Nepal is standing at a very critical time regarding the realm of digital transformation. The protests led by Gen-Z this year were not all about politics; rather, they were about trust and accountability. A generation that grew up online now feels it must get openness, equity, and accountability from both governmental and private institutions. That demand, I believe, must extend to how Nepal governs one of the most valuable resources of the 21st century: Data.
Though we have constitutional guarantees of privacy and access to information, data-governance architecture remains fragmented, with citizens facing growing risks of data misuse and businesses conducting activities amidst uncertainty, while state institutions retain sweeping powers over collection and surveillance.
The government recently introduced the Personal Data Protection Policy, 2082 (2025) (PDPP), which is a welcome step, but its success depends on whether it can translate fine promises into enforceable rights.
A Patchwork System in Need of Reform
Nepal's data and privacy regime today remains a fragmented framework of overlapping acts and directives, many of which are outdated or inconsistently applied. The Constitution of Nepal under Articles 27 and 28 enshrines both the right to privacy and the right to information as fundamental rights, signalling a national commitment to personal dignity and transparency. Yet in practice, these twin ideals often pull in opposite directions.
The Electronic Transactions Act, 2063 (2008) was Nepal's first major digital-era legislation which recognized electronic signatures and criminalized hacking. However, it also granted the investigation agencies with sweeping powers to confiscate devices. Later, the Privacy Act, 2075 (2018) along with the Individual Privacy Regulation, 2077 (2020) defined personal and sensitive data, but it did not guarantee essential rights to information, erasure, rectification, or access. Whereas, the Right to Information Act, 2064 (2007) prescribes a proactive disclosure of information by public bodies, without digitized record-keeping and open-source systems, even well-intentioned government officials are unable to access information in a timely manner. Further, the Social Media Directive, 2080 (2023) focused more on restricting speech in the name of protecting national interest rather than protecting user data.
Together, these laws reflect the openness paradox: a situation where the government wants to collect more data while limiting both privacy rights and access to public information, resulting in a system where citizens’ data is overexposed and government information remains largely inaccessible.
Learning from the World
Two-day Huawei Digital Nepal Conclave 2022
Recently, a comparative joint regional study was conducted under LIRNEasia across South and Southeast Asia, placing Nepal's progress in perspective with the likes of India, Sri-Lanka, Pakistan, Thailand, Indonesia and Philippines. These are all developing countries that face constraints similar to Nepal in terms of state capacity, institutional maturity, and regulatory constraints. Each country has something valuable to teach from their own experiences about how to protect the citizens while promoting innovation.
The Digital Personal Data Protection Act, 2023 of India requires clear use consent by individuals for processing their personal information and mandates breach notification, though it also provides notable exemptions for the performance of state functions, certain employer uses, responding to medical emergencies, compliance with any judgment or order and few other specified purposes. Sri Lanka's Data Protection Act, 2022, stresses state-independent oversight via a national data protection authority. Meanwhile, Singapore's Personal Data Protection Act and Malaysia's PDPA 2010, supported by the government's MyDigital Blueprint, illustrate that robust data-privacy enforcement and digital economies can coexist in harmony.
Global examples such as the European Union's General Data Protection Regulation (GDPR) and the OECD Privacy Guidelines are often cited as reference points for rights-based data governance, but its economic impact remains the subject of ongoing debate. Critics argue that excessive regulation may constrain innovation and growth, particularly for smaller firms and developing economies. It is on the basis of such models that Nepal can now draw and fit into its democratic and institutional realities, learning primarily from developing countries while taking in mind the differences in state capacity and enforcement ability.
Reclaiming Openness and Control
One of the shortcomings of Nepal’s data governance laws is their failure to incorporate "openness" into their data governance framework. Openness here is not limited to one meaning. It includes access to all nonsensitive government data for citizens and businesses, which supports transparency, accountability and rule of law. And it also includes the use of open standards and interoperable systems that promote competition, innovation and vendor neutrality. At the same time, openness must be accompanied by safeguards to ensure that personal data is protected from unwarranted intrusion by the state or corporate agencies.
Therefore, true openness leads to meaningful control over their own information, such as the ability to know who uses it, consent meaningfully, correct errors, and to demand deletion when appropriate. Privacy and openness are closely connected parts of the same democratic ideal or complementary to each other, but balancing them requires careful judgment as discussed in the research paper. Openness in government data strengthens democratic accountability, while openness for citizens over their own data safeguards individual liberty.
The Digital Nepal Framework 2019 envisions this dream by considering digital priority sectors such as health, education, agriculture, and finance, including promoting interoperability across agencies. Key databases are being linked through platforms such as the Nagarik App via the Government Integrated Data Centre (GIDC), which has started making digital services accessible to millions. Yet integration without protection is risky. In the case of government data use, where the state is often a monopoly provider of essential services, consent alone cannot serve as an adequate safeguard. Instead, limits on government use of personal data grounded in necessity and proportionality, along with clear transparency obligations that inform what data is being used and why, are essential to prevent digital systems from amplifying vulnerability rather than reducing it.
The Promise and Pitfalls of PDPP
The recently promulgated Personal Data Protection Policy, 2082 (2025) addresses many issues put up by the research of civil society. It thus proposes a Data Protection Board and advocates for consent, accountability, and transparency.
It borrows language from global frameworks like the GDPR. However, much of it is only aspirational language. While the exclusion of rights such as the right to be forgotten, data portability guarantees, and mandatory breach notifications does not undermine the core of the data protection regime, it does limit the policy’s ability to respond to contemporary risks and expectations. Even where the policy recognises certain rights, it remains unclear how citizens would actually exercise such rights in practice, or how private companies are made accountable for misuse of personal data.
Additionally, it also leaves important questions around the limits on surveillance and judicial oversight undefined. More fundamentally, the effectiveness of any rights framework depends less on the number of rights declared and more on whether those rights can be enforced. A narrower set of clearly defined rights, supported by institutional mechanisms and judicial remedies that are realistically enforceable, may therefore prove more effective than an expansive but weakly implemented framework. Without such focus on enforceability of these rights, along with the openness framework, risk remaining aspirational, and the PDPP risks becoming another well-intentioned document that never reaches implementation.
Why Timing Matters
Digitization in Nepal is picking up pace, wherein QR payments, ride-sharing applications, e-commerce, Nagarik App, and e-governance applications have made their place in everyday life. But with rapid progress comes new risks when legal safeguards lag behind technological change. Neighboring countries have already paid the price for overlooking cybersecurity and privacy from large-scale data leaks linked to public databases like Aadhar in India, to financial cyberattacks in Bangladesh, and repeated breaches affecting public and private institutions across the regions.
An open and digital state is one that empowers citizens, not one that surveys over them and exposes them to avoidable harm. If Nepal fails to act now, a continued delay in modernizing its data governance framework will erode both public trust and investor confidence.
The Way Forward
Based on the comparative research and the field findings, a few reforms are pressing, and the PDPP should inculcate them into law. Firstly, the laws of Nepal must define personal data, sensitive data, and non-personal data to avoid ambiguity and ensure legal certainty. Then, we must also ensure the availability of rights, which include access, correction, erasure, restriction, portability, breach notification, and clarity over data localization and cross-border transfer.
The principles of necessity, proportionality, and judicial authorization are what should guide government access to private data to prevent the misuse of surveillance powers. It is equally imperative that an independent Data Protection Authority be independent, well-resourced, and shielded from any type of political influence to investigate violations and enforce accountability.
Nepal also needs to enhance open-government data through a single window national portal and participation in global initiatives like the Open Government Partnership. Lastly, digital literacy and capacity building of all public institutions, businesses, and citizens' groups are crucial for the realization of rights from paper to actual practice. These are not mere luxuries but are essential prerequisites for a secure digital economy and a democratic future.
Balancing Innovation and Accountability
Interviews across different government agencies bring about cautious optimism: some open their arms to free and open-sourced software that could bring better transparency; others are still unwilling to leave the comfort of ancient systems.
While the RTI Act guarantees access to public records in theory, in practice, such access is often impeded by poor digitization, fragmented databases and inconsistent record-keeping. This concern surfaced repeatedly during interviews conducted with government officials, including officials from National Information Commission, and also reflected in news reports on ministries failing to proactively update their information in compliance with the RTI Act. The Nagarik App Directive, 2078 (2021) has proved that interoperability can work perfectly provided data protection keeps pace. Encryption and audit trails along with regular risk assessments should be the rule, not an exception. Therefore, the challenge for Nepal is no longer whether it can innovate but whether it can do so responsibly in a manner that is accountable, secure and worthy of public trust.
Conclusion: Trust Building to Preserve Democracy
The future of Nepal is digital, and that no longer remains a question. However, technology without accountability will erode democracy as surely as would censorship. The Personal Data Protection Policy 2082 offers Nepal an opportunity to prove the truism that modernization and liberty can advance in tandem with one another.
To secure that future, we must protect citizens' data, make institutions transparent, and hold the leaders accountable. Only then can innovation strengthen democracy with technology rather than undermine it, and help regain trust of the citizens. Gen-Z is already demanding a government representative of their own values, i.e. openness, fairness, and trust. Therefore, at its digital crossroads, Nepal has the opportunity to turn those values into reality and build not just a smarter state, but one that is truly open and democratic.
(The author is currently pursuing LL.M. at University of California, Los Angeles. He was part of the research team at LIRNEasia, Sri Lanka, which conducted a comparative analysis of data governance frameworks in South and South-East Asia.)
-1773673205.webp)
