To start a culture of protecting data, Nepali consumers have to demand accountability and transparency from the organizations that collect their data.
Data is becoming the new oil. Governments are under substantial pressure from citizens to protect their data. Organizations such as Google, Facebook and Apple make daily headlines for manipulating consumers' data by selling it to marketing agencies.
Many countries in the world are looking at Huawei with suspicion. They are concerned that the company might be used by China as a tool of espionage. If the allegations are true, the main tool for spying will be the consumer data collected by Huawei. But while the world is concerned about data protection, the government in Nepal does not seem to take this issue seriously.
Case of Nepal
In Nepal, data protection is governed by the Privacy Act (2018). But it is not in line with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Owners of hotels, travel agencies, and financial institutions do not seem to know much about protecting their customers' data. If they are caught breaching data protection, they could face heavy fines under data protection laws such as Europe's General Data Protection Regulation.
Essential tests
The standard followed by even large corporate organizations in Nepal is below the international standard of practice. Waiting for the law and asking businesses to follow it might take a long time. But if consumers themselves demand accountability from these organizations to protect the data, it might take less time. Businesses will not want to compromise consumers’ trust.
There are cultural misconceptions regarding data protection. It is commonly viewed as an IT issue. Cyberattack is viewed as the premier threat. While these common views are true to some extent, other facts are most often not realized. Internationally, cyber security and data protection overlap under the same umbrella. Data protection is not only an IT issue. It should be incorporated into every business process in every department and unit. The concept of privacy by design and default is increasingly being accepted by data protection laws around the world. To understand the necessity of data protection, it is crucial to understand the impact of a data breach. The common impact of a data breach on an individual is financial loss, identity theft, and mental and physical distress. The impact of the breach on the organization could be regulatory sanctions and a lack of customers’ trust resulting in loss of business. The cases of property loss through identity theft are alarming, to the extent that the government has classified property-related data as high priority in the Privacy Act 2018.
Lax law
However, the Privacy Act has failed to address key issues in privacy and data protection. First, the definition of personal data is restrictive and narrow. For example, it classifies education and academic qualifications in the same category as biometric details such as thumb impressions. In the case of a breach of such data, the impact of losing thumbprint impressions is much higher than the impact of losing academic qualification details. Second, it does not establish a supervisory authority to monitor compliance. In the case of a consumer complaint, the only measure is to file a legal case in the District Court, which can be time-consuming and expensive. For organizations to take data protection responsibly, it is crucial to have an authority that can address the issue in a short time and free of cost. The right to privacy and protection of information is a fundamental right under Article 28 of the Constitution. To exercise this fundamental right, Nepalis should not be forced to pay or wait to file their concerns and complaints. Third, the enforcement measures are weak. The maximum penalty is NRs 30,000 ($300) or three years of imprisonment. The penalty is feeble when weighed against the impact of the data loss.
Awareness and demand for accountability by consumers themselves are the initial steps to force organizations to take responsibility for protecting consumer data. Goodwill and customers’ trust are crucial for any business. The primary responsibility for protecting the data falls on the organization that decides on the data: what to collect, how to store it, and so on. Hence, consumers should be made aware through privacy notices of how the data collected will be used, stored, transferred, and deleted after the purpose has been fulfilled. It is the right of consumers to demand transparency, as personal data is the personal property of its owner.
In Nepal, financial institutions need data awareness the most. Due to the nature of the business, banks collect sensitive data that can pose a high risk to the rights and freedoms of individuals. The greatest threat of data loss or a breach is the insider threat, mainly from members of staff. The loss or breach can be intentional or unintentional, but the impact of the loss on individuals will always be huge. Data processed and stored in paper format (which is the case in Nepal) is always at high risk.
Thus consumers need to be aware when sharing their data and demand accountability from any organization that collects, uses and processes their data. People and employees should demand transparency from organizations regarding the use of their data. Data, whether it is simply an educational qualification or an email address, is the personal belonging of its owner and, like other personal property, should not be allowed to be processed without the owner’s knowledge. The only way forward to start a culture of protecting data in Nepal is for consumers themselves to demand accountability and transparency from the organizations that collect their data.
The author, who holds an LLM in International Human Rights Law with a specialization in Privacy Law from Oxford Brookes University, UK, is a certified information privacy professional for Europe and works at a consulting firm based in London.