Comprehensive Data Protection Law Critically Required: Supreme Court Advocate and Professor Dr. Newal Chaudhary

KATHMANDU - With growing digital connectivity and adoption of new technologies like AI, concerns around individual privacy and protection of personal data are escalating globally. However, Nepal still lacks a comprehensive legal framework governing privacy and data protection in the digital age.  To get expert perspectives on this issue, we spoke with renowned cybersecurity lawyer Dr. Newal Chaudhary at his office in Maitighar, Mission Legal Service Pvt.Ltd. Dr. Chaudhary has over 22 years of experience advocating for digital rights and advising governments on cyber legislation across South Asia. Dr. Chaudhary is also a book author of the Famous Book “The Art of Cyber Law & Cyber Crimes”.

"Nepal is in urgent need of enacting dedicated laws to safeguard citizens' informational privacy rights and impose strict limits on how institutions can collect and use personal data," emphasized Dr. Chaudhary during the interview. "With rapid digitization, vast amounts of sensitive individual data is being generated daily, but there are negligible checks on arbitrary or unethical use of such data currently."

Absence of Robust Privacy Protection Legislation

Dr. Chaudhary highlighted that although Nepal's Constitution guarantees right to privacy and IT Act vaguely references data protection, comprehensive legislation exclusively focused on regulating government and corporate collection, storage and utilization of citizens' personal data is missing. "The 2007 Right to Information Act primarily focuses on access to government records and has minimal privacy safeguards. Existing provisions in Electronic Transactions Act or Evidence Act are woefully inadequate for the data-driven digital age when technology allows unprecedented tracking, monitoring and profiling of individuals based on their sensitive personal information," explained Dr. Chaudhary.

"For instance, there are no purpose or collection limitations imposed on what kind of personal data can be gathered, for what specific purposes, or obligatory data anonymization and destruction requirements. Consent requirements are weak, citizens have little access or control over their own data, and oversight bodies empowered to penalize unethical data practices do not exist," he added.

Surveillance Infrastructure Being Developed Without Privacy Guardrails

Dr. Chaudhary expressed concerns that both government agencies like security and law enforcement as well as private corporations are rapidly enhancing technological infrastructure to gather vast amounts of citizens' personal data without simultaneous development of adequate checks to prevent misuse.  "Government schemes like Social Security ID system, vehicle registration databases or CCTV camera networks can enable surveillance state without balancing regulations. Similarly private firms like banks, insurers, tech companies can weaponized data analytics on customers without consent safeguards or purpose limitations," cautioned Dr. Chaudhary.

"Once such architecture of data collection is entrenched, bringing in rights protections becomes more challenging. We need limitations baked into the design of such systems from the start," he asserted.

Comprehensive Personal Data Protection Law Critically Required

To address Nepal's lack of privacy and data protection legislation, Dr. Chaudhary made a strong case for urgently enacting a comprehensive Personal Data Protection law based on global best practices but adapted for local context.  He highlighted key principles such a law should incorporate - limited collection of only necessary data for specified purposes, opt-in consent requirements giving citizens control over their data, strong security safeguards against leaks, mandatory data anonymization and defined retention periods, restrictions on cross-border transfer of sensitive data, establishment of Data Protection Authority to monitor compliance and penalize violations.  "The law should impose heavy penalties amounting to crores for unethical data use, mandatory data breach disclosures and compensation for affected individuals, and be applicable to government agencies and private entities alike. Nepal already has progressive privacy provisions and precedence in its constitution that can be translated into strong legislation," recommended Dr. Chaudhary.

Challenges in Enacting Robust Privacy Legislation

However, Dr. Chaudhary also acknowledged significant challenges in actually developing and passing sufficiently rigorous privacy and data protection legislation in Nepal.  "Government agencies like security, intelligence, law enforcement or regulatory bodies often resist external oversight or restrictions that could hamper their functioning," explained Dr. Chaudhary. "Corporations focused on profits and efficiency also lobby against regulations that give users control over their data."  Hence a comprehensive privacy law requires political will and ability to overcome institutional inertia and vested interests. Public advocacy raising awareness on digital rights will be crucial.

Further, once enacted the law should not remain just on paper but mechanisms have to be built for enforcement. "Merely formulating a data protection law will not suffice, if regulatory capacity for implementation monitoring is missing. The proposed Data Protection Authority needs to be made fully functional, independent and empowered," emphasized Dr. Chaudhary.

Special Protections Needed for Children and Vulnerable Groups

Dr. Chaudhary also strongly recommended including additional safeguards in the privacy legislation for children and vulnerable sections like women, marginalized communities, disabled and elderly who face higher risks of exploitation and exclusion. "Harsher penalties for breaching children's privacy, restrictions on tracking, targeting or profiling minors, and mandating tech platforms to adopt child-safe design are crucial," he said. Data collection from marginalized groups like informal workers or domestic staff also requires careful regulation.

Regulating Government Use of Emerging Technologies

The interview also covered how privacy principles should shape government adoption of emerging technologies like AI and surveillance systems.  Dr. Chaudhary asserted that before deploying AI for sensitive use cases like public benefits allocation, predictive policing or facial recognition surveillance, the technology's impacts on privacy and potential for embedded bias against marginalized groups must be assessed.  "Lack of transparency in AI systems development, lack of accountability for harmful outcomes, and absence of ethics review frameworks are major concerns," cautioned Dr. Chaudhary. "Nepal needs guidelines ensuring rights-respecting procurement and use of AI aligned with international human rights conventions it is signatory to."

Use of drones, stingray devices for cell phone surveillance or camera networks also need balancing regulations against indiscriminate mass data collection and tracking citizens' movements. However, he acknowledged providing legitimate security while respecting privacy is a complex balancing act for which extensive multi-stakeholder deliberations are necessary within Nepal's socio-cultural context.

Collaboration with International Privacy Groups

Given the cutting edge, technically complex nature of privacy issues in the digital age, cooperation with international civil society groups working on technology regulation will be helpful to strengthen local capacity, Dr. Chaudhary suggested. Groups like Electronic Frontier Foundation, Access Now, Algorithm Watch etc. combined with Nepali digital rights organizations can support Nepali policymakers and oversight bodies with expertise and global best practices.

Corporate Responsibility

Dr. Chaudhary emphasized that along with the government, private companies especially tech platforms like Google, Facebook, payment providers or insurers collecting vast customer data also need to self-regulate by designing transparent, ethical data practices aligned with human rights principles.  "Voluntary adoption of data minimization, anonymization, purpose limitation, and user control principles by firms even before legislation mandates it, will build public trust and demonstrate corporate social responsibility," he said.

In summary, during the extensive informal  interview Dr.Newal Chaudhary stressed Nepal urgently needs to develop comprehensive legislation exclusively focused on regulating government and private sector collection, storage, analysis and sharing of citizens' personal data to adapt to the realities of the digital age.  Mere Constitutional privacy principles and existing fragmented provisions are inadequate to protect citizens from emerging threats to informational privacy. A robust, forward-looking yet context-appropriate legal framework with enforcement capacity can balance safety, innovation, inclusion and rights in Nepal's digital transformation.  Public advocacy, institutional collaboration and corporate responsibility will be key to achieving strong privacy and data protection legislation that withstands inevitable pushback from interests preferring status quo.  "By taking decisive action now, Nepal has the opportunity to become a model in South Asia for rights-respecting governance of technologies impacting fundamental freedoms in the 21st century," Dr. Chaudhary asserted, concluding the highly illuminating informal interview.