
Alpine Law Associates is the leading full-service law firm encompassing a wide range of legal practices located in Kathmandu, Nepal. It consists of a team of the country's best lawyers, each with expertise in their respective fields, tailored to meet clients' specific needs.

Office Address

Anamnagar-29, Kathmandu

Phone Number

+977 9841114443

Email Address

info@lawalpine.com

Data Protection Law in Nepal 2026 — Business Impact

Nepal's data-protection framework operates across multiple statutes rather than a single dedicated Act. The constitutional anchor is Article 28 of the Constitution of Nepal 2015 (right to privacy of body, residence, property, documents, data and correspondence). The principal instruments are the Privacy Act 2075 (2018) and the Individual Privacy Regulation 2077 (2020). Parallel criminal provisions sit in Penal Code 2074 Sections 293–298 (eavesdropping, professional confidentiality, photography, broadcasting). The Electronic Transactions Act 2063 (2008) Section 47 covers digital privacy offences. A pending IT and Cybersecurity Bill 2082, tabled in the House of Representatives on 14 August 2025, would replace the ETA 2063 and add a 35-day data-destruction rule under Clause 61. Nepal currently has no dedicated data-protection regulator and no statutory breach-notification obligation.

This is the 2026 (2082/83 BS) guide to data protection law in Nepal — the constitutional anchor, the Privacy Act 2075 framework, Penal Code parallel offences, the ETA 2063 digital-privacy provisions, the pending IT and Cybersecurity Bill 2082, sectoral rules (NRB IT Guidelines, NTA IT Policy 2080), and business compliance practice. For e-commerce context see our e-commerce business registration guide.

Quick answer — Data protection in Nepal (2026):

  • Constitutional anchor: Article 28 — right to privacy of body, residence, property, documents, data and correspondence.
  • Principal statute: Privacy Act 2075 (2018) + Individual Privacy Regulation 2077 (2020).
  • Consent: required for collection, recording, disclosure or processing of personal information (name, phone, address, biometrics, health, financial).
  • Privacy Act penalty: up to 3 years' imprisonment and NPR 30,000 fine for unlawful collection, disclosure or processing.
  • Penal Code 2074: Sec 293 eavesdropping (2 yrs + NPR 20K), Sec 294 professional confidentiality (1 yr + NPR 10K), Sec 295 unauthorised photography (1 yr + NPR 10K).
  • ETA 2063 Sec 47: publication of illegal electronic material (5 yrs + NPR 100K).
  • Pending IT and Cybersecurity Bill 2082: tabled 14 Aug 2025, replaces ETA 2063, Clause 61 requires 35-day data destruction.
  • Gaps: no dedicated regulator, no breach-notification rule, no data-subject access / correction / deletion rights, no cross-border transfer rules.


Our corporate team advises businesses on data-protection compliance across three streams — privacy-policy drafting for websites, apps and KYC-heavy services (banking, fintech, insurance, telecom); breach response when a leak, scrape or insider exfiltration has occurred (no statutory notification rule, but reputational and litigation risk is real); and sectoral compliance (NRB IT Guidelines for BFIs, NTA IT Policy 2080 for telecom, sector-specific health and education guidelines). The pending IT and Cybersecurity Bill 2082 will materially expand obligations once enacted — businesses should map their current practices against the Clause 61 35-day destruction rule and the consent / disclosure framework now.

What does Article 28 protect?

Article 28 of the Constitution of Nepal 2015 — Right to Privacy — guarantees the right to privacy in the body, residence, property, documents, data, correspondence and character of every person. The express inclusion of "data" places Nepal among the countries whose constitution recognises data privacy as a fundamental right. Article 28 is justiciable through the writ jurisdiction of the High Court (Article 144) and Supreme Court (Article 133), and is the constitutional anchor for the statutory framework that follows — the Privacy Act 2075 operationalises Article 28 in detailed obligations and penalties.

What is the Privacy Act 2075?

The Privacy Act 2075 (2018), with the Individual Privacy Regulation 2077 (2020), is Nepal's principal data-protection statute. It covers collection, recording, storage, processing, use, analysis and disclosure of personal information of persons residing in or located in Nepal — defined to include name, address, telephone, biometric data, health information, financial information, citizenship and identification details. Consent is required for collection, recording, processing and disclosure. Penalty for unlawful collection, disclosure or processing is up to 3 years' imprisonment and NPR 30,000 fine. The Act applies to government, private and not-for-profit entities operating in Nepal.

What does the Penal Code 2074 say about privacy?

The Muluki Aparadh Sanhita 2074 codifies privacy offences in Sections 293–298. Section 293 — unauthorised eavesdropping or recording of conversations — up to 2 years' imprisonment and NPR 20,000 fine. Section 294 — divulging professional confidential information (medical, legal, banking, insurance, accounting) — up to 1 year and NPR 10,000. Section 295 — unauthorised photography of another person — up to 1 year and NPR 10,000, rising to 2 years and NPR 20,000 for publication of disfigured or modified photographs. The Penal Code provisions run in parallel with the Privacy Act 2075 — a single act of unlawful disclosure can attract both charges, with the heavier penalty governing.

What is the IT and Cybersecurity Bill 2082?

The IT and Cybersecurity Bill 2082 was registered in the House of Representatives on 10 June 2025 and tabled by the Communications Minister on 14 August 2025. It will replace the Electronic Transactions Act 2063 (2008) with a consolidated framework covering electronic records, digital signatures, cybercrime and data handling. Clause 61 requires entities to inform individuals about data use and to destroy data within 35 days of the purpose being fulfilled. The Bill is currently in amendment / public-comment phase. Significant gaps flagged by Digital Rights Nepal: no data-subject rights (access, correction, deletion, objection), no cross-border data-transfer rules, and no breach-victim complaint mechanism.

What are the consent requirements under the Privacy Act 2075?

Section 12 and adjacent provisions of the Privacy Act 2075 require informed, freely given consent from the data subject for the collection, recording, processing or disclosure of personal information. The Individual Privacy Regulation 2077 elaborates the form and timing of consent. Consent must specify the purpose, scope, recipients and retention period. Implied consent or pre-ticked consent boxes are typically insufficient for sensitive data categories (health, biometric, financial). For business, this means privacy notices on websites, app onboarding flows, and KYC processes must capture explicit consent and document it. Withdrawal of consent must be honoured.

Does Nepal have a data-protection regulator?

No. Unlike India (Data Protection Board under the DPDP Act 2023), the EU (national DPAs under GDPR) or the UK (ICO), Nepal does not have a dedicated data-protection regulator. The Privacy Act 2075 is silent on a regulator — enforcement runs through the District Court (criminal prosecution under Privacy Act and Penal Code Sec 293–298) and the High Court / Supreme Court writ jurisdiction (constitutional remedy under Article 28). For sectoral matters, the relevant sectoral regulator (NRB for banking, NTA for telecom, IRD for tax data) is the operational supervisor. A dedicated regulator under the pending IT and Cybersecurity Bill 2082 or a separate data-protection statute is on the policy agenda but not yet enacted.

What are the sectoral rules?

Three sectors have specific data-handling rules. Banking and financial — NRB IT Guidelines 2012 require confidentiality, integrity and availability controls, with mandatory IT audit and incident-reporting to NRB. Telecom — NTA IT Policy 2080 (2023) sets data-handling obligations for licensed operators, with NTA as the supervisor. Healthcare — patient confidentiality runs through the Nepal Medical Council Code of Ethics and the Patients' Rights provisions of the Public Health Service Act 2075. Education — no comprehensive sectoral statute, but the Ministry of Education has published student-data-protection guidance for institutions. Businesses in regulated sectors must comply with both the Privacy Act 2075 and their sectoral rules.

What should a business do to comply?

The compliance checklist runs to five items. (1) Publish a privacy notice on the website, app and customer onboarding describing data collected, purpose, retention, sharing and contact for grievances. (2) Capture explicit consent before collection — separate consents for marketing and for sharing with third parties. (3) Limit collection to the minimum data needed for the stated purpose. (4) Maintain access controls on personal-data systems and a documented incident-response plan. (5) For BFIs, telecom and healthcare, comply with the sectoral regulator's IT / data guidelines. Prepare for the IT and Cybersecurity Bill 2082 Clause 61 35-day destruction rule by mapping data flows now.

When should you involve a lawyer?

For privacy-policy drafting (website, app, KYC processes) and consent-framework design; for breach response (advisory on disclosure, regulatory engagement, litigation defence); for sectoral compliance (NRB IT, NTA telecom, healthcare patient data); for incident investigation following an employee leak, insider exfiltration or external attack; and for advance planning around the pending IT and Cybersecurity Bill 2082. To get advice on a data-protection or privacy matter, speak with our lawyers today.

Last reviewed: May 2026

Frequently Asked Questions

Does Nepal have a data-protection law?

Yes — Privacy Act 2075 (2018) + Individual Privacy Regulation 2077 (2020), anchored in Constitution Article 28. Penal Code 2074 Sec 293–298 and ETA 2063 Sec 47 provide parallel offences. Pending IT and Cybersecurity Bill 2082 will replace ETA 2063.

What are the penalties for a privacy violation?

Up to 3 years' imprisonment and NPR 30,000 fine under the Privacy Act 2075. Penal Code Sec 293 (eavesdropping) up to 2 yrs + NPR 20K. ETA 2063 Sec 47 up to 5 yrs + NPR 100K.

Is breach notification mandatory in Nepal?

No statutory breach-notification rule. The Privacy Act 2075 does not require notification to data subjects or to a regulator. Voluntary disclosure is often advisable but not mandated.

What does Article 28 of the Constitution protect?

Article 28 of the Constitution of Nepal 2015 guarantees the right to privacy in the body, residence, property, documents, data, correspondence and character of every person. The express inclusion of "data" places Nepal among the countries whose constitution recognises data privacy at the constitutional level. Article 28 is justiciable through High Court (Article 144) and Supreme Court (Article 133) writ jurisdiction, and is the constitutional anchor for the Privacy Act 2075.

What does the Privacy Act 2075 cover?

The Privacy Act 2075 covers collection, recording, storage, processing, use, analysis and disclosure of personal information of persons residing in or located in Nepal. Personal information is broadly defined — name, address, telephone, biometric data, health information, financial information, citizenship and identification details, and any data identifying a person. The Individual Privacy Regulation 2077 sets operational detail on consent, storage, processing and disclosure. The Act applies to government, private and not-for-profit entities.

What are the consent requirements?

Section 12 and adjacent provisions of the Privacy Act 2075 require informed, freely given consent from the data subject for the collection, recording, processing or disclosure of personal information. Consent must specify the purpose, scope, recipients and retention period. Implied consent or pre-ticked consent boxes are typically insufficient for sensitive data categories (health, biometric, financial). For business, this means privacy notices on websites, app onboarding flows, and KYC processes must capture explicit consent and document it. Withdrawal of consent must be honoured.

What is the IT and Cybersecurity Bill 2082?

The IT and Cybersecurity Bill 2082 was registered in the House of Representatives on 10 June 2025 and tabled by the Communications Minister on 14 August 2025. It will replace the Electronic Transactions Act 2063 (2008) with a consolidated framework covering electronic records, digital signatures, cybercrime and data handling. Clause 61 requires entities to inform individuals about data use and to destroy data within 35 days of the purpose being fulfilled. The Bill is currently in amendment / public-comment phase. Significant gaps flagged: no data-subject rights, no cross-border transfer rules, no breach-victim complaint mechanism.

What does Penal Code Section 293 cover?

Section 293 of the Muluki Aparadh Sanhita 2074 criminalises unauthorised eavesdropping or recording of conversations. The offence covers covert audio recording, telephone tapping, and surveillance interception. Penalty up to 2 years' imprisonment and NPR 20,000 fine. The section is the principal anti-eavesdropping provision in Nepali criminal law and runs in parallel with the Privacy Act 2075 — a single act of unlawful recording with disclosure can attract both charges. Lawful interception by Nepal Police / NID under court order is exempted under the standard exceptions.

Does Nepal have a data-protection regulator?

No. Nepal does not have a dedicated data-protection regulator equivalent to India's Data Protection Board, the EU's national DPAs under GDPR, or the UK's ICO. The Privacy Act 2075 is silent on a regulator — enforcement runs through the District Court (criminal prosecution) and High Court / Supreme Court writ jurisdiction (constitutional remedy under Article 28). For sectoral matters, the relevant sectoral regulator (NRB for banking, NTA for telecom, IRD for tax data) is the operational supervisor. A dedicated regulator is on the policy agenda.

Are there cross-border data-transfer rules?

Nepal currently has no comprehensive cross-border data-transfer statute. The Privacy Act 2075 does not impose specific localisation or transfer-mechanism requirements. Sectoral rules apply — banking data must comply with NRB IT Guidelines including any localisation conditions; telecom data is subject to NTA directives. For Nepal-based businesses using global cloud services (AWS, Google Cloud, Azure), the cross-border transfer is a current practical reality with no statutory bar but no specific safe harbour either. The pending IT and Cybersecurity Bill 2082 does not currently address cross-border transfer (a gap flagged by civil society).

What do the NRB IT Guidelines require of banks?

The NRB IT Guidelines 2012 require licensed banks and financial institutions (BFIs) to implement confidentiality, integrity and availability controls on customer and operational data; conduct annual IT audits; report security incidents to NRB; maintain business-continuity and disaster-recovery plans; restrict third-party data sharing; and apply role-based access controls. The Guidelines operate under NRB's general supervisory authority and are enforced through periodic inspection. BFIs facing a data incident must coordinate with NRB on response and reporting, even where the Privacy Act 2075 itself does not require notification.

Is health data protected?

Yes — through three overlapping frameworks. The Privacy Act 2075 covers health information as personal information requiring consent for processing and disclosure. The Penal Code 2074 Section 294 covers professional confidentiality (medical, legal, banking) — unauthorised divulging is criminalised. The Public Health Service Act 2075 patient-rights provisions and the Nepal Medical Council Code of Ethics impose confidentiality on medical practitioners. Hospitals and clinics face exposure across all three regimes for unauthorised disclosure; the practical compliance focus is on access controls, written consent forms, and staff training.

How does data protection apply to e-commerce platforms?

E-commerce platforms in Nepal are subject to the Privacy Act 2075 and Regulation 2077 like any other business — privacy notice, consent, lawful basis, secure storage. The E-Commerce Act 2081 (2024-25) supplements with platform-specific obligations on grievance redressal, refund policy and seller registration but does not displace the data-protection framework. Cross-border e-commerce (Nepali consumers buying from overseas platforms) sits in legally ambiguous space — the consumer remains protected by the Constitution Article 28 but enforcement against an overseas platform is practically limited.

Is there a right to erasure?

The Privacy Act 2075 does not codify a "right to erasure" / "right to be forgotten" of the kind in GDPR Art 17 or India's DPDP Act 2023. A data subject can withdraw consent (which should stop further processing) and can request deletion as a courtesy, but there is no statutory enforcement of a deletion right. The pending IT and Cybersecurity Bill 2082 Clause 61 introduces a 35-day data-destruction obligation once purpose is fulfilled — this is closer to a mandatory deletion but still not a data-subject-initiated right. For now, deletion requests rely on the controller's voluntary compliance and the implicit consent-withdrawal framework.

Are cookie banners required?

Nepal has no cookie-banner statute equivalent to the EU's ePrivacy Directive. The Privacy Act 2075 captures online tracking to the extent the tracker collects personal-identifying information requiring consent. Best practice for Nepal-based websites — particularly those with EU or US-resident users — is to implement a GDPR / CCPA-style cookie banner regardless of Nepali statutory minimum, given the cross-border audience. For Nepal-only audiences with no PII collection via cookies, the legal minimum is lower, but a clear privacy notice referencing cookies is recommended for transparency.

What is CERT-NP's role?

Nepal's national Computer Emergency Response Team (CERT-NP) operates under the Department of Information Technology to handle cybersecurity incident response and coordinate sectoral responses. CERT-NP is not a data-protection regulator — it focuses on technical incident response, vulnerability advisories and capacity building. Where a data breach has a cybersecurity dimension (ransomware, intrusion, data exfiltration), CERT-NP coordinates with Nepal Police Cyber Bureau on investigation and with sectoral regulators on response. CERT-NP advisories are publicly published and businesses should subscribe.

How is government data collection regulated?

Government data collection — for citizenship, passport, tax, social security, criminal records — operates under the relevant statutory authority (Citizenship Act 2063, Passport Act, Income Tax Act 2058, Social Security Act 2074, etc.). The Privacy Act 2075 applies to government entities; specific exceptions exist for law enforcement, national security, and statutory functions. Constitution Article 28 governs the constitutional limits on government surveillance and data retention, but operational rules on inter-agency data sharing are less developed than in jurisdictions with comprehensive data-protection frameworks.

Is biometric data protected?

Biometric data — fingerprints, facial recognition, iris, voice — is captured by the Privacy Act 2075's definition of personal information and is subject to the same consent and disclosure rules. Nepal's National ID Card (Rashtriya Parichaya Patra) collects biometric data under the National ID and Civil Registration Act 2076; the framework includes biometric-data-handling obligations on the Department. Private-sector biometric collection (corporate access control, banking liveness verification) is subject to the Privacy Act framework, with consent and security controls being the principal obligations. Sensitive-data treatment in international privacy frameworks (GDPR Art 9) is not formally replicated in Nepal.

What remedies does a privacy-breach victim have?

Three routes. (1) Criminal prosecution at the District Court under the Privacy Act 2075 (up to 3 yrs + NPR 30K) and Penal Code 2074 Sec 293–298, with ETA 2063 Sec 47 carrying up to 5 yrs + NPR 100K. (2) Civil damages claim under the Civil Code 2074 framework for the loss caused by the privacy breach. (3) Constitutional writ under Article 28 + Article 46 / 133 at the High Court / Supreme Court for fundamental-rights violation, particularly where a government entity is the respondent. The three routes can run in parallel where appropriate.

When should you involve a lawyer?

For privacy-policy drafting (website, app, KYC processes) and consent-framework design; for breach response (advisory on disclosure, regulatory engagement, litigation defence); for sectoral compliance (NRB IT, NTA telecom, healthcare patient data); for incident investigation following an employee leak, insider exfiltration or external attack; and for advance planning around the pending IT and Cybersecurity Bill 2082. A lawyer also drafts data-processing agreements with vendors, employee confidentiality clauses, and breach-notification protocols.

Disclaimer:
This article is intended solely for informational purposes and should not be interpreted as legal advice, advertisement, solicitation, or personal communication from the firm or its members. Neither the firm nor its members assume any responsibility for actions taken based on the information contained herein.
