
Data and Privacy Protection in Nepal: A 2026 Legal Guide

Advocate Suman Dhungana
January 23, 2026

 In an era of rapid digital transformation, personal data has become one of the most valuable assets held by both public authorities and private organizations. At the same time, the risks of data misuse, unauthorized access, and privacy infringement are growing, spotlighting the urgent need for clear and effective privacy protection laws in Nepal.

This article explains the current legal landscape of data protection and privacy in Nepal, identifies key legal instruments, outlines compliance obligations, highlights enforcement challenges, and explores recent calls for legislative reform.  

 

1. Constitutional Foundation of Privacy Rights

Article 29 of the Constitution protects the right to privacy: the privacy of a person and of their residence, property, documents, records, statistics and correspondence, and their reputation, is inviolable. The Constitution of Nepal thereby recognizes privacy as a fundamental right, protecting individuals against unlawful interference with their personal information, communications, residence, and reputation. This constitutional guarantee provides the legal basis for all privacy and data protection laws in the country.


2. Core Legal Framework for Data Protection

Unlike many countries with comprehensive standalone data protection laws, Nepal’s data privacy regime is fragmented across several statutes. Key laws that govern various aspects of privacy and personal data protection include:

a.      The Individual Privacy Act, 2075 (2018)

This is the principal privacy law in Nepal, focusing on the protection of personal information and private data. It defines protected personal information broadly to include details such as identity information, contact details, biometric identifiers, correspondence, education records, and even opinions or views expressed by an individual.

The Act also regulates:

  i. Collection, storage, and processing of personal data

  ii. Required consent and purpose specification

  iii. Obligations of authorized bodies collecting data

  iv. Security safeguards against unauthorized use

  v. Rights to correct and update inaccurate personal information

 

b.      Privacy Regulation, 2077 (2020)

This subsidiary regulation provides procedural guidance for enforcement and interpretation of the Privacy Act but does not create a separate regulatory authority.

 

c.      Electronic Transactions Act, 2063 (2008)

This law deals with electronic records, digital signatures, and cybersecurity measures, requiring reasonable security practices in digital environments and giving legal effect to electronic transactions.

 

d.      National Penal (Criminal) Code, 2074 (2017)

The Penal Code criminalizes unauthorized access, interception, disclosure of private communications, and breaches of privacy involving recording or distributing personal data without consent.


3. What Constitutes Personal Data?

Under the Privacy Act, personal information spans:

  1. Basic identifiers like name, address, contact information, and identity card numbers

  2. Biometric data such as fingerprints and retinal scans

  3. Personal correspondence and documents

  4. Criminal or legal history

  5. Opinion and professional evaluations linked to an individual

This scope is often considered narrow compared to international frameworks like the GDPR, which includes broader categories of personal and sensitive data.


4. Consent, Collection, and Data Handling

Entities — whether public bodies or private organizations — must receive explicit, informed consent before collecting and processing personal data. Information provided to individuals at the time of collection must disclose:

  1. What data is being collected

  2. Why it is needed

  3. How it will be used

  4. How it will be secured

Information cannot be processed or shared for purposes other than those communicated without fresh consent.


5. Obligations of Data Collectors

Organizations that handle personal information bear responsibility for:

  1. Securing data against unauthorized access and breach

  2. Maintaining proper documentation and privacy safeguards

  3. Ensuring transparent use and limiting processing to lawful purposes

Individuals can also request correction of inaccurate or outdated information held about them by a data collector.


6. Enforcement and Complaint Mechanisms

The current legal framework does not establish an independent data protection authority to oversee compliance. Complaints and disputes must generally be brought before the district courts or through existing judicial mechanisms under privacy and criminal laws.

This enforcement structure has led to practical challenges in data protection compliance, with limited capacity for audits, oversight, and penalty imposition.


7. Penalties for Privacy Breaches

Violations of privacy provisions can lead to:

  • Fines (e.g., up to NPR 30,000)

  • Imprisonment (up to 3 years)

  • Compensation for damages caused by misuse of personal data

Penalties can apply to individuals and entities that handle personal data without obtaining consent or fail to protect collected information.


8. Gaps and Limitations in the Current Law

Despite existing protections, Nepal’s data protection framework has notable shortcomings:

  • No extraterritorial jurisdiction: Laws do not clearly address foreign entities collecting Nepalese citizens’ data without a local presence. The law has strictly maintained that foreign entities must store the data they collect in local data centres in Nepal.

  • Lack of an empowered regulator or data protection authority.

  • Absence of detailed rights for data subjects, such as access, erasure (“right to be forgotten”), data portability, or objection rights.

  • No explicit breach notification requirement to alert affected individuals or authorities in case of a data breach.

  • Limited clarity on private sector obligations compared to public bodies.

These gaps have raised concern among legal experts and digital rights advocates about Nepal’s readiness to protect personal data in the digital age.


9. Judicial Interpretations and Emerging Case Law

Nepal’s courts have affirmed privacy as a fundamental right, emphasising that personal data and communications must be protected from unwarranted intrusion. Landmark decisions in Baburam Aryal v. The Government of Nepal [N.K.P. 2074, 25], Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2064, 1208], Roshani Poudel et al. v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2077, 1232], and Adv. Baburam Aryal et al. v. Government of Nepal, Office of Ministers and Council of Ministers et al. [N.K.P. 2074, D.N. 9740] have reinforced that unauthorized use of data, digital or physical, violates constitutional rights and cannot be justified without a basis in law.


10. Reform and Best Practices

Legal scholars and policy advocates have called for:

  • A comprehensive dedicated data protection law aligned with international standards

  • A data protection authority with regulatory powers

  • Clear rights for data subjects and detailed enforcement mechanisms

  • Mandatory breach notification requirements

  • Provisions governing cross-border data transfers and data controller / processor obligations

These reforms would close critical gaps in the current framework and align Nepal more closely with global practices such as those in the EU and other jurisdictions.


Nepal’s approach to data protection and privacy is still evolving. While the Constitution and existing laws provide important protections, the absence of a comprehensive, modern, enforceable privacy regime limits both legal certainty and practical data safeguards. Businesses, public bodies, and organisations operating in Nepal must carefully navigate this complex landscape to ensure compliance and protect individual privacy. As digital engagement deepens and data risks grow, reform efforts are essential to fulfilling privacy rights in the digital age.