Personal privacy is not only stored in public bodies; private bodies also contain a large amount of personal data. In the digital age, data has become the new oil, fueling innovation and economic growth.
It is true that the privacy of the persons concerned and the confidentiality of their personal information should be respected and protected.
However, the exponential rise in data collection and processing has also exposed individuals to unprecedented privacy risks.
As Nepal continues its digital transformation journey, it is imperative to have a robust legal framework that safeguards citizens’ personal information, regardless of whether it is held by public bodies or private entities.
The Privacy Act, 2075 (2018), while a commendable step forward, falls short in providing comprehensive protection, particularly when it comes to holding private companies accountable for data breaches.
The Privacy Act, 2075 (2018), imposes stringent obligations on public bodies to implement reasonable security measures and protect personal information under their control.
Section 25 of the Act mandates that public bodies take appropriate measures to prevent unauthorized access, use, disclosure, or transmission of personal data.
Individuals can seek compensation from public bodies for damages resulting from non-compliance with these provisions.
However, the Act overlooks a crucial aspect: the role of private companies in data protection. While the definition of “public bodies” encompasses government entities, constitutional bodies, and state-owned enterprises, it fails to address the responsibilities of purely private companies that collect and process vast amounts of personal data daily.
In today’s digital landscape, companies across sectors collect and analyze personal data to enhance their products, services, and marketing strategies.
From e-commerce platforms to ride-sharing apps, fitness trackers to social media networks, personal data has become the lifeblood of countless businesses.
The absence of a legal framework holding these private entities accountable for data breaches and inadequate security practices leaves individuals vulnerable and without recourse.
If Section 25, which currently refers to public bodies, is amended, then a person can file suit against the hacker for failing to adequately protect the personal data under its control, which led to the data breach and subsequent damages to the individual.
It will also mandate private bodies to make their data safe, ultimately creating a safe data system in Nepal.

Amending the Privacy Act: A Necessity

Amending the Privacy Act of Nepal to extend data protection obligations to private companies has become an urgent necessity in the present situation.
To bridge this critical gap, the Privacy Act, 2075 (2018), must undergo amendments to include provisions that hold private entities accountable for data breaches and inadequate security practices.
This is not the only major part that should be amended; many other aspects also need to be amended.
Firstly, the amended Act should expand the definition of “public bodies” or introduce a separate category that encompasses private companies engaged in collecting and processing personal data.
This expansion would bring such private data handlers under the purview of the law’s data protection requirements. Secondly, the amended Act must impose clear obligations on private companies to implement reasonable and appropriate security measures, conduct regular risk assessments, and promptly notify affected individuals in the event of any data breaches.
By mandating these measures, the law would ensure that private companies prioritize data security and maintain transparency with their customers.
Thirdly, individuals must be granted the statutory right to seek compensation from private companies for any damages or losses resulting from non-compliance with the data protection obligations stipulated in the amended Act.
This provision would empower consumers and create a legal deterrent for companies to uphold data privacy standards.
The amended Act should provide clear guidelines and best practices for data collection, processing, and storage, promoting transparency and accountability while minimizing unnecessary regulatory burdens on businesses.
Furthermore, the amendments should pave the way for establishing a dedicated Data Protection Authority tasked with overseeing compliance, investigating complaints from individuals, and imposing penalties on private companies found in violation of the data protection laws.
This independent regulatory body would strengthen enforcement and ensure accountability across sectors.
By incorporating these crucial elements, the amended Privacy Act would comprehensively address the existing gap and extend robust data protection standards to both public bodies and private companies operating in Nepal’s digital landscape.
It is necessary to strike a balance between fostering innovation and protecting individual privacy.
Moreover, if we observe Section 12(4) – Privacy relating to data, this section only prohibits the sharing or publication of certain personal data without the consent of the individual.
However, it needs to be expanded or clarified to address specific types of personal data that have gained prominence in recent years, such as browsing history, location data, and metadata from digital communications.
Likewise, Chapter 9 – Electronic Means and Privacy: This chapter addresses privacy concerns related to electronic means, including CCTV cameras and drones.
However, it may need to be updated or expanded to address emerging technologies and practices, such as facial recognition, biometric data collection, and the use of artificial intelligence for processing personal data.
Similarly, Chapter 10 – Collection and Protection of Personal Information: This chapter outlines rules for the collection, processing, and protection of personal information by public bodies.
However, it must be revised to incorporate principles such as data minimization, purpose limitation, and data retention limits, which have become increasingly important in modern data protection frameworks.
Likewise, Chapter 11 – Offenses and Punishment: This chapter outlines offenses and penalties related to privacy violations.
However, it may need to be reviewed and updated to ensure that the penalties are commensurate with the potential harm caused by privacy breaches, particularly in the context of large-scale data breaches or misuse of personal data by corporations or other entities.
As Nepal embraces digital transformation, it is imperative to have a comprehensive legal framework that protects citizens’ personal information, regardless of whether it is held by public bodies or private entities.
By amending the Personal Privacy Act, 2075 (2018), Nepal can safeguard the digital rights of its citizens, foster trust in the digital economy, and position itself as a leader in data protection in the region.