Data has become the new oil in the digital age, fueling innovation and economic growth. However, the exponential rise in data collection and processing has also exposed individuals to unprecedented privacy risks. As Nepal continues its digital transformation journey, it is imperative to have a robust legal framework that safeguards citizens’ personal information, regardless of whether public bodies or private entities hold it.
The Privacy Act, 2018, while a commendable step forward, falls short of providing comprehensive protection, particularly when it comes to holding private companies accountable for data breaches.
The public-private divide: A critical oversight
The Privacy Act, 2018 imposes stringent obligations on public bodies to implement reasonable security measures and protect personal information under their control. Section 25 of the Act mandates that public bodies take appropriate measures to prevent unauthorized access, use, disclosure, or transmission of personal data. Individuals can seek compensation from public bodies for damages resulting from non-compliance with these provisions. However, the Act overlooks a crucial aspect: the role of private companies in data protection. While the definition of “public bodies” encompasses government entities, constitutional bodies, and state-owned enterprises, it fails to address the responsibilities of purely private companies that collect and process vast amounts of personal data daily.
In today’s digital landscape, companies across sectors collect and analyze personal data to enhance their products, services, and marketing strategies. From e-commerce platforms to ride-sharing apps, and fitness trackers to social media networks, personal data has become the lifeblood of countless businesses. The absence of a legal framework holding these private entities accountable for data breaches and inadequate security practices leaves individuals vulnerable and without recourse.
Amending the Privacy Act: A necessity
Amending the Privacy Act of Nepal to extend data protection obligations to private companies has become an urgent necessity. To bridge this critical gap, the Privacy Act, 2018 must undergo amendments to include provisions that hold private entities accountable for data breaches and inadequate security practices. Firstly, the amended Act should expand the definition of “public bodies” or introduce a separate category encompassing private companies collecting and processing personal data. This expansion would bring such private data handlers under the purview of the law’s data protection requirements.
Secondly, the amended Act must impose clear obligations on private companies to implement reasonable and appropriate security measures, conduct regular risk assessments, and promptly notify affected individuals in the event of any data breaches. By mandating these measures, the law would ensure that private companies prioritize data security and maintain transparency with their customers.
Thirdly, individuals must be granted the statutory right to seek compensation from private companies for any damages or losses resulting from non-compliance with the data protection obligations stipulated in the amended Act. This provision would empower consumers and create a legal deterrent for companies to uphold data privacy standards. Furthermore, the amendments should pave the way for establishing a dedicated Data Protection Authority tasked with overseeing compliance, investigating complaints from individuals, and imposing penalties on private companies found in violation of the data protection laws. This independent regulatory body would strengthen enforcement and ensure accountability across sectors. Incorporating these crucial elements, the amended Privacy Act would comprehensively address the existing gap and extend robust data protection standards to both public bodies and private companies operating in Nepal’s digital landscape. It is necessary to strike a balance between fostering innovation and protecting individual privacy.
The amended Act should provide clear guidelines and best practices for data collection, processing, and storage, promoting transparency and accountability while minimizing unnecessary regulatory burdens on businesses. As Nepal embraces digital transformation, it is imperative to have a comprehensive legal framework that protects citizens’ personal information, regardless of whether public bodies or private entities hold it. Amending the Privacy Act, 2018 to hold private companies accountable for data breaches and inadequate security practices is not only a legal necessity but also a moral imperative. By closing this gap, Nepal can safeguard the digital rights of its citizens, foster trust in the digital economy, and position itself as a leader in data protection in the region.