Nepal’s weak data protection laws put citizens at risk

Alina Pandey

The debate between national security and data privacy involves nuances related to fundamental rights, national defense, and individual privacy. Striking a balance between the spheres of national security and data privacy is difficult, but not impossible. There are significant gaps in Nepal’s legal setup regarding data protection, which in the long run could affect the national security of the country.

According to the International Telecommunication Union, Nepal ranked 94th out of 182 nations worldwide in the Global Cybersecurity Index 2020. Furthermore, the frequent data breaches reported at widely used companies like Vianet, Esewa, and Foodmandu are due to flaws in data protection laws. Weaker cybersecurity and frequent data breaches mean less reliability and a greater chance of data expropriation.

Nepal has yet to address data privacy through a single consolidated law. The National Penal Code prohibits the breach of privacy through electronic means. Still, it fails to address whether companies are separate from persons, which means that, if a company commits a data breach, it cannot be held liable under the Penal Code. Similarly, the Privacy Act 2075 (2018) and the Electronic Transactions Act 2063 (2008) delve into individual privacy protection. The newly introduced Information Technology and Cybersecurity Bill-2082 also does not cover fundamental rights for data subjects, such as the right to access, correct, delete, or object to the misuse of their data, and does not address cross-border data transfers. These laws and newly proposed bills are missed opportunities to address the actual need of the hour. While attempts are being made for online platforms like TikTok, Facebook, etc., to register or have a local contact point in Nepal, very few have complied. Businesses that aren't registered in Nepal cannot be held accountable for data breaches. This comes with enormous consequences for governing data misappropriation. Tech companies have found loopholes to compromise data by cryptically listing the terms and conditions on their website, which falls on the consumers to read. This can be particularly challenging for Nepal with its low digital literacy rate.

Digital infrastructures comprising hardware, software, networks, data centres, cloud computing, and cybersecurity systems are expensive to build, and developing countries like Nepal rely on foreign investment for this purpose. While attracting such investments, it is also the government's responsibility to analyze any existing risks that might threaten the privacy of its citizens. Countries worldwide have made an effort to protect their digital privacy, such as India's DPDP Act and the EU's GDPR Act, which seek to restrict the transfer of data and prioritize data localisation. Tech-booming countries like Bangladesh are looking to adopt the Personal Data Protection Ordinance, 2025. According to the Ordinance, if any foreign company violates any provision of this Ordinance, then an administrative fine of not more than 5% of the total turnover of the company in Bangladesh for the preceding financial year, or 150% of the loss resulting from the violation of the provisions, may be imposed upon the company. Similarly, the Ordinance applies to citizens within and outside Bangladesh. Such protective laws allow legal oversight of foreign companies and minimise the security vulnerabilities of their citizens.

Nepal's technology sector, in particular, has attracted not just domestic but also foreign investors. China has leveraged its position as one of the biggest telecommunications exporters to Nepal. By 2022–2023, the import value of telecom equipment from China to Nepal had increased to NPR 36,027.4 million in the post-pandemic period. This sharp rise represents a significant shift in digital transformation. However, with scale comes a great need for oversight. For instance, Articles 7 and 8 of China's National Intelligence Law prescribe that any company of the People's Republic of China has to assist with information and data to support national intelligence. Although there are no prescribed mechanisms to do so, Chinese companies must abide by the law. In light of the same insecurity, countries such as the USA, Australia, and Denmark have put blanket bans on Chinese companies like Huawei. The Chinese tech company Huawei has provisions in its privacy policy that it can transfer data from its international centres to its headquarters, the parent company in China. Despite these concerns, Huawei enjoys a monopoly in Nepal's telecommunications sector. Experts in Nepal have cried foul as almost all NTC tenders were given to Chinese companies like Huawei. This makes Nepal digitally dependent, and the data of Nepali consumers might be unreliable or misused. Nepal has also signed the Mutual Legal Assistance Treaty with China. It is speculated that Nepal is signing the same agreement with India, which requires Nepal to assist in any legal matter on which they seek information if it threatens their sovereignty. These laws require Nepal to provide data of its citizens when posed with a security risk. Such agreements pose a risk to citizens of Nepal with the increasing cross-border data transfer.

Vague laws can blur the lines between national security and privacy. Data privacy and data security aim to address two different circles as depicted in the adjacent Venn diagram. Data privacy governs how data can be used and controlled and imposes restrictions on government and private entities, whereas data security looks into shielding data from threats. However, data privacy is not possible without data security. This close interconnectedness illustrates how data protection is of utmost importance for both individual privacy as well as national security. Countries around the world have tried to come up with legislation to combat data security threats to protect the overall national security.

A robust national security stance is reflected in Australia's metadata retention framework, which mandates that platforms and telecom providers keep device and location data for two years. By giving law enforcement and intelligence organizations strong capabilities to monitor movement patterns and stop threats like organized crime or terrorism, this technology guarantees that security services can take prompt, decisive action. This system places a greater emphasis on agency discretion and has less judicial scrutiny. This shows that strong national security is difficult to balance with individual liberties by integrating accountability into security frameworks.

The Government of Nepal, on the other hand, is attempting to draft legislation that will let the National Investigation Department monitor call messages and social media posts without requiring prior court approval. This illustrates how online data can easily be used for surveillance in the name of national security. Individual data privacy should not be curtailed in the name of national security. While digital security is crucial for protection against cyber threats, it should not come at the expense of individual privacy rights. The challenge for the Nepal government lies in creating a legal framework that effectively addresses security concerns without undermining personal freedom.

Data privacy laws should define the limits of data collection and surveillance, ensuring accountability and providing clear guidelines on data collection, storage, cross-border transfer, and sharing, with strict penalties for violations, without interfering with the data privacy of individuals.

author

Alina Pandey

Intern, CESIF