With over 4 billion people online 1, the internet has reshaped how we do business, communicate and conduct governance 2. As the digital economy evolves, digital security has taken on a distinct urgency. Governments face a complex array of cyber-security threats with the potential to significantly damage economic growth and infrastructure critical to essential services 3. This is especially true for countries in Asia, where, unlike in the West, internet expansion has risen amidst the internet revolution 4. Keen to leverage the benefits of the digital economy while preserving national security in a post-internet world, Asian states tend to adopt policies that are protectionist and less aligned with international standards 5.

Bangladesh leads the world in percentage of mobile malware infections 6, while Sri Lanka 7 and Nepal 8 have experienced a sharp rise in the number of cyber-security attacks. Therefore, with the aim of addressing these vulnerabilities, Bangladesh passed the "Digital Security Act, 2018" 9 ("Digital Security Act"), while Sri Lanka has presented a "Cyber Security Bill" 10 ("Cyber Security Bill"), and a "Framework for Proposed Data Protection Bill" 11 ("Data Protection Bill"). Nepal recently enacted the "Individual Privacy Act, 2018" 12 ("Privacy Act") and formulated the "Information Technology Bill, 2075" ("IT Bill") 13. While each bill/act proposes to address concerns with digital security, each is still located within a broader IT regulatory ecosystem. The following paragraphs will briefly outline the regulatory framework within each country:


Rapid take-up of internet and mobile wireless communications is a key trend shaping digital transformation in Nepal 14. As such, the "National Information and Communication Technology Policy, 2015" 15 ("ICP") has been a significant policy intervention. Stressing the need to leverage the economic and transformative potential of IT, the ICP was formulated to establish the foundation for an overarching vision of "Digital Nepal" 16. Significantly, the ICP also laid the groundwork for an extensive cyber-security policy, which, though formulated 17, never saw the light of day.

In September 2018, Nepal passed the Privacy Act. Implementing the constitutional right to privacy 18, the Privacy Act has had a significant impact on legal usage of "personal information" 19. It stipulates how "personal information" available and stored with public entities is to be utilized 20, along with liabilities for breach 21.

Seeking to replace the existing Electronic Transaction Act 22, the Nepal government proposed a comprehensive IT Bill in early 2019. It lumps together every cross-cutting IT sector, and may impact everything from social media use to surveillance, e-commerce and tech innovation 23. While providing broad definitions for "social network" 24 and "service provider" 25, the IT Bill prescribes a licensing regime for various services such as social networks 26 and data centers 27. It also penalizes offences such as cyber terrorism, publishing/display of obscene materials, acts against morality etc. 28, and empowers investigating agencies to access and intercept data 29.


As South Asia becomes increasingly digitized, vital questions around the security of information arise. While each country has recognized the need for a robust digital security framework, problems still abound. Larger issues stem from freedom of speech and surveillance concerns 67, and issues pertaining to strict regulation have also been raised by industry 68.

The next post in this series will delve further into the challenges faced by each regulatory regime. Additionally, it will attempt to chart a path that may negotiate these challenges, and provide recommendations for the same.

(This post has been authored by Vijayant Singh, Associate, with inputs from Nimisha Dutta, Counsel at Ikigai law)


1 Simon Kemp, Digital in 2018: World's internet users pass the 4 billion mark, available at

2 Anmar Frangoul, 10 ways the web and internet have transformed our lives, CNBC, available at

3 Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post, available at

4 Centre for Long Term Cybersecurity, Asian Cybersecurity Features, available at

5 Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post.

6 Security Magazine, Which Countries Have the Worst and Best Cybersecurity? Available at

7 Roartech, Can Sri Lanka's Cyber Security Strategy Protect Us? available at

8 Kathmandu Post, 19 govt sites breached in latest cyberattack, available at

9 Bangladesh Digital Security Act, 2018 available at

10 Sri Lanka Cyber Security Bill, 2019, available at

11 Framework for Proposed Data Protection Bill, 2019, available at

12 Nepal Privacy Act, 2075 (2018), available at

13 Nepal Information Technology Bill 2075 (2018).

14 Para 4, National Information and Communication Technology Policy, 2015.

15 National Information and Communication Technology Policy, 2015, available at

16 Para 5.1, National Information and Communication Technology Policy, 2015.

17 Nepal Draft Cyber Security Policy, 2016, available at

18 Article 28, Constitution of Nepal: "The privacy of any person, his or her residence, property, document, data, correspondence and matters relating to his or her character shall, except in accordance with law, be inviolable."

19 Section 2 (c), Nepal Privacy Act, 2075 (2018):

"Personal information" means the following information related to any person:

(1) His or her caste, ethnicity, birth, origin, religion, color or marital status,

(2) His or her education or academic qualification,

(3) His or her address, telephone or address of electronic letter (email),

(4) His or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body,

(5) A letter sent or received by him or her to or from anybody mentioning personal information,

(6) His or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information,

(7) His or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence,

(8) Matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision."

20 Chapter 10, Nepal Privacy Act, 2075 (2018).

21 Chapters 11, Nepal Privacy Act, 2075 (2018).

22 The Electronic Transaction Act, 2063 (2008), available at

23 The Kathmandu Post, Everything you need to know about the Nepal government's new IT bill, available at

24 Section 2 (z), Nepal Information Technology Bill 2075 (2018).

25 Section 2 (ff), Nepal Information Technology Bill 2075 (2018).

26 Section 91, Nepal Information Technology Bill 2075 (2018).

27 Section 73, Nepal Information Technology Bill 2075 (2018).

28 Chapter 15, Nepal Information Technology Bill 2075 (2018).

29 Chapter 16, Nepal Information Technology Bill 2075 (2018).

67 The Kathmandu Post, Everything you need to know about the Nepal government's new IT bill, available at; Sandaran Rubatheesan, Flaws in draft cybersecurity bill under review, available at; Rock Ronald Rozario and Stephan Uttom, Bangladesh's digital security act: old wine in new bottle? UCA News, available at

68 The Kathmandu Post, Everything you need to know about the Nepal government's new IT bill, available at; Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at; S. Barik, Bangladesh's Digital Security Bill can have a 'chilling effect on free speech': Asia Internet Coalition, available at
