Nepal’s legal system has undergone massive changes recently. Nepal became a federal republic following the promulgation of the new constitution in 2015. Further, new Civil and Criminal Codes were introduced in 2017. They are considered a milestone in the modernization of Nepal’s legal system.
Article 28 of the Constitution has declared the right to privacy and protection of information as a fundamental right. Although privacy was protected in some way under the Criminal Code, the Individual Privacy Act 2018 (“Privacy Act”) was introduced with the purpose of giving effect to the constitutional right.
1. Criminal Code Provisions
The Muluki Criminal (Code) Act 2017 has a separate chapter on offences against privacy. The Criminal Code criminalizes conduct such as unauthorized tapping of a voice conversation, breach of confidentiality, taking and editing photos of a person without consent, breach of privacy of information in electronic media, unauthorized search of the body or belongings of a person, and trespassing.
These are considered private criminal cases, and the state will not prosecute the case on behalf of the victim. The victim has to file a complaint at the relevant District Court within 3 months from the date of the event. The Court can impose a fine of up to 30,000 Nepalese rupees or imprisonment of a maximum of 3 years. Further, the victim will also be entitled to compensation.
2. The Privacy Act
The Privacy Act became effective from 18 September 2018. The Privacy Act seeks to ensure the right to privacy of the body, residence, property, documents, data, communication and character of a person, and states how private information available and stored in public entities will be utilized, along with the liabilities for breach. However, the Privacy Act also duplicates many provisions that are already stipulated in the Criminal Code. Although overlapping laws are not desirable, victims may choose to file complaints under either of the two laws.
3. Definition of ‘Personal Information’
The Privacy Act defines the following information as personal information:
- Caste, ethnicity, birth, origin, religion, race or marital status of an individual;
- Educational qualification of an individual;
- Address, telephone or email address of an individual;
- Passport, citizenship number, national identity card number, driving license number, election identity card number or any other details provided by a public entity;
- Letter sent or received by a person which states personal information;
- Thumb impression, palm lines, retina of eye, blood group or biometric information of a person;
- Criminal background and punishment served by a person for any criminal offense; and
- Matters relating to the nature of the opinion or view presented by any professional or expert during a procedure to render a judgement in any decision-making process.
This definition is relatively restrictive compared to the approach of the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data 1980 (“OECD Guideline”) and the EU General Data Protection Regulations 2016 (“GDPR”).
The OECD Guideline and GDPR define personal data as any information relating to an identified or identifiable person. GDPR lists identifiers that can help to identify the person, such as name, identification number, location data, online identifier and other aspects such as the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
In contrast with the OECD Guideline and GDPR, Nepalese law has taken a restrictive approach, as it specifies the types of personal information without leaving room for wider interpretation.
4. Scope of the Privacy Act
A. Privacy of body, family life and residence
The Privacy Act ensures privacy over the body and private life of every person. Accordingly, any information related to a person’s physical and mental state is inviolable except in relation to health examination or emergency rescue.
The Privacy Act further recognizes the genetic identity of a person, sexual orientation, sexual life, fertility of a person and other related information as personal information.
Similarly, the right to privacy is broad enough to cover privacy relating to family life, and information related to the private lives of spouses is inviolable unless any related information is required during court proceedings between them.
In addition, section 5 of the Privacy Act prohibits body search of any person without consent unless required for criminal proceedings conducted with proper authority.
Trespassing is also prohibited by the Privacy Act. No one can enter the residence of a person without consent. Entering someone’s residence without consent, however, will not amount to a violation at the time of disaster management or emergency rescue.
Furthermore, the Privacy Act has incorporated a provision criminalizing the installation of CCTVs in the residence of a person without consent.
B. Privacy of property, data and communication
The Privacy Act provides stronger protection of information related to property owned by an individual. Information related to the property of a person is private, and it cannot be disclosed without consent.
In addition to the protection of various private information, the Privacy Act aims at regulating unauthorized and haphazard collection of data and information. The consent of a person is now required before collection of private information, and even if consent is acquired, the collected data should only be used for the purpose for which it was collected, pursuant to section 12.
Section 13 of the Privacy Act concerns the confidentiality of communication by letter, email or any other medium of communication between persons, which is also provided for in the Criminal Code. The Privacy Act has criminalized activities such as taking or selling a photo, editing a photo to create a new one, merging photographs, or publishing such a photo without the consent of the concerned person.
The Privacy Act does, however, provide a margin of consideration to press and media houses, since publication and dissemination of information, data and photos of a person holding or retired from a public office, or of a public figure, for public interest, transparency and news is not treated as an offence.
Despite this, since the Privacy Act does not define ‘public figures’, and amid the unchecked growth of online media in Nepal, it will be a challenge to safeguard private individuals. On the other hand, media may be faced with frequent challenges to clarify that their coverage is indeed related to the public interest.
C. Data collection and preservation
The Privacy Act prohibits collection, storage, preservation, analysis, processing or publication of data without the approval of an authorized person or a person acting under the authority of such person. However, information can be collected for the purpose of study or research on any specific issue with the permission of the related person.
For the purpose of study, matters such as the time of information collection, the subject matter of the information, the nature and purpose of the data, the methodology of information collection and the protection of the collected information have to be disclosed to the concerned person beforehand.
This requirement creates added responsibility for businesses operating primarily on the internet, as they collect data from their users on a regular basis. Further, their responsibility will also extend to limitations on data sharing with third parties.
D. Responsibility of the public entities
The new law puts a huge responsibility on public entities to protect and preserve the data in their control. They are restrained from handing over such data to any other person or entity without the consent of the concerned person.
The Privacy Act excludes certain information related to a person holding a public office as an exception to the above. This includes information related to identification of the public office where one is employed, contact information related to the public office, the name and position of a person as stated in letters or documents issued by a public entity, details of the work executed by such person, and issues related to the terms and conditions of the service.
Further, the Privacy Act has restricted the processing, or causing the processing, of sensitive data in the control of a public entity. The following are termed sensitive data:
- Caste, ethnicity and origin of a person
- Political affiliation
- Religion or faith of a person
- Physical or mental health of a person
- Sexual orientation
- Property details
These data can only be processed during the diagnosis, treatment, management of public health and delivery of the health service to a person and if such data has been made public by the concerned individual themselves.
An individual has the right to have information related to them held by a public entity corrected if such data are wrong or not based on true facts. However, to have such information corrected, the individual should not have received any benefits based on such data.
E. Offences and filing of complaints
Violation of the Privacy Act is treated as a criminal offence for which criminal proceedings can be initiated either as a private criminal case or a state party criminal case.
The government of Nepal can initiate cases on offences relating to activities such as conducting a body search without a warrant, taking a photograph without consent, espionage, unauthorized use of drones, collection of, or changes to, personal information by any person other than an authorized person or a person acting with his/her approval, collection of data without disclosing the purpose, and unauthorized collection of personal information. Recourse for other violations will have to be sought by the victim themselves.
For the violation of other provisions, an individual can file a complaint at the respective district court within 3 months from the date of the cause of action. The victim is further entitled to damages caused by the violation.
The offender is liable to imprisonment of up to 3 years, a fine of up to NPR 30,000, or both, with additional departmental punishment if the offender is a person holding a public office.
5. Issues of Concern
A. Overlapping provisions in the Privacy Act and Criminal Code
The Privacy Act embodies many provisions similar to those of the Criminal Code, and the two laws have certain overlapping provisions.
Firstly, the Criminal Code sets out a specific punishment for each offence, unlike the Privacy Act, which states that violation of the Privacy Act will result in a fine of up to NPR 30,000, imprisonment of a maximum of 3 years, or both.
The provisions on punishment for the same kind of offence under the Criminal Code and the Privacy Act are divergent. For instance, if anyone commits an offence related to unauthorized search of the body or belongings of a person without consent, the offender would be liable to imprisonment of up to 1 year, a fine of up to NPR 10,000, or both under the Criminal Code, whereas the offender, if prosecuted under the Privacy Act, would be liable to imprisonment of up to 3 years, a fine of up to NPR 30,000, or both.
Secondly, the Criminal Code states that all offences provided for therein are to be filed as private party cases, whereas the Privacy Act states that offences like body search without a warrant and taking a photograph without consent are to be prosecuted by the state.
These issues will create ambiguities in the filing of cases and in seeking a specific remedy for violation of the Act.
B. Failure to cover emerging issues of data protection
There are certain important aspects which the Privacy Act has failed to address. The definition of personal data only incorporates specific forms of data. With the existing definition, the Privacy Act doesn’t leave any room for a wider interpretation of personal data. For example, while an email address is considered personal data, an IP address, or even a social network or website of a person, will not be considered personal information if the definition is interpreted in a strict sense.
Importantly, the Privacy Act does not define or specify some of the vital concepts in data protection, such as “controller” and “processor”. The Privacy Act does not make any distinction between a controller and a processor of data. This will make data management, data protection and liability for breach of privacy difficult in practice.
The Privacy Act gives the government of Nepal the power to frame the rules necessary to implement the Privacy Act. It is yet to be seen how far the rules will clear the ambiguities of the Privacy Act, but it can be hoped that they will give way to better implementation of the protection of privacy of a person and data management.
Authors: Anjan Neupane (Partner) and Saurav Karki (Associate); First published by DataGuidance.