Data & Privacy - Bhutan

The Information, Communications and Media Act 2018, enforced by BICMA, is Bhutan's broadest privacy-adjacent law. It covers online privacy, unsolicited commercial communications, and payment-transaction security for ICT and media service providers, but does not establish comprehensive data-subject rights or general data-processor obligations.

The Royal Monetary Authority issued sector-specific Guidelines on Data Privacy and Data Protection in 2021, binding on licensed financial institutions. These represent the most detailed data-handling obligations currently in force in Bhutan, but apply only to the financial sector.

Enacted by Parliament in 2023, the NDI Act establishes a self-sovereign identity framework (biometric digital wallet) giving citizens selective control over personal-data disclosure. It includes built-in data-protection principles for the national digital-identity system but does not constitute a general-purpose data protection law.

In 2024 BICMA issued a Code of Practice for Information Security, Cybersecurity and Privacy Protection for ICT Service Providers, extending specific security and privacy-protection obligations to regulated ICT operators under the ICMA framework.

Bhutan's government-published National Cybersecurity Strategy 2024–2029 explicitly identifies the lack of a dedicated data privacy law as a gap and calls for new or amended legislation covering data privacy and Critical Information Infrastructure Protection, signalling intent to legislate but no enacted law as of mid-2026.

Bhutan has no standalone Data Protection Authority. BICMA (under the Ministry of Information and Communications) oversees ICT/media privacy; the RMA supervises financial-sector data rules. There is no cross-sectoral supervisory body with general data-protection enforcement powers.