Privacy Laws in Nepal (2026): Privacy Act 2075 & Data Protection Guide

Privacy in Nepal is a constitutional right that finally became operational in 2018. Article 28 of the Constitution of Nepal 2072 (2015) declared the right to privacy of body, home, property, correspondence, and reputation inviolable. Three years later, the Individual Privacy Act 2075 (2018) translated that constitutional right into a working statute — defining personal information, setting out the obligations of public bodies and institutions handling that information, creating consumer rights of consent and rectification, and prescribing criminal penalties for breach. In 2026 the Act is the core privacy framework, with sectoral statutes (Banking, Telecom, Health, ETA 2063 cyber rules) layered on top.

This guide is the 2026 (2083 BS) practitioner's view of privacy laws in Nepal: the constitutional foundation under Article 28, the Individual Privacy Act 2075 architecture, the three core principles (authority approval, consent, right to be informed), Sections 23–28 obligations on data handlers, the rectification right under Section 28, the three-month strict limitation for filing complaints, the penalty band up to three years' imprisonment and NPR 30,000 fine, and how Alpine Law Associates handles privacy-breach matters from both complainant and defence sides.

Alpine Law Associates — Nepal Bar Council-registered privacy and digital-compliance team handling Privacy Act 2075 matters, data-breach defence, sectoral data-protection compliance and constitutional writ work.

Speak with our lawyers today →

What is the legal framework for privacy in Nepal in 2026?

Privacy law in Nepal sits in a layered framework. Article 28 of the Constitution of Nepal 2072 (2015) declares privacy a fundamental right — privacy of body, residence, property, document and data, correspondence, and character / reputation is inviolable and cannot be breached except as authorised by law. The Individual Privacy Act 2075 (2018) operationalises Article 28 through a working statute that defines personal information, sets out obligations on public bodies and institutions handling that information, creates consumer rights, and prescribes criminal penalties for breach.

Sectoral statutes layer on top of the Privacy Act for specific industries: the Electronic Transactions Act 2063 covers cyber-related privacy and data offences; the Banking and Financial Institutions Act 2073 imposes confidentiality obligations on banks; sectoral telecom rules govern subscriber data; the Health Insurance Act and medical regulations cover health data; the E-Commerce Act 2081 (2025) imposes consumer-data obligations on online businesses. Together they create the complete privacy compliance framework — but the Privacy Act 2075 is the central, sector-neutral spine that every entity handling personal information must follow.

Article 28 of the Constitution — the foundational right

Article 28 of the Constitution of Nepal 2072 reads (in essence): "Except in accordance with law, the privacy in relation to the person, residence, property, document, data, correspondence and character shall be inviolable." Six categories of privacy are constitutionally protected:

1. Body / person. Physical integrity, biometric data, medical information, sexual orientation, and bodily autonomy.
2. Residence. Home, premises, location data, real-time location tracking.
3. Property. Asset information, financial records, ownership data.
4. Documents and data. Personal files, records, written and electronic documents, databases.
5. Correspondence. Letters, emails, phone calls, text messages, instant messages, video calls — both content and metadata.
6. Character / reputation. Defamatory disclosure, exposure of private matters, intrusion into reputational interest — overlapping with the defamation framework, see our defamation law guide.

The "except in accordance with law" qualification means that lawful intrusions — search warrants, lawful surveillance under specific statutes, mandatory disclosure to regulators — are permitted within their statutory boundaries. Outside those boundaries, the constitutional right is enforceable through writ jurisdiction at the High Court and Supreme Court alongside the criminal and civil routes under the Privacy Act 2075.

Three core principles of the Privacy Act 2075

The Individual Privacy Act 2075 operates on three core principles that govern every interaction with personal information. These principles structure the obligations on data handlers and the rights of data subjects.

1. Approval from the Competent Authority. Where a public body or institution collects, stores, processes, or shares personal information, it must obtain authority from the prescribed competent person. This principle protects against unauthorised data handling within institutions and creates an accountability layer above the operational handler.
2. Consent from the data subject. Personal information cannot be collected, stored, processed, or published without the consent of the individual to whom the data relates. Consent must be informed (the data subject knows what data is being collected and for what purpose), specific (not general blanket consent), and freely given (not coerced or implied from inaction).
3. Right to be informed. The data subject has the right to know what personal information about them is held, by whom, for what purpose, and how it is being used. Data handlers must disclose this on request and provide access mechanisms for the data subject to verify.

The three principles work together. A data handler must have proper authority (principle 1), must obtain consent (principle 2), and must keep the data subject informed (principle 3). Failure on any one principle constitutes a breach.

Obligations on data handlers — Sections 23 to 28

Sections 23 to 28 of the Privacy Act 2075 codify specific obligations on entities handling personal information. The obligations apply to public bodies, institutions, companies, and individual data handlers regardless of the size of the operation.

• Section 23 — Authorisation requirement. Data collection, storage, processing, or publication must be conducted by an Authorised Person or designated official. Unauthorised handling — even by an employee within the institution — is a breach.
• Section 24 — Purpose limitation. Personal information collected for one purpose cannot be used for an unrelated purpose without fresh consent. A bank that collects customer data for account-opening cannot reuse it for unrelated marketing without separate consent.
• Section 25 — Storage and security. Data handlers must implement reasonable technical and organisational measures to protect personal information from unauthorised access, loss, alteration, or disclosure.
• Section 26 — Disclosure restrictions. Personal information cannot be disclosed to third parties except with the data subject's consent, under legal compulsion, or under specific statutory exceptions (court order, regulatory request, public-interest disclosure).
• Section 27 — Cross-border data transfer. Transfer of personal data outside Nepal requires compliance with safeguards — typically the data subject's specific consent and the foreign jurisdiction's adequate-protection framework.
• Section 28 — Right to rectification. Data subjects can request correction of inaccurate personal data by providing supporting evidence. Data handlers must process the rectification request within a reasonable time and confirm the correction to the data subject.

Data-subject rights under the Privacy Act 2075

The Act creates four principal rights for data subjects, supplementing the constitutional right under Article 28:

1. Right to consent. The data subject's consent is required before personal information is collected, stored, processed, or published. Consent must be informed, specific, and freely given.
2. Right to be informed. The data subject can ask what personal information is held, by whom, for what purpose, and how it is being used. Data handlers must disclose on request.
3. Right to rectification (Section 28). Where personal data is inaccurate, the data subject can request correction with supporting evidence. The data handler must process the request and confirm the correction.
4. Right to redress. Where any of the above rights is breached, the data subject can file a complaint at the District Court within three months and seek criminal prosecution, civil damages, and constitutional writ relief at the High Court.

The rights are individually enforceable and cumulative — a single breach can violate multiple rights, grounding parallel remedies. For broader consumer-rights frameworks see our Consumer Protection Act 2075 guide.

How a privacy breach is litigated in Nepal

1. Breach identification. The data subject identifies an unauthorised collection, storage, processing, or disclosure of their personal information. Documentation of the breach — screenshots, witness accounts, records of unauthorised access — is preserved.
2. Internal complaint to the data handler. Where the breach is by an institution or company, the first step is typically an internal complaint requesting cessation, deletion, and rectification. Many breaches are resolved here without formal litigation.
3. Pre-litigation legal notice. If the institution does not respond satisfactorily, a formal legal notice is sent to the data handler demanding cessation and compensation. The notice creates evidence of attempted resolution.
4. District Court complaint within 3 months. If the breach is not resolved, the aggrieved person files a complaint at the District Court of where the breach occurred or where the data handler operates. The complaint must be filed within 3 months of the incident — Section 29 of the Act sets a strict limitation.
5. District Court trial. The court hears evidence, examines whether the three core principles were respected, considers any defences (lawful authority, consent, public interest), and on conviction imposes punishment under Section 30.
6. Compensation order. Where harm is established, the court orders compensation alongside the criminal penalty. Compensation covers actual damages — financial loss, reputational harm, mental distress, and consequential losses.
7. Constitutional writ at High Court / Supreme Court. For systemic privacy violations or where the breach involves a fundamental-rights question, a writ petition can be filed at the High Court (Article 144) or Supreme Court (Article 133) for direct constitutional remedy. Writ jurisdiction runs in parallel to the District Court complaint.
8. Appeal. A District Court verdict can be appealed to the High Court within 35 days; further appeals lie to the Supreme Court on substantial questions of law.

Penalties under the Privacy Act 2075

Section 30 of the Act prescribes the penalty schedule:

• Imprisonment up to 3 years for serious breaches — unauthorised mass disclosure, breach by a person of trust, deliberate violation involving harm.
• Fine up to NPR 30,000 for the underlying breach offence; aggravated cases can attract higher fines under sectoral statutes running alongside.
• Compensation order alongside the criminal sentence. The court determines compensation based on actual harm — financial loss, reputational damage, mental distress, and consequential losses.
• Cessation and rectification orders requiring the data handler to stop the breach, delete unauthorised data, and rectify any inaccurate information.

Where the breach involves cyber elements — unauthorised electronic access, data interception, hacking — additional penalties under the Electronic Transactions Act 2063 run alongside. Where the breach is by a banking, telecom, or healthcare entity, sectoral penalties under those statutes apply additionally. The cumulative exposure for a serious privacy breach can be materially higher than the Privacy Act's headline numbers.

Common privacy breach scenarios in 2026

• Workplace data leakage. Employees of banks, hospitals, telecom, or government offices accessing customer / patient / citizen data without authorisation and disclosing or misusing it. Section 23 and 26 violations.
• Social-media exposure. Sharing private photos, messages, medical reports, or personal documents on social media without consent. Article 28 + Privacy Act + ETA 2063 cyber-defamation overlay.
• Surveillance camera misuse. CCTV footage accessed or shared by staff or third parties without authorisation; covert recording in private spaces.
• Telecom data disclosure. Telecom operators disclosing call records, location data, or subscriber information without proper authority. Sectoral telecom rules + Privacy Act apply.
• Health data breaches. Hospitals or doctors disclosing medical records or test results without patient consent. Particularly sensitive given the health-data category.
• Financial data leaks. Banks or finance companies leaking customer account information, transaction details, or KYC records. Banking-secrecy obligations under the Banking and Financial Institutions Act 2073 plus Privacy Act apply.
• E-commerce platform data misuse. Online platforms reusing customer data for unrelated purposes without fresh consent. E-Commerce Act 2081 + Privacy Act apply — see our E-Commerce Act guide.
• Private investigators / stalking conduct. Unauthorised data gathering, location tracking, or surveillance against an individual without lawful authority.

Defences in privacy breach cases

The Act recognises specific defences for data handlers facing privacy-breach allegations:

• Lawful authority. The collection, storage, or disclosure was carried out under a specific statutory authorisation — search warrant, court order, regulatory request, or compulsion of law.
• Data subject's consent. The data subject gave informed, specific consent for the activity. Documentary proof of consent (signed consent form, recorded acknowledgment, terms-of-service acceptance) is essential.
• Public interest. Disclosure was necessary in the public interest — investigative journalism on corruption, public-health emergency, prevention or detection of crime — within statutory boundaries.
• De-identified data. Where the data shared was sufficiently anonymised that the individual was not identifiable, privacy obligations may not apply. The threshold for "de-identification" is fact-sensitive.
• Procedural defects. The complaint was filed beyond the 3-month limitation, at the wrong forum, or without proper documentation.
• No actual identifying disclosure. The information disclosed did not allow the data subject to be identified — either inherently non-personal or the identifying context was absent.

Sectoral privacy compliance — banking, telecom, health, e-commerce

Specific industries face additional privacy obligations layered on top of the Privacy Act 2075:

• Banking and finance. The Banking and Financial Institutions Act 2073 imposes confidentiality obligations on banks and finance companies. Customer information cannot be disclosed except per specific exceptions — court orders, regulatory request from Nepal Rastra Bank, KYC sharing with credit bureaus, anti-money-laundering reporting. Breach attracts both statutory penalties and Privacy Act prosecution.
• Telecom. Subscriber data, call records, and location data are protected under sectoral telecom rules issued by Nepal Telecommunications Authority (NTA). Surveillance access requires proper legal authority; commercial reuse of subscriber data requires consent.
• Health. Medical records, test results, and patient information are protected by the Privacy Act plus medical-council ethics rules and health-insurance regulations. Doctor-patient confidentiality is both an ethical and legal obligation.
• E-commerce. The E-Commerce Act 2081 (2025) imposes specific disclosure and consent obligations on online platforms regarding consumer data. Cross-references with the Privacy Act apply.
• Government / public bodies. Public bodies handling personal information (passport offices, immigration, voter rolls, NID database) face the Privacy Act's strictest application. The Right to Information Act 2064 creates a parallel transparency framework that interacts with privacy obligations.

How can Alpine Law Associates help with privacy law matters?

Alpine Law Associates handles privacy work from both data-subject and data-handler sides. For data subjects whose privacy has been breached, we run the litigation as a sequenced engagement: limitation triage at intake (the 3-month window is critical), evidence preservation, internal complaint and pre-litigation legal notice, District Court complaint with criminal prosecution and compensation pleading, parallel constitutional writ at High Court / Supreme Court for systemic violations, and execution of compensation orders.

For data-handler defendants — companies, public bodies, banks, telecom operators, hospitals, online platforms — we structure defence around the Privacy Act 2075 defences (lawful authority, consent, public interest, de-identification), provide preventive-compliance advisory (consent management, internal authorisation policies, breach-response SOPs, sectoral compliance), and represent in District Court prosecution and any constitutional writ proceedings. As a full-service law firm in Nepal, we run privacy matters alongside related defamation, electronic-transaction, and sectoral compliance work.

Speak with our lawyers today →

Last reviewed: April 2026