How your personal data is leaking, and why the government is neglecting it

By Staff
Managed by the editorial team at AllStocksInfo, this account shares curated content, research-based articles, and expert insights to keep readers informed on Nepal's evolving share market...

Every day, you likely receive promotional messages or alerts from unknown organizations on your phone. Sometimes, you might even get messages on WhatsApp from countries as far away as the Gulf or Africa. But have you ever wondered, how did your number reach them?

In this report, we explore what personal data is, why it matters, how it travels beyond Nepal’s borders, and why the government has been largely absent in protecting it.

Personal data isn’t just information; it’s power

Your phone number, citizenship number, property records, biometric info, email, financial transactions, IP address, or live location may seem like ordinary information. But in the digital world, these are highly sensitive and valuable data points. That’s why most countries around the world have strict privacy laws in place.

Nepal, however, still lacks a personal data protection law. According to Gajendra Thakur, spokesperson for the Ministry of Communication and Information Technology, “There is no legislation yet. A policy draft is reportedly being prepared by the Prime Minister’s Office. Only after that can we move toward drafting a law, likely next year.”

From ride-sharing apps and online payments to applying for a passport or driving license, Nepalis routinely share their personal details. Much of this data is being transferred abroad.

Nepal has over 16 million Facebook users. Platforms like Facebook, WhatsApp, TikTok, and Viber, which are widely used in Nepal, collect user data—but where this data goes and how it’s secured is unknown to the government.

Even after repeated government orders, Facebook hasn’t registered in Nepal. And it’s not just Facebook. Other global platforms collect massive amounts of personal information from Nepali users without proper oversight.

Why do other countries take data protection so seriously?

  • India passed the Digital Personal Data Protection Act in 2023, after a Supreme Court ruling recognized privacy as a constitutional right.
  • Germany and most of Europe follow the GDPR, one of the world’s strongest privacy regulations.
  • USA protects personal data under the Fourth Amendment and imposes strict penalties for misuse through the Federal Trade Commission.
  • China introduced the Personal Information Protection Law in 2021, requiring mandatory consent before data is collected and full transparency on its use.

In contrast, Nepal continues to collect citizen data through various digital services without any clear rules on how it’s stored, shared, or deleted.

Even ride-sharing apps and e-passport systems send your data abroad

Social media isn’t the only source of data collection. Ride-sharing apps like Pathao, Indrive, and Yango also collect:

  • Names
  • Addresses
  • Mobile numbers
  • GPS locations
  • Travel behavior
  • Payment methods
  • Profile photos

These companies do not store data in Nepal. Pathao sends its data to Bangladesh. Indrive is Russian-owned. Yango is headquartered in Dubai.

Even government systems such as the Smart License Management System and e-passport infrastructure collect biometric data that may not be safely stored within Nepal. In fact, the smart license system’s source code is still owned by an Indian company, while the e-passport system was only recently transferred from a French provider.

Nepal doesn’t have a law that requires foreign companies to establish local data centers or hand over data ownership. Even companies that claim to have data centers in Nepal haven’t actually transferred control of that data to Nepali authorities.

Cybersecurity expert Rajiv Subba, who teaches in Norway, explained that he’s not allowed to communicate with students via WhatsApp because of strict data protection laws there. “We must use university-approved systems,” he said. “But in Nepal, even top government officials use Gmail and WhatsApp for official communication. How can data be secure this way?”

Nepal must urgently:

  • Pass a dedicated Data Protection Act
  • Ensure data localization for foreign companies operating in Nepal
  • Establish clear legal ownership of government IT systems
  • End reliance on foreign vendors for sensitive services

Without these reforms, Nepali citizens remain exposed, their data vulnerable to misuse, and the government unable—or unwilling—to protect them.

Why this matters to investors and listed companies

Nepal still has no stand-alone personal data protection law. The moment a robust act lands (as the government hints it might draft next year), sectors that live on data—banks, insurers, merchant banks, DP/brokers, telecoms/ISPs, fintechs, payment processors, ride-sharing platforms, e-commerce, ad-tech/marketing agencies, health-tech and even government IT vendors—will face new costs and liabilities. That can hit earnings, cash flow and, ultimately, share prices.

Potential cost impacts if a data law passes
• Data localization: Foreign or cross-border platforms serving Nepali users could be forced to host and process data inside Nepal. Expect fresh capex for local data centers or paid third-party hosting.
• Security uplift: ISO 27001, SOC 2, regular penetration testing, red teaming, DPO hiring, encryption at rest/in transit, full audit trails—these are not free.
• Vendor lock-in exit costs: Government and many corporates still do not own source code or full rights to core systems. Exiting or renegotiating these contracts to meet localization and audit requirements will be expensive.
• Mandatory breach notification and fines: If Nepal mirrors GDPR-style regimes, penalties can be turnover-linked and material enough to dent quarterly profits. Remediation (credit monitoring for users, system rebuilds, PR/crisis spend) adds to the bill.
• Process re-design: Consent capture, purpose limitation, retention/deletion policies, data subject access requests (DSARs) and audit logging will require new workflows and software.

Regulatory risk across the market infrastructure
• Banks/insurers (listed): Hold the most sensitive KYC, financial and health-adjacent data. Breaches or non-compliance could trigger NRB/Beema Samiti fines, provisioning hits, or higher cyber-insurance premiums.
• Brokers, DP, CDS & Clearing, NEPSE: Trade/order data, portfolios, PANs, bank links—if leaked—can be market-moving. A 72-hour mandatory breach reporting rule (global norm) would create headline risk and short-term volatility.
• Telcos/ISPs and large IT vendors: Often the custodians or transporters of traffic and logs. If they are forced to localize and segregate data, margins may compress.
• Ad-tech/digital marketers: If explicit consent, purpose limitation and easy opt-outs become mandatory, targeting efficiency could drop, reducing campaign ROI assumptions many listed companies use.
• Ride-sharing and super-app style platforms: Heavy GPS and behavioral data collectors. If localization and explicit consent are enforced, compliance costs surge; growth narratives may be repriced.

What regulators should quickly do to reduce systemic risk
• SEBON and NEPSE: Require listed firms to disclose material cyber incidents, data breaches and privacy regulatory actions within a fixed time window.
• Harmonize with NRB, Beema Samiti and NTA: One breach, one notification framework, shared taxonomy of severity.
• Enforce source code escrow and vendor lock-in free clauses on all critical national systems (smart license, passport, national ID, payment switches).
• Mandate baseline controls: independent annual infosec audits, board-level cybersecurity oversight, DPO appointment for data-heavy firms.
• Stress tests and tabletop exercises: Prove readiness, not just policy existence.

Investor due diligence checklist
Before you buy—or as you monitor your holdings—ask or look for:

  1. Does the company have a data protection officer (DPO) and board oversight of cyber risk?
  2. Is it ISO 27001 (or equivalent) certified, and how recent is the audit?
  3. Where is customer data stored? Is there a Nepal-based replica and who owns the source code?
  4. Are third-party vendors contractually bound to Nepalese data localization, breach notification and deletion timelines?
  5. How fast must the company disclose a breach to regulators, customers and the market?
  6. Are encryption, tokenization, and least-privilege access enforced across production systems?
  7. Has the firm run (and disclosed) breach simulations or penetration tests in the last 12 months?
  8. Does the firm have cyber insurance, and what are the exclusions?
  9. What capex/opex uplift is management modeling for an eventual Data Protection Act?
  10. How does the company handle consent, purpose limitation, retention/deletion, and DSARs?

The bottom line for the market
Privacy regulation is coming—if not in 2082/2025, then soon after. When it does, compliance laggards will pay—in cash, credibility, and potentially in valuation. Proactive governance today can be a moat tomorrow. As an investor, start pricing that in.
