Privacy is not just a constitutional right—it’s our last defense against digital predators. In today’s interconnected world, personal information has become both “precious commodity and prime target for cybercriminals”. Yet across Bhutan, an alarming practice continues unchecked: shopkeepers’ routine collection of customer mobile numbers. This seemingly innocent request masks a serious threat to both individual privacy and national security. With no safeguards against misuse or data breaches, these casually collected numbers create a ticking time bomb of vulnerability. The Royal Monetary Authority must act now before our personal data becomes a weapon against us.

It has become a practice for most shopkeepers requiring customers to provide mobile numbers for verification due to previous inefficiencies within the digital payment systems. The underlying responsibility, however, lies with the RMA and financial institutions to cultivate public trust in digital payment infrastructures. As demonstrated in a recent cybersecurity report detailing over 1,388 incidents over nine years, vulnerabilities in data handling practices have contributed to a growing exposure of personal information to potential abuse. If unregulated and unrestrained collection of mobile numbers by shopkeepers continues, it may not be too long to see a privacy disaster in the country.

Mobile numbers are no longer merely identifiers; they serve as access points to extensive personal and financial information. In Bhutan, as in many nations, a mobile number can serve as a conduit to sensitive data, including bank accounts, email addresses, and social media profiles. Malicious actors with access to such information can exploit it to breach accounts, execute financial fraud, and engage in identity theft. Given the critical role that mobile numbers play in two-factor authentication protocols, the unauthorized collection and retention of this information compromises the very security mechanisms intended to protect individuals.

Moreover, how mobile numbers are recorded by shopkeepers further exacerbates this risk.  Most shopkeepers and retailers retain customer data in unsecured logbooks that are easily accessible to the public. A slight negligence can facilitate unauthorized access to private information, creating an environment ripe for data misuse by unscrupulous parties. Such practices are untenable within a regulatory framework that prioritizes data privacy and security, and it is incumbent upon the RMA to prohibit the informal collection of mobile numbers.

The practice also has broader implications for national security and personal privacy. Unlike other nations where state-provided devices are used for official purposes, government officials in Bhutan often rely on personal mobile numbers for both professional and private communications, some of which may involve sensitive state matters. The indiscriminate collection of mobile numbers from individuals could compromise national security should these numbers fall into the wrong hands. Thus, in addition to consumer protection, there is a compelling state interest in limiting the collection and potential exposure of mobile numbers by commercial entities.

Moving forward, the RMA must take decisive action to protect consumer privacy in Bhutan’s evolving digital landscape. The implementation of robust digital banking platforms, coupled with stringent data protection measures, is no longer optional but imperative. Building on the National Cybersecurity Strategy framework, the RMA should establish clear regulations prohibiting unauthorized collection of mobile numbers by retailers, with substantial penalties for violations. As Bhutan embraces digital transformation, the balance between convenience and security and privacy must tilt firmly toward protecting personal information. The time for regulatory intervention is now—before our casual approach to data privacy leads to irreversible consequences.

Sonam Tshering

Lawyer, Thimphu

Disclaimer: The views expressed in this article are author’s own

Advertisement