Privacy Laws in South Asia

Raksha HR

Penultimate-year law student, School of Law, CHRIST (Deemed to be University), Bengaluru

The southern region of Asia includes India, Sri Lanka, Nepal, Bhutan, Bangladesh, Pakistan, Afghanistan, and the Maldives. The association between these nations is the South Asian Area of Regional Co-operation (SAARC). The growth of data protection laws in these countries has been significant since 2013. Even though the laws in these countries are based on European standards, they are unique due to the socio-economic, cultural, and geopolitical context.

i. Unlike the European context, there is no single international organization in Asia to oversee the development of privacy laws on the continent, and there have been no developments in this regard from the SAARC agreements. Hence, a bottom-up approach must be adopted to understand the development of these laws from national legislation.

ii. It is pertinent to understand the privacy laws and policy developments in these nations since they have an impact on trade and the transfer of information among nations.

In India, the Personal Data Protection Bill was placed before Parliament in 2019, pursuant to the Puttaswamy Judgement of 2017, which ruled that privacy is a fundamental right under the constitution. As an overview, the bill, which is based on the GDPR, regulates the processing and storage of the personal and sensitive information of the individual to whom the data belongs. A data protection authority is to be instituted for redressing grievances. Further, the bill provides for transparency and accountability measures and for exemptions for the processing of personal data.

The Sri Lankan Ministry of Digital Infrastructure and Technology has recently drafted the bill for Regulation and Processing of Personal Data, 2021. The bill is based on the principles of the GDPR. The territorial scope extends to any service or goods that are accessed through an online medium by a data subject in the country. This is wider than the GDPR because the law applies to all services that are accessed from the country, even though they may not be specifically intended for data subjects in the country. The regulatory authority is a public corporation or statutory authority that is controlled by the government, and it will monitor the compliance requirements of controllers and processors of personal data. The bill provides a consent-based model, wherein the processing of personal data is legal if the data subject permits it of their own free will. It is also legal to process the data in furtherance of a contract, for the establishment of claims in legal proceedings, and if it is in the public interest, such as promoting health. It is mandatory for the controller to carry out a Data Protection Impact Assessment (DPIA) to monitor and mitigate the risk of privacy violation. The bill imposes a penalty of up to LKR 10 million, which is around 50 thousand US dollars.

In Nepal, Article 28 of the constitution grants the fundamental right to privacy to all individuals. The laws on privacy are provided under the Privacy Act, Privacy Regulation, Civil Code, Criminal Code, Labour Regulation and Information Technology (IT) bill. These laws do not specify their territorial applicability, and upon strict interpretation they do not apply extra-territorially. But the IT bill provides that the law is applicable to any information within and outside the country if it is processed by individuals located in Nepal. The Privacy Act and the regulations are rudimentary since they do not establish any data protection authority. They do not define key terms such as data controller and data processor. The laws prescribe that information must not be collected without consent from the individuals, but the process for confirming this compliance is not provided. They provide that personal and sensitive personal data can be processed for health reasons with the permission of a registered medical practitioner. They do not provide exemptions to the data controller to protect their interests. The Privacy Act prescribes a penalty of NPR 30 thousand, which is approximately 260 US dollars.

In Bhutan, the Information Communications and Media Act of 2018 contains provisions on data protection under chapters 17 and 21 of the legislation. This is a comprehensive law that deals with the regulation of all aspects of telecommunication, broadcasting, media, electronic governance, consumer protection, domain names, cybersecurity and data protection. Chapter 17 of the law states that Information and Communication Technology (ICT) and media companies must protect the privacy of individuals’ personal and sensitive personal information which is collected from them. All ICT and media companies must draft a privacy policy providing information about the details that are collected and how they will be processed. This policy must be easily accessible to users. Further, the law provides that sharing data with third parties must be avoided and, if it is done with consent, the terms must be set out in a contract that complies with this law. Chapter 21 states that written permission is necessary for the collection, processing, or collation of any personal information, and that the information must be deleted by the controller of the data once it is no longer necessary. The penalty for violation of these rights is to be determined by the court in the form of damages. The issue with this law is that it applies only to ICT and media companies, which reduces the scope of data protection. It also states that data collection shall be limited to that which a reasonable person considers appropriate in the circumstances, and this makes it ambiguous.

Pakistan has proposed the Personal Data Protection Bill of 2020. Article 14(1) of the constitution of Pakistan prescribes the right to privacy of the home. The laws that are in force for data protection are the Prevention of Electronic Crimes Act, 2019 and the Payment Systems and Electronic Fund Transfers Act 2007, which is applicable to the financial sector. Pakistan also has sector-specific regulations in health and telecommunication. The bill, when made into law, will apply to any person who controls or directs the collection or processing of personal data of any data subject in Pakistan. A controller that is not established in the country shall nominate a person from Pakistan. Additionally, the bill contains provisions similar to those seen in the other countries concerning data protection authorities and the rights of data subjects.

In Afghanistan, there is no specific law or bill for data protection. The constitution under Article 37 guarantees the right to privacy and freedom of confidentiality. There is a brief mention of these rights in sectoral laws such as the telecommunication, penal code, tax, public health and mass media laws. In Bangladesh, the courts have read the right to privacy into the fundamental rights of thought and conscience and freedom of speech under Article 39, and the right to life and personal liberty under Article 32 of the constitution. There is no specific law on data protection. However, the Information Technology Act 2006 and the Digital Security Act 2018 briefly address the protection of privacy in addition to cybersecurity and electronic crimes. Similarly, in the Maldives there is no separate law for data protection, and the bill that was circulated in 2016 has not been passed. The right to privacy is provided under Article 24 of the constitution, the available remedies concern unlawful surveillance under Section 231 of the Penal Code, and there is a brief mention in sectoral laws.

