India: DPDP Act: Balancing Employee Data & Privacy Rights

1. Introduction

One year ago, in August 2022 the Indian government withdrew the draft Personal Data Protection Bill of 2019¹ which was in the offing for more than four years. In late 2021, the government released a revised version of the 2019 bill which drew a lot of flak particularly from global technology conglomerates like Google, Amazon, Meta, who feared the legislation could restrict how they managed sensitive information while giving government broad powers to access it. Now, a year after the withdrawal of the erstwhile PDP Bill, the Digital Personal Data Protection Act, 2023 ("DPDP Act") has become law. It applies to those employers who collect or process data for various reasons including, amongst others, financial, social security benefits, medical records, insurance claims.

This newsletter discusses certain selective provisions of the DPDP Bill in the context of employee data.

2. The Contours of Privacy & Consent

The question of the right to privacy is one of the most defining issues of our times in today's increasingly digital world. Simply put, it is an individual's right to be free from unwarranted intrusion. Extracting from a discussion on evolution of privacy in various cases and writings, the Puttaswamy judgment observed that "Privacy safeguards individual autonomy and recognizes the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy ....... Privacy attaches to the person since it is an essential facet of the dignity of the human being."

Privacy is a fundamental right because personal information is a core part of who we are as individuals. It is necessary to respect and protect privacy for various reasons including, amongst others, the ability to live freely, control one's identity and determine what, when and if information can be provided to others. This means now, more than ever, there is a need to protect privacy legally and with a strong, fair, and enforceable rights-based regime.

Creating a culture of privacy means (a) limiting collection, use, retention, and disclosure of personal information to what is demonstrably necessary to achieve an organization's objectives and being transparent about such goals; (b) adequately training those dealing with that information on the importance of protecting privacy and implementing monitoring mechanisms to ensure accountability. In other words, organizations cannot take privacy lightly. And this is where providing people with choices around the use, storage, management, and collection of personal information assumes gargantuan proportions. In Europe, EU Data Protection Authorities increasingly imposed fines on companies for non-compliance making it vital for employers and employees to understand when it is appropriate to rely on consent.

Consent is a legitimate reason for processing employee data. Section 6 of DPDP Act discusses consent. It provides consent must be specific, given freely, should be informed and unambiguous. In other words, data subjects must be conscious they are consenting to have their data processed for the specified purpose and limited to such personal data necessary for the stipulated purpose. There should be no coercion of any kind. A data subject can withdraw consent at any time, and it must be as easy to withdraw as it is to give it. Additionally, employers need to be mindful of notice provisions captured in section 5 and legitimate uses in section 7.

Section 5 specifically provides notice must be given each time consent is sought, and where consent has been obtained prior to August 11, 2023, fresh notice must be provided to process data even if consented earlier. There is no format for the notice yet (probably left to rulemaking) and possibly additional requirements could manifest in such delegated legislation.

Section 7 describes "certain legitimate uses" for which personal data can be used and includes all lawful grounds for processing such data. Nine different uses are provided and the most relevant ones for processing personal data outside of a government, emergency or public health context are "voluntary sharing" of personal data under section 7(a) and "employment purposes" under section 7(i). So, according to the section data fiduciaries² may be able to process personal data for the specified purpose for which volitional consent has been provided. A fiduciary may also process personal data without consent for purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service to employees. In other words, at the workplace, details provided by an employee and data collected and processed in relation to employment will qualify as legitimate use. Given the statutory obligations and the time that rulemaking is likely to take, employers must provide complete information regarding the reason for collection of personal data and how it will be used and handled. Currently, the list of "legitimate uses" does not include similar provisions like "contractual necessity" and "legitimate interests" (common in GDPR) but possibly subsequent rules and judicial interpretation may expand "legitimate use" to encompass them.

The importance of transparency in this regard by both parties cannot be overstated. In an ideal world, there should be a level-playing field between the data principal (employee in this case) and the data fiduciary (employer), though in the real world that is often not the case. Most employment contracts now have standard consent provisions. In due course, questions will arise on different aspects regarding withdrawal or limitations on consent in the employment context. It remains to be seen who will have the burden of protection of privacy – the individual or the organization. Currently it appears that such a burden is on the individual, paradoxically the one whose right is to be protected!

3. Processing Employee Data

In times to come, employers will be held to a higher degree of accountability regarding data processing activities and should be able to demonstrate how they comply with the general data protection principles as well as the new statute.

For starters and as noted, they must be clear and unambiguous about how they use and safeguard their workforce's personal data, both within and outside the organization. Employers will need to learn how to catalogue personal data, if not done already. And, in the process understand how and why it was obtained, the duration for which it will be retained, its accessibility and security features, what third parties may have to become privy to it and rationale thereof. Generally, an employer ought to process employee personal data based on genuine requirements. For instance, now inputting the Aadhar number (equivalent to a US social security number) and PAN (a tax number of an individual or a company) is mandatory for processing employment related social benefits like provident fund, gratuity with statutory agencies as, practically, most government agencies and even private organizations only use Aadhar and/or PAN numbers for identifying individuals. Hence, it will be necessary to process personal data to perform obligations of an employer.

4. Action Steps for Employers

The DPDP Act emphasizes purpose limitation and the principle of accountability. Under section 8, data fiduciaries have multiple obligations since they are "responsible for complying" with the statute and any subsequent implementation rules. Like GDPR, this is true for processing undertaken by them and by any other processor on their behalf. Additionally, it will be essential for employers to pay heed to the following:

• Right to Correct: Employees have a right to know what data an employer has on file about them and the right to correct, complete, update and erase this data. HR professionals should reflect on this provision and document what happens to employee data when employment is terminated.
• Data Access: Employers must have procedures in place to respond to personal data access requests from employees. Section 11 permits them to even seek identities of all data fiduciaries with whom data has been shared as well as the description of data shared.
• Transferring Personal Data: Organizations where payroll or financial matters like accounting or bookkeeping is subcontracted to external vendors, will need to revisit their existing contracts to ensure there are obligations on such vendors to have safeguard mechanisms to protect personal data.
• Record-keeping: Organizations should retain data for the duration it takes to complete the task it was collected for, or as required by law. This should also be aligned with document retention policies so, if necessary, companies are able to justify why data was retained.
• Security safeguards: This is extremely critical. Data must be protected by appropriate technical and organizational measures as well as security safeguards to prevent data breaches and ensure effective implementation of the law. This also applies where the employer engages other third-party processors for, say, payroll management. Employers must re-verify security measures and demonstrate they are aligned with security obligations. And breach will require the employer to notify each impacted employee as well as Data Protection Board. The mode of such notification has yet to be prescribed.
• Data breaches: Currently, the reporting of data breaches is not detailed but the Government is conferred broad discretion to further specify the provisions of the Act through delegated legislation, including details related to data breach notifications. Until such details are notified, data fiduciaries must devise reasonable security standards to prevent any breach and ensure they have systems and processes in place to identify when a breach occurs and how it must be handled.
• Grievance Redressal: Organizations shall require data grievance redressal mechanisms in place and respond to the employee in the prescribed time, which is yet to be notified.
• Data protection officer: While GDPR mandates some organizations to appoint such a DPO, like those involved in large-scale data processing, or those which process sensitive or special category data, the DPDP Act empowers the Government to designate any data fiduciary or class of data fiduciaries as a "Significant Data Fiduciary" applying criterion³ that lack quantifiable thresholds. If an organization qualifies as one in the future, then it will need to appoint a DPO, based in India who will be the primary contact for grievance redressal mechanism. So, while nothing is required in this regard at the moment but it will be important to revisit this as and when the government issues notifications in this regard.

It goes without saying that employers will have to comply with the DPDP Act and put adequate policies and procedures in place. Penalties for data breaches are provided in a Schedule to the Act and are massive, ranging from INR 10,000 to INR 2.5 billion (about USD 120 to USD 31 million).

5. Conclusion

Clearly, data protection and privacy are important for businesses and, increasingly, consumers will prefer organizations with strong data privacy framework. We are inching to the end of 2023 and while a data protection law is finally in place, yet, India has only just about started.

In practice, it is expected it will take time for the new Data Protection Board to be established and for rules to be issued in key areas for compliance. Additionally, the Digital India Act, expected to replace the Information Technology Act and Rules of 2000. Once enacted, this law will address online safety, cybersecurity, Artificial Intelligence regulation and surveillance matters. It will be interesting to see potential overlap and inconsistencies between this statute and DPDP Act. Yet it goes without saying it is better to make a start than continuously debate over various iterations of data protection legislation which, in this case, has gone one for more than half a decade! At the bare minimum, while other aspects get notified gradually, organizations need to gear up, ensure they have a data protection policy in place, navigate the law to ensure they balance privacy rights with data processing and, of course, train the employees. Treating privacy as a fundamental right means creating a culture of privacy where it is prioritized, valued, and protected!

Footnotes

1. In 2018 a panel led by Justice Srikrishna prepared a draft data protection bill, introduced in 2019. Following stakeholder comments, a Joint Committee of Parliament provided recommendations along with a draft Bill in November 2021 which contained numerous amendments to the original bill.

2. A "data fiduciary" is the entity that determines the purposes and means of processing of personal data, alone or in conjunction with others, and is the equivalent to a "data controller" under GDPR.

3. Factors range from assessing volume and sensitivity of personal data processed and the risk posed to the rights of data principals, to broader societal and national sovereignty and integrity concerns, security of the state and public order!

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.