Nepal has a weak data privacy regime and is among the world’s least regulated data regimes, which places an elevated obligation on the regulator to work rigorously on drafting a regulation for data privacy in Nepal.
Introduction
Our growing reliance on tech devices has undoubtedly made our lives more comfortable and faster. However, this advancement has also challenged the protection of our internet privacy, as there are numerous circumstances where we have been trading our data for free without acknowledging the consequences. Data has been regarded as the valuable mineral of this digital age. To ensure prudent mining of this mineral, there have been frequent regulatory efforts around the world to develop new policies and regulations that ensure and strengthen the fundamental privacy rights of individuals in this digital era.
Nepal cannot remain untouched by the technological upsurge, with the number of internet users increasing daily. The lack of awareness of digital privacy among the people has consequently resulted in free and unfettered trading of personal data. Further, there are also instances where personal data are largely compromised, and incidents of data breach have been observed more frequently. With the evolution of internet business and the government also delivering its services through digital media, it is high time to push for a swift effort in developing data privacy regulation in Nepal.
Existing Scenario
Nepal lacks comprehensive data privacy laws that regulate the privacy and security of users’ data. The Privacy Act, 2018 (2075) and The Privacy Regulation, 2020 (2077) are the major laws that deal with the privacy of the person. The Privacy Act ensures the privacy of a person’s personal information that remains in an electronic medium and restricts the obtaining of such information without the consent of the person concerned. The Privacy Act requires the consent of the person concerned before the collection and use of his/her data. Furthermore, when the data of any individual is collected, the Privacy Act mandates disclosure of details like the content of the information, the nature of the information, the objective of collecting it, and the assurance of maintaining the privacy of the collected information. It implies that the consent of the person concerned is mandatory in collecting and using the data; however, the term “consent” has not been defined, nor has any procedure been laid down in this regard.
The Privacy Act tends to distinguish between personal information and sensitive information, where the former includes any information linked with the person, like name, caste, address, contact details (phone number, email, etc.), marital status, religion, education, etc., and the latter covers information related to caste, ethnicity, political affiliation, and religious faith, among others. The distinction, however, does not tend to place any obligation in terms of security and protection. The only relevance of the distinction is to restrict the public body from processing such sensitive information which is under its control.
In the same way, the Privacy Act ensures the principle of integrity and confidentiality by ensuring the security of data under the control of entities. However, the Privacy Regulation only puts a general obligation to ensure the security of data. It fails to put forward any minimum security standards to be complied with by the entities to ensure the safety of the data, and it does not specify any regulatory authority to administer and enforce data privacy in Nepal.
Assessing privacy law
The Privacy Act also recognizes the principle of accuracy, where the individual can correct any information held by the public body if his/her information retained by such a body is incorrect or outdated. However, such correction applies only to public bodies and does not extend to private entities.
In conclusion, Nepal has a weak data privacy regime and is among the world’s least regulated data regimes, which places an elevated obligation on the regulator to work rigorously on drafting a regulation for data privacy in Nepal.
Way Forward
Primarily, the public should be aware of the importance of their data and should minimize trading it recklessly. The regulator of Nepal, on the other hand, needs to focus on the basic principles of data privacy in establishing a strong base for digital privacy in Nepal. The data privacy laws to be formulated should essentially ensure the fundamental principles of data privacy through the following fundamental compliance requirements:
a. Consent
Consent has been a triggering requirement around the world in data privacy. Consent is the fundamental requirement for anyone to collect and use the data of any person. The law should be clear on the form of consent (explicit, implied, written) for the collection and use of the various types of data.
b. Notification requirement
There are a lot of instances where data breaches have occurred in Nepal. However, only in minimal circumstances has notification been provided to the affected users. The laws should provide a proper timeline and notification requirement (to the user and the supervisory authority) under which the entity must notify the authorities and the user in the event of any data breach.
c. Formation of Data Protection Authority
A separate authority should be created to administer and enforce data privacy in Nepal. This authority will primarily be responsible for mandating minimum security standards to be complied with by the entities, and shall also audit the security systems of companies in a timely manner to ensure their compliance and point out any loopholes in their security systems.
d. Right of Data Subject
A Data Subject is a person whose data has been collected and processed. The general principle of data privacy ensures that the data subject should be provided certain rights to ensure his/her right to privacy and security. The data privacy regulation should introduce various rights of the data subject like the right to be informed, right to access their data, right of rectification, right to be forgotten (erasure of data), right to data portability, etc. These rights ensure that the ultimate controller of the data is the data subject him/herself.
e. Data Localization
Data localization has been a burdensome requirement for companies (especially foreign companies), as it requires setting up data centers, resulting in huge implications for the company. However, it is essential from the security perspective, as the native government will have easy access to the data stored on the local server. The regulator, in requiring a data localization obligation, may distinguish specific types of data (data of greater sensitivity) to be stored locally.
f. Cross Border Transfer of Data
The regulator may introduce an approval regime for transferring any specific type of data (having a greater sensitivity) outside Nepal. However, this will primarily require strengthening the native data privacy regime in the first instance.
g. Data Protection Officer (DPO)
DPOs look after the internal security system of a company to ensure compliance with data protection requirements through regular and systematic monitoring of the security system. It has been a general practice around the world that the appointment of DPOs is mandatory for organizations dealing with personal data at large. However, rather than putting in place a general mandatory DPO appointment requirement, the regulator should be mindful to distinguish between companies based on a specific user threshold or the core activities of the company, among others.
h. Data Breach Penalty
The prevailing law of Nepal fails to provide an adequate compensation mechanism, which has also resulted in negligent handling of personal data by companies. International practice in data privacy regimes shows harsher and greater fines. Hence, the fines and penalties must be severe for those companies who recklessly compromise the security of the people.
Nepal has a substantial opportunity to promote the positive effects of a digital society, with larger room for the growth of electronic businesses. However, this will also require the development of tech-friendly regulation along with the security of users’ data. The regulation should never be one-party centered and should always balance digital progress with the security of the concerned individuals at large.