Boom; your life is being recorded, analysed, traded, and sometimes hijacked. Every momo order, every Nagarik app login, every TikTok scroll – they're not just harmless actions. They're digital footprints of your life being collected. This is data, and it's the new oil fueling a silent revolution in Nepal, whether we realise it or not.

Data isn't just some fancy tech term. It's the digital version of who you are, what you like, where you go, what you watch, buy, read, and even think. From our phones, laptops, apps, forms, and even Facebook reactions, tiny pieces of us are collected, stored, analysed, and often sold. And yet, many of us don't even realise it.

In Nepal, we give away our personal information freely without a second thought. Signing up for a service? Fill the form. Ordering food online? Add your name, number, and address. Applying for a government document? Share your full personal history. We're conditioned to providing data without asking why, where it's going, or who will use it.

We fill out 'just-for-record' forms – name, address, phone – without question. Why does a local NGO need your blood group? Or a delivery app your geolocation? Once you hit submit, it's out there. Somewhere in a spreadsheet. Or a database. Or worse, the dark web.

Think about the last time you visited a local photocopy or printing shop. You handed over your USB drive, or forwarded your scanned citizenship or passport via email and simply said, 'Please print this.' Did you ask them to delete the file afterwards? Probably not. We assume it's gone, but it often sits in someone else's inbox or computer for days – and maybe forever. That one moment of convenience could be all it takes for your most sensitive data to live on in the wrong place, unprotected.

And it's not just local platforms collecting your life. Even global tech giants like Google quietly build detailed profiles on each of us. If you use Gmail, YouTube, Google Maps, or browse with Chrome while logged in, Google collects your location history, search habits, YouTube views, and even voice recordings. It knows your age, gender, interests, life milestones, and shopping behaviour – all without ever really asking for your permission in ways you understand.

Meanwhile, within our borders, telecom companies like Nepal Telecom and Ncell collect vast amounts of user data – call records, locations, and KYC forms. ISPs like WorldLink, Vianet, and Subisu track browsing patterns, devices, and usage histories. Mobile wallets like eSewa and Khalti have access to your financial behaviour. These platforms store everything, and yet most users have no idea where that data lives, how long it's stored, or who can access it.

The consequences are real. In 2020, Foodmandu suffered a significant data breach with over 50,000 customer profiles being leaked, including names, phone numbers, and delivery addresses. That same year, Vianet's data leak exposed the details of around 160,000 users. The information appeared online, available for anyone to misuse. And these are just the cases that became public.

We're now in a situation where data is being used not just to serve us, but to manipulate us. Spam calls. Targeted scams. Fake job offers. Phishing emails. Most of these don't happen randomly. They're triggered by leaked or sold data. Even something as simple as clicking on the wrong link could compromise your information.

So, who owns the data in Nepal? Right now, the answer is murky. It's not the person who generates it, i.e., you. It's the company that collects it, stores it, and profits from it. Whether it's a telecom provider, a delivery app, or an international tech giant, they treat your data as their asset. And without strong legal protections, you have little say in how it's used, how long it's kept, or where it ends up.

Nepal does have some legal provisions around privacy and electronic data, such as the Privacy Act of 2018 and the Electronic Transactions Act. There's also a Data Act draft from 2022 aimed at managing open and public data. But none of these laws form a strong, standalone data protection framework. They lack clear definitions of data ownership, a robust system for obtaining informed consent, a right to deletion, and a dedicated authority to enforce penalties on violators.

Compare this to India, which passed the Digital Personal Data Protection Act in 2023, giving users explicit rights to consent, deletion, and correction – all backed by real penalties for violations. China's Personal Information Protection Law is even stricter, requiring clear consent, imposing heavy penalties, and putting the state at the centre of enforcement. Bangladesh and Pakistan are still developing their frameworks, with draft laws that promise user rights but often fall short on enforcement or clarity.

Nepal, meanwhile, is stuck in a 'collect now, worry later' mindset. With over 39 million mobile connections and 14 million social media users, the country's digital landscape is expanding rapidly, but legal protections aren't keeping pace. As cross-border digital transactions with India grow and more Nepalis embrace online services, the risks of data misuse and breaches only increase.

The way forward is clear: Nepal needs a comprehensive data protection law that defines personal and sensitive data, requires explicit consent, and gives users the right to access, correct, and delete their information. Treating personal data like private property is not just a legal necessity but a fundamental shift in mindset. Until the government enacts strong protections and companies adopt international security standards, Nepalis will remain at risk of exploitation in the digital age. The real power in this new world belongs not just to those who collect data, but to those who understand and control it.

Sitaula is an IT entrepreneur, educator, and machine learning enthusiast