As data usage, digital platforms, and surveillance technologies continue to expand, understanding privacy rights has become essential for individuals, businesses, and institutions in Nepal.
This FAQs Guide 2026 answers the most common legal and practical questions relating to the Individual Privacy Act, 2075 (2018) Nepal’s primary legislation on privacy and personal data protection.
This guide is intended for business owners, HR teams, digital platforms, foreign investors, and individuals seeking clarity on privacy compliance in Nepal.
General FAQs on the Individual Privacy Act
1. What is the Individual Privacy Act, 2075?
The Individual Privacy Act, 2075 (2018) is Nepal’s principal law governing personal privacy and protection of personal information. It enforces the constitutional right to privacy by regulating how personal data is collected, stored, processed, used, and disclosed.
2. When did the Individual Privacy Act come into force?
The Act came into force in 2018 (2075 BS) following its enactment by the Parliament of Nepal.
3. Who does the Act apply to?
The Act applies to:
- Individuals
- Government bodies
- Public authorities
- Private companies
- Banks, hospitals, schools, employers, and digital platforms such as digital wallets.
- Any entity that collects or processes personal information in Nepal must comply.
FAQs on Personal Data and Privacy Rights
4. What is considered “personal information” under the Act?
Personal information includes:
- Name, address, contact details
- Citizenship, passport, or ID numbers
- Biometric data (fingerprints, retina scans)
- Education, employment, and financial records
- Medical data
- Personal correspondence and communications
- Criminal or legal records
- Opinions or professional evaluations linked to an individual
5. Is consent mandatory to collect personal data?
Yes. Informed consent is mandatory before collecting or processing personal information, except in limited circumstances allowed by law.
6. Can personal data be used for a different purpose later?
No. Personal data can only be used for the specific purpose disclosed at the time of collection unless fresh consent is obtained or disclosure is legally mandated.
7. Does the Act protect digital and online data?
Yes. The Act covers both physical and electronic data, including emails, online records, databases, and digital communications.
FAQs for Businesses and Employers
8. What obligations do businesses have under the Act?
Businesses must:
- Obtain lawful consent
- Inform individuals of data usage purposes
- Secure data against unauthorized access
- Prevent misuse, alteration, or leakage
- Use data strictly for lawful purposes
Failure to comply may result in legal liability.
9. Can employers collect employee personal data?
Yes, but only data that is necessary, proportionate, and relevant to employment purposes, and with proper consent and safeguards.
10. Are businesses required to notify data breaches?
Currently, the Act does not expressly mandate breach notification, but failure to protect data may still result in legal consequences.
FAQs on Disclosure and Exceptions
11. When can personal data be disclosed without consent?
Disclosure without consent is permitted only:
- Under a court order
- For law enforcement or national security
- When required by law
- If the information is already public
- If the individual voluntarily discloses it
12. Can personal data be shared with third parties?
Only with:
- Explicit consent of the individual, or
- Legal authorization under applicable laws
Unauthorized sharing is a punishable offense.
FAQs on Enforcement and Penalties
13. Is there a Data Protection Authority in Nepal?
No. Nepal does not yet have an independent data protection authority. Enforcement is primarily through the courts.
14. Where can a privacy violation complaint be filed?
A complaint must be filed with the concerned District Court within three months from the date of violation.
15. What are the penalties for violating the Individual Privacy Act?
Penalties may include:
- Fine up to NPR 30,000
- Imprisonment up to 3 years
- Compensation to the affected individual
- Or a combination of the above
FAQs for Foreign Companies and Cross-Border Data
16. Does the Act apply to foreign companies operating in Nepal?
Yes, if the foreign company:
- Operates in Nepal, or
- Collects personal data of individuals located in Nepal.
However, the Act lacks detailed extraterritorial enforcement provisions.
17. Is cross-border data transfer regulated?
The Act does not clearly regulate cross-border data transfers, creating uncertainty for multinational companies. Legal risk assessments are recommended.
FAQs on Future Developments (2026 Outlook)
18. Is Nepal planning a dedicated Data Protection Law?
Policy discussions are ongoing regarding:
- A comprehensive data protection statute
- Creation of a Data Protection Authority
- Alignment with global standards such as GDPR
19. Why is compliance important despite weak enforcement?
Non-compliance may still lead to:
- Criminal liability
- Civil compensation claims
- Reputational damage
- Tax Claims
- Contractual and regulatory risks.
Especially for regulated sectors like banking, health, telecom, and IT.
20. How can Sherpa Law Associates help?
Sherpa Law Associates assists clients with:
- Privacy compliance audits
- Data protection policies and consent frameworks
- Employee data handling protocols
- Risk assessment for digital platforms
- Legal representation in privacy disputes
The Individual Privacy Act, 2075 remains Nepal’s central privacy legislation in 2026. While it provides essential legal protection, its practical enforcement and scope continue to evolve. Individuals and organizations must adopt proactive compliance measures to safeguard privacy rights and reduce legal exposure.
For tailored advice on privacy compliance in Nepal, Sherpa Law Associates provides strategic and legally sound solutions.




