Data vulnerability in Nepal
Legal safeguards are essential to ensuring ethical data handling by domestic and foreign entities.
NEWAL CHAUDHARY
The rapid adoption of digital technologies in Nepal has increased the generation and collection of personal data from citizens. However, the country lacks comprehensive legislation for data protection, exposing it to potential misuse and abuse. Recent incidents have demonstrated the real-world consequences of the policy failure on data protection. During the Covid-19 pandemic, government and private agencies collected extensive health data from citizens seeking tests or vaccines. The pandemic became an excuse to normalise disregard for Nepali citizens' fundamental rights to data privacy. The citizens had no control over their sensitive medical and personal information. No guarantees prevented their data from being shared with third parties, retained indefinitely, merged with other datasets, or used for unauthorised surveillance or profiling.
Cross-border transfer
Cases of tech giants acquiring major Nepali startups have further amplified fear over data protection. When Chinese and Indian firms purchased platforms like Daraz and Sastodeal, Nepali users' data came under foreign corporate control without explicit consent. Moreover, regulators couldn’t do much due to the lack of data localisation protections or cross-border transfer restrictions. Citizens were concerned about the risk of their personal information being accessed or processed in ways that violated their rights. There were widespread calls for the government to enact a comprehensive data protection law establishing clear consent requirements, purpose limitations and restrictions on excessive data collection, retention and sharing. Legal safeguards must be set to give Nepalis control over their data as well as ensure ethical handling of the data.
Nepal’s open data flow leads to citizens being subject to surveillance regimes like India's Central Monitoring System and China's cybersecurity laws without democratic checks. This results in users’ personal data being exploited, monetised and potentially manipulated by the state and corporate actors. These dangers came to pass in the Cambridge Analytica scandal during Nepal's 2017 elections. Because there was no empowered data regulator, the unethical influencing of voters’ choices through psychographic profiling and targeted disinformation could not be investigated. The data of Nepalis were weaponised against their interests with impunity. The recent Ncell and NTC data breaches compromised citizens' financial information, call records, location data, etc. However, without security standards, Nepal Telecom faced no penalties from any empowered authority for such negligence. Citizens worldwide are now asserting control over their data through consent requirements, minimisation protocols, purpose limitations, etc. However, Nepal remains deprived of these internationally recognised rights. Comprehensive norms must be enacted for obtaining informed consent, collecting minimal data, retaining it only for limited purposes and imposing stiff penalties for violations.
The responsibility of enforcing such standards cannot be left to profit-oriented corporations. An independent statutory body like Ireland's Data Protection Commissioner must guarantee citizens' rights in Nepal's digital transformation. Relying on self-regulation is optimistic to the point of recklessness. Despite undeniable urgency, no data protection bill has been tabled for parliamentary debate in Nepal. The policy paralysis compromises citizens' privacy, dignity and autonomy as increasing facets of their lives migrate online. India, Thailand, Taiwan, Sri Lanka and Pakistan have already enacted forward-thinking data protection laws.
Ambiguous law
Nepal is arguably where India was 10 years ago in data protection consciousness. India recognised privacy as a fundamental right in 2017 and operationalised a Data Protection Bill in 2019, which the parliament has now ratified. Nepal's Supreme Court has yet to affirm privacy as a constitutional right; recognising privacy as a constitutional right differs from recognising it as a fundamental right. Fundamental rights are considered essential natural rights that predate the Constitution and do not depend on the constitutional provision, though they may be enshrined. They are universally applicable moral principles rather than just legal protections. In contrast, constitutional rights are guaranteed and protected by a country's constitution and are legally enforceable by constitutional law against state infringement. While there are overlaps, all fundamental rights may not be fully codified as constitutional rights.
Privacy is increasingly recognised as a fundamental human right globally based on human dignity and autonomy principles. However, only some constitutions explicitly guarantee the right to privacy. The significance is that fundamental rights set a moral benchmark for legal systems. Constitutional rights formally entrench selected fundamental rights into enforceable supreme law but do not supersede the broader scope of fundamental rights.
There can be gaps where certain fundamental rights may lack unambiguous constitutional protection. India's Supreme Court ruling affirmed privacy as a fundamental right intrinsically protected under the right to life, establishing it as a broad moral benchmark for India's constitutional system even before its codification as an explicit constitutional right. Nepal lacks an express constitutional guarantee of privacy and a definitive Supreme Court ruling affirming privacy as a fundamental right. This results in greater ambiguity around privacy protections in Nepal.
Stakeholder consultations have occurred since 2018 on the data protection framework, but the process remains stalled at the drafting stage due to political instability and lack of urgency, enabling significant harm. The risks will multiply as an increasing amount of citizens' intimate personal data is collected across public and private domains, from social media use to government ID databases. Data is power, and its deregulation is dangerous. Failure to legislate data protection risks further erosion of privacy amidst digital transformation. The state must protect citizens' rights online and offline.