In May last year, I wrote on The Record that Nepal’s future was in danger in a post-Covid world and made some recommendations for recovery. As suspected, not much has changed since. Instead, the Nepali state has failed on several fronts in the handling of the crisis.
And amidst the pandemic, the biggest digital transition of our lives is taking place. Big tech is conquering our individual and collective worlds, and we are sleepwalking into a lost war in the digital space. Nepal's digital sector has only a nascent understanding and implementation of technology. Its utilitarian aspects are emphasized and glorified for good reasons, but the sociocultural, health and ethical narrative, which has huge implications for society, is understated. We are on the cusp of a changing world that increasingly threatens to undercut our progress.
With that background, we travel to Tulsa, United States, where one of the largest hacks ever known took place in late 2020. The SolarWinds hack affected the company's Orion software and the clients that had deployed it in their technology infrastructure. Companies and institutions like Microsoft, Intel, Cisco, the US government, the EU, and NATO had their systems compromised. It is argued that the hack was an act of cyberespionage, but that isn't the important point here. The attackers used sophisticated methods to penetrate the software during development and implanted malicious code that would later let them take control of the finished product at will. The product was used by thousands of customers all over the world, leaving their systems and data open to manipulation.
In July this year, the US justice department indicted Chinese security officials for breaching academic institutions and governments and stealing scientific research. China denied any involvement. A New York Times article elaborates on recent dangerous trends and indicates that firms in the financial, legal, health, real estate, and energy sectors were being targeted. The Pegasus software developed by an Israeli software company for clients looking to snoop into mobile phones was also exposed this year as a tool used secretly by governments to increase surveillance.
At home, Nepali grey-hat hacker Satan brought to light vulnerabilities in Prabhu Money Transfer in April last year. Throughout that year, Satan identified issues and alerted authorities at Daraz, Nepali Congress, and Kantipur Media Group, while also later claiming that any website hosted on the .gov.np domain was open to intrusion. The lack of extensive media coverage of these incidents, and the serious disregard for such credible threats, only make it clear how unprepared we are in case of a major IT breach. There is an evident sense of complacency and helplessness in both the citizens and the institutions of the nation when it comes to tackling the novel problems of the technological era.
After much scrutiny, the Nepal Special Services Bill was passed last year, after its original provision to broadly intercept public communications without a court order was removed. Privacy violations by the state have been growing post-federalism. Meanwhile, the government's push for digitization without proper safeguards is deeply concerning. Citizens App, launched last year, consolidates several government services, such as the Permanent Account Number, driving license, and company registration, into a single service platform. The government has assured the public of stringent security measures for their data, but in light of recent developments there are more reasons to believe in scenarios that could even put Nepali democracy at risk.
Existing laws and challenges
Article 28 of the Nepali Constitution lists the right to privacy as a fundamental right, aiming to protect the privacy of individuals with regard to their residence, data, property, correspondence, and other related matters. The Constitution also guarantees freedom of expression to the people of Nepal. Moreover, the Individual Privacy Act of 2018 has provisions to safeguard the right to privacy as guaranteed by the Constitution, along with the protection and safe use of personal data stored by public agencies, and to prevent intrusion on the individual's privacy. The Individual Privacy Regulation 2020 addresses the practicality of the law. Likewise, the Country Civil Code 2017 and the National Penal Code 2017 have some general provisions for data protection and the privacy of individuals.
In practice, however, privacy is often a mere afterthought. Apart from the weak data protection practices mentioned previously, state intervention in the private matters of citizens has been increasing. CCTV cameras are widely used in the Kathmandu valley, officially for security reasons, but at the risk of undermining existing law. Intelligence and security agencies operate surveillance technology amidst a declining rule of law, incompetent governance, and high-profile corruption cases that shake public faith in government institutions. The privacy of citizens is on the backburner in a weakening democracy.
On the other hand, the government proposed an Information Technology Bill in 2019 seeking to regulate the IT sector. The Bill, when passed, aims to replace the Electronic Transaction Act (ETA) of 2008. The Bill covers the regulation of "the validity, integrity and reliability of records and signatures; cybercrime and social media". The ETA was already problematic in its use for curbing freedom of expression. Journalists were targeted under the ETA to control the media at the state's will. Comedians and musicians were jailed for their art. Members of the public were prosecuted for their social media posts. The IT bill is even more problematic. Like its predecessor, the bill's provisions have unclear definitions that could be interpreted in ways that intimidate the public and the media for expressing dissent at the state's actions. The state has also sought to directly interfere in the appointment of judges for cybercrime-related cases, along with an intent to establish a separate court, in direct violation of the principle of separation of powers. Besides, the bill clashes with prior laws in its objectives. Further, examining the IT bill makes apparent the lawmakers' erroneous and superficial understanding of technology. For example, a person involved in "repeatedly teasing, misleading, insulting, discouraging, rebuking and threatening, creating hatred or confusing the receiver of the information" will face a punishment of 5 years in jail or Rs. 1,500,000 in fines, or both. In comparison, the punishment for attempted murder is 10 years in jail and Rs 100,000 in fines. Meanwhile, the bill includes undefined jargon and impractical proposals that could lead to a legal quagmire. For example, Section 86 of the bill seeks to ban obscene materials. But there is no clear definition of "obscene" specified in the bill.
Section 91 seeks to get transnational social media companies to register with the concerned government department or face termination of service in Nepali territory. Therefore, the IT bill in its present form is not a document worthy of becoming law.
GDPR: A model to emulate
The General Data Protection Regulation (GDPR) is Europe's data privacy and security law that sets specific requirements and penalties for companies that operate in the EU and/or with EU citizens' data. This means the GDPR applies to companies operating outside the EU as well. The regulation can be viewed as a model for nations around the world facing technological developments in their jurisdictions. The fines it sets are as high as 20 million euros or 4 percent of global revenues. Damages can be sought by data subjects. Most importantly, unlike the Privacy Act and the proposed IT bill, the GDPR is comprehensive in scope. It defines legal terms with precision and clarity.
Above all, the GDPR establishes a data protection authority that has a central role in enforcement. The regulation defines data controller, data processor, and data subject as entities that interact with each other during the data lifecycle. The controller is a person who is able to decide why and how personal data will be processed. Data processing is described as "any action performed on data, whether automated or manual". Nepal's laws define personal data and sensitive data, whereas the GDPR also defines health data, biometric data, and pseudonymisation, bringing them within the legal boundary.
The GDPR establishes consent as primary. Unlike the laws here, it defines consent and specifies the procedures for obtaining it. The rules are different when it comes to children under 13. Importantly, Nepal's laws governing data protection abide by certain principles, but those principles only apply to public institutions. That leaves private institutions, which are at the forefront of technological adaptation, relatively free from legal repercussions should their systems be breached.
Data protection principles of the GDPR, like purpose limitation, data minimization, and storage limitation, are noteworthy for inclusion within the legal framework. Purpose limitation restricts entities to processing data for the purpose specified at collection, while data minimization allows the collection and processing of only the data that is required. Likewise, storage limitation limits the storage of data to only the period necessary for the specified purpose. The GDPR makes it mandatory to consider data protection "by design and by default" in Article 25. A list of privacy rights is defined, empowering data subjects with control over their data.
In a symposium that I attended last year, organized by the Knight First Amendment Institute at Columbia University, stakeholders referenced the GDPR as a model for formulating an umbrella law in the US. The conference served as a platform to discuss the evolving relationship between technology and society. Similar efforts are needed at home to formulate laws that are rich in scope and application.
Situation in the Asia Pacific
The Asia Pacific region is still coming to terms with the rapidly emerging place of technology in society. The GDPR has necessitated a review of existing laws across the region. I checked Singapore's act, termed the PDPA, and found it inadequate compared to the regulations in Europe. For example, the PDPA doesn't apply to public agencies handling personal data. Hogan Lovells' latest annual guide to data protection and cyber security in the region mentions that India and Thailand are seeking to introduce comprehensive regulations that are inspired by the GDPR but consider local requirements.
The report portrays a bleak state of enforcement of existing laws. For example, data breaches that occurred at British Airways and Cathay Pacific, in the UK and Hong Kong, at around the same time resulted in a GBP 183 million fine for the former and no financial penalty for the latter. China's Cyber Security Law (CSL) was introduced in 2017; however, many details are yet to be clearly specified. This has an effect on smaller countries in the region that follow China's lead. China's recent tightening grip on its technology sector will create a split in its approach to handling companies at home.
The report highlights that regulators are expected to become proactive in engaging the technology sector as data breach incidents are on the rise and widely publicized. There is a need to create a regional compliance guideline for the APAC that starts where the GDPR stops. Nepal's lawmakers will have to consider developments in the region as well, perhaps most importantly in India, which has tabled the Personal Data Protection Bill 2019.
The main elements of the Bill are a data protection authority (the regulatory body), extra-territoriality, data protection officers for "significant data fiduciaries", a privacy-by-design policy, data subject rights, a basis for processing, mandatory data breach notification, and social media intermediaries, among others. The Bill is comprehensive and takes considerable inspiration from the GDPR.
Nepal is facing an uphill battle with technology regulation as it struggles to contain the impact of the Covid-19 pandemic. Existing laws are amateurish, while the proposed IT bill has several inadequacies and unaddressed challenges. Broad stakeholder participation is recommended to review the bill while looking at changing developments in the region and across the world. Doing that would only mean building a foundation for the impending future, which will be guided by the country's governance quality and its business environment for technology companies.
Rubin Ghimire is an economist and artist. He is the country founder at the Center for Humane Technology, which advocates for humane tech ecosystems.