The Bhutanese Leading the way.
As the debate on the 10% tax on fixed deposits raged online, as proposed in the Income Tax Bill 2025, the Finance Minister, Lekey Dorji, entered the debate through his personal Facebook page sharing a series of data on individual and institutional fixed deposit holders.
The data shared by the Finance Minister, and particularly that 856 accounts made up around half the Nu 18.558 billion in fixed deposits, out of 12,933 individual fixed deposit holders, had a major impact as it got amplified online and was reported on by media outlets. It even changed the debate as more people came out to support the tax.
However, this may have come at a major violation of the privacy of fixed deposit holders. This paper has learnt that the Finance Minister was not only given the overall data on fixed deposit account holders, but the information also contained the names of the account holders and their individual deposits, and especially so for larger depositors.
In fact, this information was leaked out to the point that a media report could even pinpoint the highest and second highest amounts in fixed deposits. There were more whispers, and the fixed deposits of a major social media personality opposing the tax on the deposits were also known, though no media house published the name and the amount.
This is a major violation as the personal financial information of a person can be got from a bank, only after a court order, and that too, after convincing the court for the need of such information.
This reporter repeatedly called and messaged the Finance Minister over two days to find out from where he got the Fixed Deposit information but there was no response.
Violation of Constitution and CCPC
The Civil and Criminal Procedure Code (CCPC) in Chapter 9 titled ‘Information Privileged from Discovery’ while in court proceedings under section 56 titled Financial Information says, “Discovery of defendant’s financial situation is generally not permitted except when punitive damages are sought.”
Since the CCPC is a procedure law the section 56 overrules everything and makes it clear that personal financial information is to be kept secret unless authorized by the court for specific purposes.
A retired senior Judge, on the condition of anonymity, said Article 7 section 19 of the Constitution guarantees the right to privacy to Bhutanese citizens as a fundamental right. The section says, “A person shall not be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence nor to unlawful attacks on the persons honour and reputation.”
The former judge said this information includes financial information apart from medical records and others. He said even investigative agencies have to get court orders to access SMS messages.
A senior lawyer said, “After the Finance Minister posted the lists and break up on his Facebook, my family members were discussing the list, and I told them not to as it is a violation of privacy. In a small society like Bhutan, we don’t even need names as everybody can guess who the person is. The actions of the minister are an infringement of not only the Right to Privacy but also the Right To Property.”
“Unless you have a court warrant, you cannot give private financial information and even if you get such a court warrant, you cannot go announcing that information on the social media. A person doing so can be sued,” added the lawyer.
The lawyer said that, as an example, if the Department of Revenue and Customs suspects a person or company is not being truthful with income taxes then the Department has to approach the court and get an order to get the information.
The lawyer said the Financial Institutions, or whichever institution, has handed over this information to the minister has committed a breach of trust.
“The Bank is the custodian of the money and information, and sharing such information is a breach of trust. If this was done by banks in other countries, they may even be bankrupt by now, with customers losing confidence,” said the lawyer.
The lawyer said that the court will also consider if the offences are cognizable (serious crimes) or not.
Bankers say it wasn’t me
The paper talked to three senior bankers, on the condition of anonymity, from three major banks and all of them insisted that their banks had not given the information of the clients to the Finance Minister.
One of the bankers said, “Even if we know, a husband and wife couple, and next day the wife comes and wants to know about her husband’s account statement, we do not share it with her and instead ask her to get an authorization from the husband.”
The banker said that they will disclose client information only after getting a court order.
Two of the senior bankers said that it is likely that somebody from RMA must have given the information.
The third banker confirmed that they share not only the fixed deposit details, but also the account holder’s names with the RMA which they are supposed to do so by law. The third banker also checked with his relevant department officials and said they did not provide any information to the Finance Minister.
This paper then called two senior RMA officials.
The first RMA official said his particular department did not share any information, unless the Finance Minister got some overall information on total number of deposits as the RMA publishes information in the Monthly Statistical Bulletin, where the total number of deposits are given. This official said that information with names of clients cannot be shared.
Another senior RMA official said it is okay to share information like deposits above Nu 1 million, etc.,but sharing of client’s names even with the Finance Minister is wrong and against the law.
With banks insisting that they did not share the information, and them laying the blame on RMA, and RMA not accepting the blame, it leaves open the question on who shared the confidential client information.
Information sought by Minister and not MoF
It has been learnt that the information which was sought on depositors was not by the Ministry of Finance (MoF) as an institution, as part of some official report, but by the minister in his own capacity.
A MoF official said that while the minister may have requested the information on overall deposits, it is not the fault of the minister if the sender sent the account names too. The official said that the minister is not in breach as he did not reveal individual names in the Facebook posts, but the institution that gave him the names is in breach of privacy.
The official said that the ministry is careful about privacy, as in the past ,when it came to giving an award to the top taxpayer, the ministry would only do so after seeking consent to reveal the identity of the top tax payer.
Violation of Penal Code and ICM Act
Another lawyer said that wherever the information came from, it undermines confidence in the banking system.
People may not be aware, but they can get into a lot of legal trouble by violating privacy.
In the Bhutan Penal Code sections 468 to 471 under Chapter 30 lists out the offences against privacy.
In section 468 a defendant shall be guilty the offence of eavesdropping, if the defendant unlawfully engages in wiretapping, mechanical overhearing of conversation, or intercepting or accessing of an electronic communication. The offence of eavesdropping is a misdemeanor.
Under section 470 a defendant shall be guilty of the offence of an unauthorized opening of mail or parcel, if the defendant without lawful warrant intercepts and opens any mail or parcel not addressed to the defendant. The offence of the unauthorized opening of mail or parcel shall be a felony of the fourth degree.
Under section 474 a defendant shall be guilty of the offence of unlawful possession of computer materials, if the defendant knowingly possesses in any form any copy, reproduction, or duplicate of any computer data procured by someone else with intent to benefit the defendant or a person other than the owner thereof. The offence of unlawful possession of computer materials shall be a petty misdemeanor.
Sections 172 to 179 of the CCPC protects individuals from unlawful search and seizure of property or information.
The Information and Communication Act 2018 under Chapter 21 titled ‘Data Protection’ lists out sections 384 to 386 protecting the privacy of people. It lists out the principles governing collection of data electronically and its disclosure.
Under section 384 ‘A person shall obtain the express written permission of the subject for the collection, collation or processing of any personal information, unless permitted or required to do so by law.’
Section 385 reads, ‘A person shall not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorized to do so in writing by the concerned person.’
Section 386 states, “The person possessing, dealing or handling any personal data, including sensitive personal data or information shall delete or destroy all personal information which has become obsolete. Provided that the person may use that personal information for statistical purposes as long as the profiles or statistical data cannot be linked to any person by a third party.”
Chapter 22 list out the offences and penalties for violating data privacy.
Section 387 which is on ‘Failure to protect data’ says, “Where any person possessing, dealing or handling any personal data including sensitive personal data or information in a computer or computer network or data or computer database or software which the person owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such person shall be liable to pay compensation to the victim for the damage caused, as determined by the Court.”
Section 388 which is on ‘Unlawful Disclosure of data or information’ says, “A person having secured access to any material containing personal data or information about another person, with the intent to cause or knowing that it is likely to cause wrongful loss or wrongful gain, discloses such data or information without the consent of the person concerned or in breach of a lawful contract, shall be liable for offence of misdemeanor and shall pay compensation to the victim for the damage caused, as determined by the Court.”
Section 389 which is on ‘Unauthorized downloading, copying and extraction of data’ says, “A person, who without lawful permission of the owner or any other person who is in charge of a computer or computer network, downloads, copies or extracts any data, computer database or information from the computer or computer network shall be liable for offence of misdemeanor and shall pay compensation to the victim for the damage caused, as determined by the Court.”
Bhutan does not have a Data Protection Law but the above two chapters are the closest that come to it.
A Member of Parliament from the Opposition Party commenting on the Finance Minister’s disclosure and the information given to him said, “This is privileged information that should not go out to public. This is extremely private information for personal consumption and the government cannot use it to influence tax decisions.”
The MP said that even an agency like the Anti-Corruption Commission (ACC) had to seek court orders and follow due process to get personal information.
Business people say faith in system shaken
The paper also talked to two prominent businesspeople on their feelings on the issue.
The first businessman said that data protection even in the banks is very poor. He said he once asked for some bank information on his loan, but the bank employee forwarded him not only his loan information but that of another 6,000 to 7,000 loan accounts.
He said that civil servants will guard information that benefits them, but they can be quite careless in sharing even private data of citizens within the system.
He said the revelations of the Finance Minister and the privacy breach shakes the confidence in the system. He said at a time when there are so many Bhutanese abroad, privacy breaches like this can even lead to Bhutanese keeping their money in bank accounts abroad.
He said ordinary Bhutanese puts up with a lot unlike in the west, but it is not nice that this is happening.
Another businessman said, “What has happened is absolutely wrong because in a small society such things (fixed deposit information) is not looked at positively”
He said that on one hand government officials are leaking private information, and on the other hand the new Income Tax Bill 2025 enhances their powers to arbitrarily collect more information.
Enhanced search powers in new Income Tax Bill
In the current Income Tax Act 2001 it says that a search without a court warrant may be done if there exists an imminent risk of disposing or destroying evidence of tax evasion; or there exists reasonable cause to believe that the premise, houses goods or documents that may be required in the process of investigation.
Where a search without warrant is conducted, the court shall be informed in writing with grounds for the search within 24 hours or the next working day.
Also, only a tax officer not below the rank of Assistant Commissioner may conduct the search of premises.
However, in the Income Tax Bill 2025 the search and seizure powers are expanded.
Section 533 says “For the purposes of the administration of this Act, the Department: must have, at all times and with or without court order, full and free access to any premises, place, property, records, or data storage device; may make an extract or copy of any records to which access is obtained under subsection (1)”
Where the Department exercises search without court order, the Department must file a statement in writing with grounds for the search with a court of competent jurisdiction as soon as reasonably possible, but in any case, not longer than 72 hours.
It says an authorized officer is permitted to exercise powers under this section.
Breach at a time when citizens information is all going online
The privacy breach in the case of the fixed deposits comes at a time when increasingly a lot of people’s private information, like medical records, land records, legal records, tax information, bank records, share holding records, educational records, career records, legal records, business records, trade secrets, etc., are not only being moved online but also integrated in interconnected server systems.
It also comes at a time when a lot of services are made available online, which means the information is also available online to a lot of official intermediaries.
If bank records privacy is not respected then what is the guarantee that a person’s medical records can stay private or will not be misused by people managing them or getting access to them.
In a time when the government and other systems are storing more and more information on people without proper safeguards or a culture and system of privacy and its enforcement, then the risk of major privacy breaches and misuse of personal information is only growing.
An official from the Gov Tech Agency said they have been sending regular reminders to agencies saying what information can be shared or not, and the agency will continue to do so.
