By Rupin Chopra and Apalka Bareja
The Internet revolution has opened the gates for states to exploit the digital landscape and leverage the benefits of the digital economy. The Internet has become a part of everything that we do, from communicating with our friends to conducting business. This virtual world has undoubtedly been a boon to mankind, but we can’t deny that it has its downside too.
In recent years, cyber security threats have increased tremendously, making states with weak data privacy regimes the most vulnerable. These security threats have the potential to damage the economic growth of a country and displace the whole data system of a nation in one go. Incidents of data breach also shake the trust of the public and make them doubt the capabilities of authorities in providing protection to their data. With over a billion people on the internet sharing their personal information, stringent data privacy laws have become the need of the day.
What is a data breach?
A data breach refers to a security violation wherein the personal, protected or sensitive information of an individual is leaked to a third party without his/her consent. The information may be related to his/her banking information, health records, trade secrets, etc.
In the past couple of years, data breach incidents have been frequently observed in Nepal, wherein customers’ data, including their names, phone numbers and mailing id, were leaked in public, raising concerns of data security and confidentiality among the public[1].
This piece will examine the laws and judicial precedents regarding data protection in Nepal.
The Constitution of Nepal, 2015[2]
The Constitution of Nepal has recognized the right to privacy as a fundamental right under Article 28. This inviolable fundamental right guarantees individuals the right to decide who may enter their residence and protects them from unauthorized intrusions. It also restricts a third party from using or disclosing their property, documents, correspondence, etc.
The Privacy Act, 2018 (“The Act”)[3]
Implementing the constitutional right to privacy, in September 2018, Nepal passed The Privacy Act, 2018, which had a major impact on data privacy and security in Nepal.
However, this is not a unified law on privacy and it must be read in conjunction with the general laws of Nepal, such as the Criminal Code and Civil Code.
The Act contains provisions regarding privacy of body, character, family, residence, property, document, data, correspondence and privacy through electronic means. The Act defines personal information to include caste, education, address, thumb impression, criminal background, etc., of a person. Such personal information cannot be collected or used except in accordance with law. The Act mandates taking prior consent from the person before using or collecting his/her personal information. Furthermore, The Act lays down a mandatory disclosure requirement to inform the concerned person about the purpose, objective, time, content and nature of the information so collected.
The Criminal Code of Nepal, 2017[4]
Part 3 Chapter 1 of the Code deals with offences against privacy. This chapter lays down various prohibitions, such as listening to or recording others’ conversations, divulging confidential information, taking or disfiguring a photograph of any person without his consent, selling photographs without consent, tapping telephone conversations, unauthorized entry into someone’s residence, etc. Section 298 specifically prohibits breaching the privacy of a notice, information or correspondence through electronic means by obtaining, transferring or causing it to be transferred in an unauthorized manner.
Nepal Rastra Bank Information and Technology Guidelines, 2012[5]
Data threats in the banking system are not uncommon in Nepal and, taking this into consideration, the Nepal Central Bank issued IT guidelines in 2012. The guidelines provide that banks should identify and document all electronic attacks and suspected electronic attacks in their systems and report them to Nepal Rastra Bank monthly. They also mandate that customers should be made aware of fraud identification, avoidance and protection measures.
Case laws
The courts are yet to interpret the provisions of The Privacy Act. However, the following cases give an insight into the courts’ stand in relation to privacy matters:
Baburam Aryal v. GON [N.K.P. 2074, 25][6]:
In this case, the Supreme Court of Nepal laid down that the right to privacy cannot be violated by a third party as it is a fundamental right granted under the constitution. The Supreme Court further ruled that matters relating to a person’s body, property, residence, documentation, etc., are inviolable except as permitted by law. An organisation or department collecting information must protect the data bank and avoid unauthorized access to such data bank.
Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2064, 1208][7]:
The Supreme Court of Nepal held that the right to privacy guaranteed under the Constitution of Nepal is a fundamental right and that information relating to a person can be shared by third parties only when prior consent has been obtained from the concerned person.
Drawbacks of existing Privacy law in Nepal
- Extra territorial effect
The Act is silent on its extra territorial effect and, as such, Nepali citizens who are victims of data attacks from outside Nepal have no place to go to for their grievances. In case of offences falling outside Nepal’s jurisdiction, all that the local government can do is work in coordination with the governments of other countries to punish those who are liable and mitigate such incidents in future.
- Regulatory Authority
There is a lack of a data protection regulatory authority in Nepal to administer and enforce data privacy laws. The Act only provides for complaints to be made to the District Court in reference to any offence under the Act within three months from the date of commission of the offence.
In order to make entities comply with the minimum security standards, to dig out loopholes and to keep the privacy laws relevant, a regulatory authority is a must.
- Notification requirement
There is no mandatory requirement in The Act for data breach notification either to the data subjects or to a regulatory authority. Whenever a data breach occurs, the affected person may never be notified of the breach of his information. There should be a proper timescale and threshold test for assessing the data breach incident for reportability to data subjects and regulatory authorities so that timely action can be taken in the event of any data breach.
- Right of Data Subject
The privacy law does not provide for data subjects’ rights such as the right to access their data, the right to erasure (right to be forgotten), the right to data portability, the right to object/opt out, etc. These rights ensure that the data subject has data security and has control over their data.
Moreover, there are no provisions ascertaining the duties and obligations of the data processor or data controller in The Act.
- Data Breach Penalty
The frequent incidents of data breach in Nepal are also the result of the lack of a robust compensation mechanism. In order to penalize the negligent behavior of companies who recklessly handle personal data and to compensate the victims, an adequate compensation scheme must be provided in The Act.
Way forward
In early 2019, the Nepal government tabled a bill relating to Information Technology (“IT Bill”). This bill contains provisions relating to confidentiality, privacy and data security in electronic form. The bill also contains penal provisions for displaying/publishing obscene material, acts against morality, etc. This IT Bill is expected to have a wide impact on social media use, tech innovation, surveillance, e-commerce, etc.[8]
Conclusion
The importance of privacy and data protection is increasingly recognized as most social and economic activities are taking place online. Various companies, digital platforms and even states have access to a plethora of personal and sensitive information of users, which they thrive on. As everything becomes extremely digitalized, nations must work on framing and implementing a robust and comprehensive data privacy law. The privacy laws in Nepal are still at a nascent stage and a lot more is required to be done by the law authorities to keep up with the digital security framework of other South Asian countries.
[1] https://kathmandupost.com/national/2020/04/08/vianet-suffers-data-breach-leaking-personal-customer-details-online
[2] https://www.mohp.gov.np/downloads/Constitution%20of%20Nepal%202072_full_english.pdf
[3] https://www.lawcommission.gov.np/en/archives/category/documents/prevailing-law/statutes-acts/the-privacy-act-2075-2018
[4] https://www.moljpa.gov.np/en/wp-content/uploads/2018/12/Criminal-procedure-code-Revised.pdf
[5] https://www.nrb.org.np/contents/uploads/2019/12/Guidelines-IT-Guidelines-2012.pdf
[6] https://www.dataguidance.com/notes/nepal-data-protection-overview
[7] https://www.globalhealthrights.org/wp-content/uploads/2013/09/SC-2005-Advocate-Sapana-Pradhan-Malla-v.-Office-of-Prime-Minister-and-Ors.1.pdf
[8] https://kathmandupost.com/national/2019/02/22/everything-you-need-to-know-about-the-governments-new-it-bill
Amisha Bhasin, Intern at S.S. Rana & Co. has assisted in the research of this article.