The 72-hour time period given for the amendment of the 'Information Technology and Cyber Security Bill, 2082' registered in the House of Representatives of the Parliament is ending on Sunday.

Meanwhile, Digital Rights Nepal, an organization of digital rights activists, published an analysis of the bill and concluded that some of the provisions contained in it are unclear, incomplete and problematic. Freedom of expression, data protection, liability of service providers, domain name management, legal protection against gender violence and other issues have been suggested for improvement. According to

bill stipulates that the service provider must keep the user's data only for a 'specified period', it has been commented that it weakens the basic principles such as 'data minimization and purpose limitation' as it is not clear which body will determine the period. It is said that the 'security standards' mentioned in Sections 63 and 112 are also unclear and should be legally clarified with a transparent process, mandatory consultation and regular review. Although the analysis, section 88 (1) of the bill states that the production or transmission of obscene material by any electronic system or means is punishable by imprisonment for two years or a fine of two lakh rupees, but there is no definition of 'obscene material'. In the analysis paper, it is called legal ambiguity. "Creations published in the media, expressed by ordinary citizens or created by an artist expressing his imagination may be misused by any regulatory body," the analysis says, "This may have a direct impact on freedom of expression, artistic freedom and the right to present independent ideas in digital media." And even though the basic rules for destruction have been introduced, it is mentioned that these rules are incomplete. "There is no provision in the bill about the rights of the data holder in personal details and information," the analysis said, "for example, the bill does not include the right of access to his data, the right to correct incorrect data, the right to delete his data, the right to stop or oppose the improper use of his data, the protection against automatic decision/profiling, etc." However, no special security measures other than encryption have been provided for such sensitive data. A warning has been given that data breach or misuse may result in major losses. It has been concluded that a comprehensive data protection law is necessary as there is no mention of special protective measures other than encryption for sensitive data, no standards have been set for cross-border data transfer, and no complaint procedure has been set for victims. Although section 65 of the

bill provides for continuous monitoring of sensitive information infrastructure, it has been criticized for not giving a definition. As this gives the government permission to declare arbitrary information structures as 'sensitive' through the Nepal Gazette, it is suggested to set a limited scope through a clear definition and risk assessment process as there is a risk of misuse. In the

bill, it is also mentioned that sexual violence through the use of technology like cyber stalking, sextortion, cyber bullying is not addressed. Although the government has said in the past that new laws are necessary to prevent such crimes, it is said that the lack of provision in this bill is a serious weakness. Sections 39 to 41 related to domain names have also been considered unclear and impractical in the analysis paper. In particular, the Nepal government can regulate even international domains such as dotcom, dotorg, dotnet, the protected name list is highly restrictive and there is no dispute resolution mechanism. It is mentioned that the definition of