Eyes Everywhere

The Erosion of Employee Privacy Under the DPDP Act  

**Shreyas Mishra

Introduction

The employer-employee relationship has always been an evolving contest. With the rise of labour movements, employees and workers have regained rights that were long owed to them. Employers, however, have been reluctant to relinquish the control they exercise over their workforce. To maintain that control, they employ various forms of surveillance to monitor their employees. This control often fosters a sense of authority among employers, and the misconception that it is their inherent right to watch over and direct their employees. 

The desire for control can get employers carried away, erasing the line between work and personal life as they seek to keep an eye on every aspect of their employees’ lives, often far beyond the scope of employment. Digitalisation and technological advancement facilitate this further, equipping employers with new tools to covertly monitor their employees around the clock. With the deep pockets and political influence they enjoy, employers are able to take this a step further and legitimise their surveillance through legislative reform. Such is the case in India, where the new data protection law, introduced with the intent to safeguard the fundamental right to privacy, ironically protects employers instead when they violate their employees’ privacy. The Digital Personal Data Protection Act, 2023, using vague and overbroad terminology, carves out an exception under which employers may process their employees’ data without consent, a notion that the earlier draft of the law openly called ‘deemed consent’. Much is wrong with India’s new data protection regime, from this very pretence of consent to the creation of exceptions that strip employees of their right to privacy and leave them without effective recourse when their employers violate it. 

The Paradox of Deemed Consent

Privacy, as Professor Alan Westin puts it, is “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” This element of self-determination, which turns on consent, is the cornerstone on which privacy rests. Data protection laws globally place great emphasis on consent. It serves as a legal basis for processing personal data under the GDPR, where Article 4(11) defines it as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Recital 32, explaining the conditions of consent, likewise requires a “freely given, specific, informed and unambiguous indication”, and adds that acts which are not clearly affirmative, such as “silence, pre-ticked boxes or inactivity”, should not be construed as consent. By safeguarding individuals’ control over their data through affirmative consent, the GDPR reinforces the principle that privacy is fundamentally about autonomy. This approach also treats data subjects as active participants in decisions about their personal data rather than passive recipients of data processing practices, and in doing so promotes transparency and accountability among the organisations that handle such data. 

On the surface, the Digital Personal Data Protection Act seems like a progressive law: like the GDPR, it provides for consent as a ground for processing personal data, and section 6 of the Act defines consent by reiterating the European requirements that it be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”. The catch lies in another provision, section 4(1)(b), which allows personal data to be processed for “certain legitimate uses”. These uses may appear legitimate at first glance, until one considers the last of them. Section 7(i) states that “A Data Fiduciary may process personal data of a Data Principal… (i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.” 

The DPDP Bill, 2022, under section 8, allowed data to be processed on the basis of “deemed consent” for certain purposes. While the DPDP Act, 2023 repackages “deemed consent” as processing for “certain legitimate uses”, the purposes for which personal data may be processed without explicit consent remain the same. 

This concept of ‘deemed consent’ is fraught with problems and has severe implications for employees’ right to privacy. To begin with, the idea of ‘deemed consent’ is itself paradoxical. It is not the same as implied consent, which is a practical inference of an individual’s consent drawn from their behaviour or the circumstances surrounding an action when consent is not explicitly given. Deemed consent arises when an individual’s consent is not provided at all but is simply presumed by law in certain situations, without much regard for whether the individual would in fact have granted it. The presumption is a legal fiction, resting on no inference about the individual’s actual intent. It undermines the very foundation of the principle of consent by supposing that consent need not be expressly given and may instead be inferred on one’s behalf, here on behalf of employees. Deemed consent erodes whatever autonomy or agency an employee holds over their personal data. When consent is presumed on behalf of employees, it amounts to a relinquishment of control over any information concerning them, leading to a work environment in which privacy stands substantially compromised.

Effectively, employees are left with a profound lack of real choices. Because of the inherently skewed dynamics of the workplace, employees often feel pressured to agree to the processing of their data from the outset, resulting in coerced consent. Deemed consent takes this a step further: unlike coerced consent, it keeps employees in the dark about what data of theirs is being processed, leaving them unaware of the extent of the personal information being handled and further exposing them to its breach and misuse. If employees do not know what data is being processed, they cannot take the precautions needed to protect it. The absence of disclosure about what personal data is collected makes it difficult for employees to assess whether they want to opt out, and if one does not know the nature or substance of the data being processed, what exactly is there to opt out of? This lack of information renders privacy at the workplace, and beyond, virtually meaningless. That the exception to privacy rights is carved out against employees, while the defence for infringing those rights is vested in employers, raises further legal and ethical concerns. 

In the workplace, adherence to data ethics raises certain key concerns for employers. First, purpose limitation asks whether collected data is being used for the purpose for which it was gathered. Repurposing that data without the employee’s informed consent, or using (rather, misusing) it beyond the purposes for which it was originally collected, is ethically dubious. Data subjects ought to be informed of the intended use of their data, in keeping with the standard of transparency and to prevent its manipulation. Questions also arise about the measures adopted to protect such data: whether and how it is handled securely, and who is responsible for its eventual destruction. Taken together, these ethical standards reinforce a fiduciary, and not merely legal, obligation on employers to treat employees’ personal data with respect and fairness.

A Deviation from Global Privacy Standards

Consent serves as one of the lawful bases for processing personal data, but not the only one. Legal frameworks do provide for circumstances where data may be processed without the need for consent. This has been recognized globally, such as in Europe, where under the GDPR, data may be processed without consent in necessary circumstances such as for the performance of a contract to which the data subject is a party, compliance with a legal obligation, or protection of the vital interests of the data subject. Pertinently, the processing of data under any of these grounds requires adherence to certain principles laid out in Article 5 of GDPR itself, such as lawfulness, fairness and transparency, limitation of processing to the purpose for which the data was obtained, ensuring its accuracy and requiring adoption of appropriate security measures for the personal data to protect its integrity and confidentiality. The provision also explicitly states that “the controller shall be responsible for, and be able to demonstrate compliance with” these principles.

The concept of deemed consent, which permits data processing without explicit consent under certain conditions, was itself borrowed from the Personal Data Protection Act of Singapore, which states: “an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if (a) the individual … voluntarily provides the personal data to the organisation for that purpose; and (b) it is reasonable that the individual would voluntarily provide the data”. The element of reasonableness is clarified by the Personal Data Protection Commission of Singapore, whose advisory guidelines state that “The purposes (for which an organization may process data based on deemed consent) are limited to those that are objectively obvious and reasonably appropriate from the surrounding circumstances.”

The intent of the Indian legislation, however, raises ethical questions. While the DPDP Bill 2022 attempted to draw from Singaporean law, the broader aim was apparently to expand its scope well beyond global standards. Adopting the concept of deemed consent as Singapore frames it would have been an impediment, since there is only so much that can be presumed on one’s behalf. Both qualifiers in the Singaporean PDPA would be difficult to get around, given that the underlying intent of the Indian legislation has been to allow the processing of personal data without any real requirement of consent. Employees are generally wary of the misuse of their personal data at the workplace, and cautious about the personal data they voluntarily permit to be processed when given the choice. To presume that “it is reasonable that the individual would voluntarily provide the data” in the Indian context appears, well, quite unreasonable. Foreseeing the consequences of importing “deemed consent”, the legislature backtracked and returned with an amended version. As a result, the law in its current form has quietly replaced “deemed consent” with “certain legitimate uses”. The purposes for which data may be processed, whether under deemed consent in the DPDP Bill 2022 or under legitimate uses in the DPDP Act, 2023, remain exactly the same.

Is it a Constitutional Overreach?

In a unanimous decision by a nine-judge bench in “Puttaswamy v. Union of India” (“Puttaswamy I”), the right to privacy was held to be a fundamental right under Article 21. To determine the constitutionality of the Aadhaar Act, the five-judge bench in Puttaswamy II, in the majority opinion authored by Justice Sikri, relied on the test of proportionality, building on the Court’s stance in the Modern Dental College case. In laying out the test, the Court required four ingredients to be satisfied: 

“(a) A measure restricting a right must have a legitimate goal (legitimate goal stage).

(b) It must be a suitable means of furthering this goal (suitability or rational connection stage).

(c) There must not be any less restrictive but equally effective alternative (necessity stage).

(d) The measure must not have a disproportionate impact on the right holder (balancing stage).”

Does section 7(i) of the DPDP Act pass this test of proportionality? The answer appears to be in the negative. Firstly, the objective of the provision is not clearly stated, which makes its legitimacy difficult to assess. It allows an employer, as Data Fiduciary, to process personal data under something as vaguely defined as the “purposes of employment”. Terms like “corporate espionage” and “maintenance of confidentiality”, which are nowhere delineated, leave wide room for interpretation as to what counts as acceptable processing. This pro-employer provision, which is inherently ambiguous, perhaps intentionally so, risks enabling excessive data collection under the pretext of legitimate business interests. 

Secondly, the broad authorisation of non-consensual data processing by employers has no logical connection to the goals it purports to serve. When data is processed on the basis of consent, the Act confers additional rights on the Data Principal: under Section 5, the right to be given notice of the data and the purpose for which it is processed; under Section 11, the right to access a summary of the data being processed and the identities of those with whom it is shared; and under Section 12, the right to correction and erasure of personal data.

These rights, however, attach only to consensual processing, not to the non-consensual processing of employees’ data. This makes the law highly inequitable for employees, not merely because they are selectively excluded from data protection rights, but because that exclusion removes their ability to act against the misuse and exploitation of their data. Non-consensual collection of personal data, coupled with the withdrawal of these protections, allows data to be processed unchecked, parts of which are susceptible to misuse for surveillance of employees. 

Moreover, if such a broadly worded provision were interpreted literally, virtually any act of surveillance could be deemed permissible. To prevent corporate “espionage”, an employer might argue that round-the-clock monitoring of its employees is necessary, a rationale that strains logic and extends far beyond the scope of employment. Any presumption that an employee would otherwise have consented to the processing of their data, had the deemed-consent provision not existed, is also misplaced: as Recital 43 of the GDPR explains, consent is not considered freely given where there is a “clear imbalance between the data subject and the controller”, an imbalance inherent in the employment relationship, where the employee’s livelihood is at stake. The law fails to account for such intrusive conduct by employers and instead enables it, reflecting scant regard for the privacy of employees. 

Lastly, the provision fails the remaining two ingredients of proportionality, the necessity stage and the balancing stage. The necessity stage requires that there be no alternative that is “less restrictive but equally effective”. It is questionable why an employer would need an open-ended licence to process employees’ personal data, potentially reaching into their personal lives, merely “for the purposes of employment”. Less intrusive measures are available, such as stronger cybersecurity controls at the workplace, sensitising and training employees on data handling, and enforcing confidentiality agreements. Similarly, for the “prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information”, non-disclosure agreements are already routinely imposed on employees, and an employer may sue for breach of contract when one is violated. Trade secret misappropriation has given rise to numerous lawsuits globally, and an employee found liable may be made to pay for losses and compensatory damages. Encroaching on employees’ privacy on mere suspicion of such misappropriation, by contrast, is unreasonable and would equip employers with unchecked surveillance powers, a disproportionate impact on the right holders. 

Conclusion

It is ironic that a law devised to safeguard the right to privacy stands accused of undermining what it ostensibly seeks to protect. As India’s primary data protection legislation, the Digital Personal Data Protection (DPDP) Act is expected to set the foundational standard for how personal data is collected and used. In its current form, the law fails to meet this expectation where work and employment are concerned. Its ambiguous wording, coupled with the denial to employees of any right to access information about the data collected or to request its correction or deletion, allows unchecked surveillance by employers. The informational asymmetry is worsened by the absence of any opt-out mechanism, leaving employers free to retain their employees’ personal data for as long as they can assert an employment-related purpose. Processing of employee data must therefore satisfy the tests of necessity and proportionality, and Section 7(i) should be redrafted, if not eliminated, so that it enumerates and restricts the data that can be processed without consent, for explicitly defined employment-related purposes.

**Shreyas Mishra is an undergraduate law student at the National University of Juridical Sciences (NUJS), Kolkata, with a keen interest in exploring diverse legal perspectives and contributing to academic discourse.

Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.