. Lawful Exceptions for Disclosure
The Act recognizes certain exceptions where personal information may be disclosed without consent, such as:
When required by court order or authorized law enforcement action;
For national security, peace, and public order;
When data is already public or voluntarily disclosed by the individual.
These exceptions are strictly limited and must comply with legal provisions.
7. Enforcement and Remedies
Unlike many modern data protection regimes, the Act does not establish a dedicated data protection authority or regulator. As a result:
Individuals aggrieved by privacy violations must file complaints directly with the relevant District Court within three months of the incident.
If a violation is proved, the Act provides for penalties, including imprisonment of up to 3 years, fines up to NPR 30,000, or both.
Victims may also seek compensation for damages resulting from privacy breaches.
8. Limitations and Areas for Reform
While the Individual Privacy Act represents a significant step toward protecting privacy rights in Nepal, several gaps remain:
i. No Independent Regulator
The Act does not establish a data protection authority to enforce compliance or handle breaches, leaving courts as the primary forum for enforcement.
ii. Limited Extraterritorial Reach
The law’s application to foreign entities or data processors operating outside Nepal remains unclear.
iii. Lack of Comprehensive Data Subject Rights
Unlike international frameworks such as the EU’s GDPR, the Act does not clearly articulate rights like data portability, erasure (“right to be forgotten”), or automatic breach notification.
iv. Undefined Roles for Data Controllers/Processors
The Act does not distinguish between data controllers and processors, which can create ambiguity for organizations handling personal data.
9. Practical Implications for Individuals and Businesses
For Individuals
The Act gives individuals legal grounds to protect personal data, challenge unauthorized disclosures, and seek remedies for privacy violations.
For Businesses and Public Bodies
Entities that collect or process personal data must:
Obtain informed consent;
Implement appropriate privacy safeguards;
Limit data usage to lawful purposes;
Train staff on privacy principles.
Non-compliance exposes organizations to legal risks, penalties, and reputational damage.
10. Looking Ahead: Evolving Privacy Landscape
Nepal’s privacy protection framework is evolving alongside technological and economic changes. Recent policy discussions have proposed the establishment of a Data Protection Board to enhance regulatory oversight and accountability, reflecting ongoing reform momentum.
Experts and rights advocates also urge updates to align Nepal’s privacy regime with global best practices, including detailed data subject rights and breach response mechanisms, to foster investor confidence and protect citizens in the digital age.
The Individual Privacy Act, 2075 (2018) marks a foundational milestone in Nepal’s legal framework for personal privacy protection. It translates constitutional privacy rights into actionable law, regulates data use, and provides remedies for violations. However, further reforms are needed to strengthen enforcement, define modern data rights clearly, and adapt to evolving digital realities.
For individuals and organizations navigating data privacy obligations in Nepal, professional legal guidance is essential to ensure compliance and uphold privacy rights effectively.
