Data protection & privacy laws in Nepal (2026)

The Individual Privacy Act, 2075 (2018) is Nepal's principal data-protection statute, applying generally to public bodies and corporate bodies. It came into force on 18 September 2018 and is operationalised by the Privacy Regulation, 2077 (2020).

Article 28 of the Constitution of Nepal (2015) makes privacy of body, residence, property, documents, data, correspondence and reputation a fundamental, inviolable right except as provided by law.

Neither the Act nor the Regulation creates an independent data-protection authority. There is no dedicated regulator; the District Court is the sole forum for privacy complaints, and a contemplated National Data Office serves only as a central data bank, not an enforcement body.

Collection, storage, analysis or publication of personal data requires the data subject's consent and may be used only for the stated purpose. Individuals have rights to be informed, to access, to rectification, to erasure, to object to processing of sensitive data, and to complain and seek compensation.

Sensitive personal information includes caste, ethnicity, origin, political affiliation, religious belief, physical/mental health, sexual orientation and property details (Sec. 27). The personal-data definition is narrower than GDPR — it does not expressly cover identifiers such as IP addresses, cookies or online behaviour.

Violations under the Privacy Act carry up to 3 years' imprisonment and/or a fine of up to NPR 30,000, with complaints filed at the District Court within 3 months. The Act lacks mandatory breach notification, data portability and clear cross-border transfer rules.

Privacy offences also appear in the National Penal Code 2074 (2017) and the Electronic Transactions Act 2063 (2008). A proposed IT Bill (pending since 2022) would add stricter obligations such as 48-hour breach reporting and higher penalties, but it has stalled amid free-expression concerns.