Nepal’s Personal Data Protection Policy 2082: What every citizen needs to know about their digital rights.
The new data protection framework, your rights as a digital citizen, and the gaps that still put your privacy at risk.
In 2026 (2082 BS), Nepal stands at a digital crossroads. As the Nagarik App integrates passports, licenses, and identity into a single digital ecosystem, and as digital payments become ubiquitous, a critical question emerges: Who owns your data, and who protects it?
The government has recently introduced the Personal Data Protection Policy 2082 (2025)—a landmark framework that promises to bring Nepal's scattered digital governance under legal discipline. For the first time, citizens have explicit rights to access, correct, and even delete their personal information. For the first time, a Data Protection Board is proposed to regulate how government and businesses handle your digital footprint.
But the picture is not entirely optimistic. The Information Technology and Cybersecurity Bill 2082, currently in Parliament, has been criticized by digital rights advocates for gaps that could undermine privacy rather than protect it. The new Policy, while aspirational, lacks enforcement mechanisms and leaves critical questions unanswered.
This post explains what every Nepali citizen—whether in Kathmandu or abroad, whether using smartphones or visiting cyber cafés—needs to know about their digital rights in 2026.
The 2026 Framework: Three Intersecting Laws
Nepal's data protection landscape in 2026 consists of three overlapping frameworks. Understanding their differences is essential:
| Legislation | Status | Key Provisions | Gaps |
|---|---|---|---|
| Individual Privacy Act 2075 (2018) | Currently Active | Defines personal/sensitive data; requires consent; prohibits unauthorized disclosure | No regulatory authority; limited rights; weak enforcement |
| Personal Data Protection Policy 2082 (2025) | Recently Promulgated | Proposes Data Protection Board; "right to be forgotten"; prior consent for transfers | Policy only (not Act); implementation unclear; board not yet operational |
| IT & Cybersecurity Bill 2082 | In Parliament (Pending) | Modernizes cybercrime provisions; addresses emerging threats | Criticized for incomplete privacy rights; vague "obscene content" definitions |
Important Distinction: The Personal Data Protection Policy 2082 is currently a policy document issued by the e-Governance Board, not a parliamentary Act. While it establishes important principles, it lacks the full legal force of legislation until Parliament enacts a corresponding Data Protection Act.
Your Digital Rights: What the New Policy Guarantees
For the first time in Nepali law, the Personal Data Protection Policy 2082 explicitly recognizes specific citizen rights over their personal information:
1. The Right to Access (Right to Know)
Under the Policy, you have the right to request and receive a copy of the personal data that any organization, government or private, holds about you. This includes:
- What specific data has been collected (name, address, biometric data, phone records)
- The purpose for which it was collected
- Who else has access to it or has received it
- How long it will be retained
Practical Application: When you register for the Nagarik App, you can request a complete data report showing exactly what information the government has linked to your National ID.
2. The Right to Rectification (Right to Correct)
If any organization holds inaccurate or incomplete information about you—whether a misspelled name, wrong address, or erroneous criminal record—you have the right to demand immediate correction.
3. The Right to be Forgotten (Right to Delete)
Perhaps the most significant new right: you can request the deletion of your personal data under specific circumstances:
- When the data is no longer needed for the original purpose it was collected (e.g., after a service contract ends)
- When you withdraw consent and there is no other legal basis for processing
- When the data was unlawfully processed (collected without proper consent or legal basis)
4. The Right to Restrict Processing
You can limit how organizations use your data—for example, permitting storage but prohibiting marketing use, or allowing record-keeping but blocking algorithmic profiling.
5. The "Minimum Necessary" Principle
The Policy establishes that government and businesses may only collect what is strictly necessary for the stated purpose. Random or excessive data collection is prohibited. When a business registers, for example, authorities cannot demand irrelevant personal details like family medical history or religious beliefs unrelated to the service.
What Data Is Protected? Understanding the Categories
The law divides your information into categories with different protection levels:
| Category | Examples | Protection Level | Consent Required |
|---|---|---|---|
| Personal Data | Name, address, phone, email, citizenship number, passport details, education, employment history | Standard | Informed consent required |
| Sensitive Personal Data | Caste/ethnicity, political affiliation, religious beliefs, physical/mental health records, sexual orientation, biometric data (fingerprints, retina scans), property details | Enhanced | Explicit prior consent mandatory |
| Public Data | Company registrations, published government statistics, public notices | Limited | Consent not required but usage regulated |
Critical Warning: Health records, financial information, and biometric data receive "enhanced protection" under the law. However, recent data breaches at companies like Vianet, eSewa, and Foodmandu demonstrate that technical security often lags behind legal requirements. Your data may be legally protected while remaining technically vulnerable.
The Enforcement Gap: Rights Without Remedies
While the Personal Data Protection Policy 2082 establishes impressive rights on paper, enforcement remains the critical weakness:
1. The Missing Data Protection Authority
Unlike the European Union's GDPR (which has dedicated Data Protection Authorities in each country) or India's Digital Personal Data Protection Act (which established the Data Protection Board of India), Nepal currently has no functioning Data Protection Authority.
The Policy proposes a Data Protection Board, but as of April 2026, this body has not been constituted. Until it is:
- There is no dedicated regulator to investigate complaints
- There is no standardized process for reporting data breaches
- There is no authority to audit government or corporate data practices proactively
- Your only recourse is the District Court—a lengthy, expensive process ill-suited to digital privacy disputes
2. Weak Penalties
Under current law (Individual Privacy Act 2075), violations attract:
| Violation | Maximum Penalty | Assessment |
|---|---|---|
| Unauthorized data processing | Up to 3 years imprisonment and/or NPR 30,000 fine | Inadequate deterrence for corporate violators |
| Data breach causing damage | Compensation as determined by court | Unpredictable; no statutory damages |
| Corporate data violations | Individual liability for officers; no corporate fines | No GDPR-style percentage-of-revenue penalties |
Compare this to the GDPR, where the top tier of administrative fines is up to EUR 20 million or 4% of a company's total worldwide annual turnover, whichever is higher. Nepal's penalties are insufficient to deter major tech companies from sloppy data practices.
3. The Time Limit Trap
If your privacy is violated, you must file a complaint with the District Court within 3 months of the violation. In an era where data breaches may not be discovered for years, this limitation period severely undermines accountability.
4. No Mandatory Breach Notification
Unlike jurisdictions such as the EU, where the GDPR requires companies to notify the supervisory authority within 72 hours of becoming aware of a breach and to inform affected individuals without undue delay when the breach poses a high risk to them, Nepal has no mandatory breach notification law. You may never know that your data has been leaked, sold, or stolen.
The Controversial IT & Cybersecurity Bill 2082: Threats to Privacy
While the Personal Data Protection Policy offers promise, the Information Technology and Cybersecurity Bill 2082—currently pending in Parliament—has raised alarms among digital rights advocates. Digital Rights Nepal's analysis identifies critical flaws:
| Provision | Criticism | Risk to Citizens |
|---|---|---|
| Clause 88(1): "Obscene Material" | No legal definition provided; subjective interpretation | Potential weaponization against journalists, artists, critics; chilling effect on free expression |
| Missing Data Subject Rights | No right to access, correct, delete, or object to data processing | Citizens cannot control their data despite constitutional privacy guarantees |
| Cross-Border Data Transfers | No clear rules for international data flows | Data may be transferred to jurisdictions with weaker protection without citizen knowledge |
| Undefined "Sensitive Infrastructure" | Government can designate "sensitive information infrastructure" by notification without criteria | Risk of arbitrary surveillance and overreach against critics or opposition |
| Data Retention (Clause 61) | 35-day destruction requirement unclear; ambiguity creates surveillance risk | Uncertainty for service providers; potential for unnecessary data retention |
Advocate Baburam Aryal, who petitioned the Supreme Court for data protection legislation nearly a decade ago, notes: "In today's world, data are a person's lifeline, so protecting them is crucial. But the government has not yet fully understood this. Until a separate law is enacted, concepts like e-governance or Digital Nepal will remain mere slogans."
What Citizens Can Do: Protecting Your Digital Self
Until robust enforcement mechanisms are operational, citizens must be proactive about their own data protection:
1. Exercise Your Rights (Even If Difficult)
- Request your data: When using the Nagarik App or any government service, formally request to know what data is being collected and how long it will be retained.
- Question "mandatory" fields: Not all fields on forms are legally required. Challenge requests for excessive information (e.g., family details for simple services).
- Withdraw consent: If you previously agreed to marketing communications or data sharing, formally withdraw that consent in writing.
2. Technical Self-Defense
- Use encrypted messaging: Use legitimate end-to-end encrypted platforms for sensitive communications (the Police have cracked down on unlicensed VoIP services, so avoid those). Note that end-to-end encryption protects message content in transit, not who you talk to, when, or what is stored on an unlocked device.
- Monitor your digital footprint: Regularly check whether your email addresses or passwords have appeared in known leaks using a breach notification service such as Have I Been Pwned, and change any password that shows up.
- Minimize data exposure: When using digital services, provide only the minimum information required, and never hand over more of a secret than a check actually needs.
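The two points above, checking a breach notification service and minimizing what you expose while doing so, are combined in the k-anonymity "range" lookup used by Have I Been Pwned's Pwned Passwords API. The client hashes the password with SHA-1 locally, sends only the first five hex characters of the hash, receives every hash suffix in that range with its breach count, and finishes the match on its own machine, so the service never learns the password or its full hash. The code below is an added example written for this article, not code from the original page or from Have I Been Pwned; the endpoint URL and the `SUFFIX:COUNT` response format are assumed to match the live service, and the sample response body is constructed (its counts are made up) so the demonstration runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Assumed live endpoint of the Pwned Passwords range API (not called in the offline demo).
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed locally and never sent whole."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the 5-char prefix is the only thing transmitted."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse lines of the form 'SUFFIX:COUNT' into a suffix -> count map.

    Padded responses (Add-Padding: true) contain filler lines with count 0;
    they parse fine and simply never match a real password.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network fetch of one hash range (only used for a live check)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of known breaches containing the password (0 means not found).

    `fetch` is injected so the lookup can be exercised offline against a
    constructed response body.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the range containing the
# well-known SHA-1 of "password"). The counts are invented for the demo.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0000000000000000000000000000000000A:0
1D2A94F4E9C2F7D3B5A6C8E0F1A2B3C4D5E:12
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(candidate)
        hits = check_password(candidate, offline_fetch)
        print(f"{candidate!r}: sent prefix {prefix}, found in {hits} breach records")
```

Replacing `offline_fetch` with the default `fetch_range` performs the real query; even then the only value that leaves your machine is the five-character prefix, which is shared by hundreds of other hashes.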
3. Legal Recourse (Know the Process)
If your data is violated:
- Document everything: Screenshots, emails, call recordings (where legal)
- File a police complaint: Under the Electronic Transactions Act and the Individual Privacy Act
- Approach the District Court: Within 3 months of the violation
- Contact the National Information Commission: For government data breaches under the Right to Information Act
Warning: When approaching government offices for data-related complaints, do not carry personal data on unsecured devices; a device with full-disk encryption and a strong lock screen limits what can be read from it. If officials ask to inspect your phone or demand your passwords or account access, be aware that they are legally barred from accessing your social media passwords or email accounts under Section 47(2) of the IT Bill 2081 (reiterated in 2082).
Special Concerns for the Diaspora
For Nepalis abroad, data protection takes on additional dimensions:
- Cross-border data transfers: When you use the Nagarik App from Australia, the UK, or the US, your data crosses jurisdictions with different protection levels. The new Policy lacks clarity on extraterritorial protection.
- Consular data: Embassies collect extensive biometric and personal data for passport renewals. How this is shared with Kathmandu remains opaque.
- Remittance data: Financial information flowing through digital payment systems creates detailed profiles of your economic activity that may be accessible to tax and security agencies.
The diaspora technical community has a unique role here: advocating for data protection standards that meet international norms, and potentially contributing expertise to build secure systems that protect citizen privacy by design.
The Path Forward: From Policy to Protection
Nepal's Personal Data Protection Policy 2082 is a necessary but insufficient step. To truly protect digital rights, the government must:
- Constitute the Data Protection Board immediately: Rights without enforcement are illusions. The Board must have investigative powers, technical expertise, and independence from political interference.
- Amend the IT/Cybersecurity Bill: Remove vague "obscene content" clauses; add explicit data subject rights; establish mandatory breach notification; create corporate liability for data violations.
- Extend the limitation period: Three months is inadequate for data breaches that may remain hidden for years. A limitation period of at least two years, running from discovery of the violation rather than from the violation itself, would give affected citizens a realistic chance to act.
- Increase penalties: Introduce percentage-of-revenue fines for corporate violators to create genuine deterrence.
- Enable class actions: Allow collective legal action for mass data breaches (like the Vianet or eSewa incidents).
"Data is the new oil, but unlike oil, it can be stolen without disappearing from your possession. You may never know it is gone until it is too late."
Has your data been mishandled by a Nepali company or government agency? Have you successfully exercised your right to access or delete your information? Share your experience to help others navigate this new landscape.