
The Unconstitutionality of Section 7(i) of the Data Protection Act [Guest Post] – Constitutional Law and Philosophy


[This is a guest post by Chytanya S. Agarwal.]


Section 7(i) of the Digital Personal Data Protection Act, 2023 (‘DPDPA’ or ‘the Act’), read with Sections 2(d) and 4(1)(b), allows employers to non-consensually ‘process’ personal data of employees for ‘purposes of employment’ or for preventing ‘liability or loss’ to the employer. Section 7(i) reads as follows:

7. Certain legitimate uses: A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— (i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

The provision non-exhaustively lists corporate espionage and breach of confidentiality as instances of ‘liability or loss’ to the employer. However, it provides no guidance as to what the phrase ‘purposes of employment’ entails. Once these undefined grounds are triggered, employers are empowered to non-consensually ‘process’ employees’ data without any constraints. ‘Processing’, defined widely under Section 2(x), includes surveillance, use, and dissemination of personal data.

In this blog post, I question the constitutionality of this blanket exemption for employer-led non-consensual data processing based on the ambiguous drafting of Section 7(i). My argument is three-fold: firstly, Section 7(i) violates the right to privacy by failing Puttaswamy (Aadhar-5J)’s test of proportionality; secondly, Section 7(i) is hit by the manifest arbitrariness doctrine under Article 14; and thirdly, furthering the Article 14 argument, I argue that the DPDPA itself does not envisage restrictions on Section 7(i) even by way of subordinate legislation. The absence of clear rule-making provisions for Section 7(i) implies that any delegated legislation restricting the exemption would be ultra vires the Parent Act. Thus, the Act, by design, vests employers with unrestrained surveillance powers, strengthening the Article 14 argument.

I. Right to Privacy

Per KS Puttaswamy (Privacy-9J) [(2017) 10 SCC 1, ¶320-326], the right to privacy emanates from the guarantee of life and personal liberty under Articles 19 and 21. Privacy is a state of freedom from intrusion, with an “effective guarantee of a zone of internal freedom”, and cannot cease in the public sphere. It is the springboard for enjoyment of all Article 19(1) freedoms (Puttaswamy-9J, ¶402-3, ¶412, Bobde J.). Surveillance per se constitutes a restriction on the right to privacy as per Justice Subba Rao’s minority opinion in Kharak Singh v. State of U.P., which was upheld by Puttaswamy (9J). Thus, employer-led surveillance under Section 7(i) is ipso facto an Article 19/21 restriction. This prima facie restriction dislodges the presumption of constitutionality in favour of Section 7(i).

In the Puttaswamy cases, the right to privacy was claimed against the State. In contrast, surveillance under Section 7(i) predominantly concerns private employers, in addition to instrumentalities of the State. This issue of claiming the right to privacy against private actors is no longer res integra in light of Kaushal Kishor [(2023) 4 SCC 1]. The majority in Kaushal Kishor (¶83) held that rights under Articles 19 and 21 are enforceable even against private persons. In other words, the State has a positive duty to protect rights under Articles 19 and 21 from threats by non-State actors. Despite the conceptual errors in Kaushal Kishor, I invoke this positive duty of the State and argue that the State failed to perform its duty insofar as Section 7(i) gives a blanket and unlimited exemption to private employers for restricting the privacy of employees. Per Puttaswamy (5J) [(2019) 1 SCC 1], any restriction on the right to privacy must pass the test of proportionality. I present a bare-bones prong-wise application of the proportionality test.

Legitimate Aim: This requires that the rights-restrictive measure must be traceable to reasonable restrictions in Part III. Per Kaushal Kishor, restrictions on Article 19(1)(a) enumerated in Article 19(2) are exhaustive and additional grounds of restriction cannot be imported to curtail 19(1)(a) rights. “Purposes of employment” do not find any remote mention within 19(2) grounds. Nor can they be traced to ‘public order’ or ‘morality’, given their narrow interpretation in past judgements [see Anuradha Bhasin v. Union of India, (2020) 3 SCC 637]. However, the restrictions under Article 21 are broad and unenumerated – it can be validly restricted by the procedure established by the law. For the sake of simplicity, we assume arguendo that this prong is fulfilled.

Suitability: This requires that the rights-restrictive measure must have a rational nexus to the object sought to be achieved. That is, the means should reasonably further their objects. This approach is deferential to the rights-restrictive measure. The enquiry is confined to assessment of a relationship between means and ends. So long as the means advance the ends to any degree, the suitability prong is fulfilled. Due to the deferential nature of enquiry, we assume that Section 7(i) fulfils the second prong.

Necessity: The necessity prong, per Modern Dental College (¶53-58), requires the absence of equally effective and less rights-restrictive measures. Puttaswamy-5J tempered the strictness of the necessity prong by incorporating Bilchitz’s ‘moderate interpretation of necessity’ test. Instead of being “equally effective”, such alternative measures must realise the object in a “real and substantial manner”. While my enquiry here is not exhaustive, I adduce Section 13 of the Personal Data Protection Bill, 2019, as a feasible alternative. This provision was based on the recommendations of the Justice BN Srikrishna Committee Report. Section 13 has the following restrictions:

  1. Non-consensual processing of employee’s personal data excludes sensitive personal data.
  2. This provision comes into effect only if consent of data principal (employee) is not appropriate or involves disproportionate effort on part of data fiduciary (employer).
  3. Purpose Limitation: The purposes for which such data may be processed are limited to 4 situations: recruitment and termination; provision of service/benefit sought by employee; attendance verification; and assessment of performance of employee.

Section 13 of the 2019 Bill substantially fulfils the purpose of Section 7(i) – it provides for monitoring for the purposes of assessing performance and protecting confidentiality. Section 13 of the 2019 Bill is also less rights-restrictive vis-à-vis Section 7(i) for one main reason: the exemption does not extend to sensitive personal data. Thus, Section 7(i) fails the necessity analysis.

It is worth noting here that in Ramesh Chandra Sharma v State of Uttar Pradesh, the Supreme Court added a fifth prong to the test of proportionality, viz., “adequate safeguards”. However, as argued by Rudraksh Lakra, this prong already pre-exists within the necessity stage of the proportionality test. If we assess Section 7(i) in the light of this, it visibly lacks adequate safeguards on the extent to which employers can non-consensually process employees’ personal data.

Balancing or ‘proportionality stricto sensu’: This final prong requires that the restriction on the right should be balanced with the benefit gained from such restriction. It requires a comparative assessment of the net gain, i.e., whether the positive benefits of the restriction outweigh the negative impact on the right. In this regard, I invoke Schmitz’s economic theory of workplace surveillance. Per Schmitz, privacy laws can be justified even on the basis of non-moral, economic values because they maximise the total surplus produced by an employer and employee. Schmitz employs a principal-agent model where the employer seeks to induce extra effort from the wealth-constrained employee. Because effort is unobservable, employers pay efficiency wages to incentivise unobservable effort. Such incentives are called positive rents. To reduce this rent, employers invest in surveillance technologies. However, the employer’s sole interest is to maximise their own profit and not the total surplus.

Per Schmitz, just to reduce positive rents, an employer might invest in surveillance technology even if the monitoring costs exceed the additional surplus generated by the higher effort level. Here, the employer wastes resources to redistribute wealth from the employee to themselves without any increase in total surplus. Schmitz argues that privacy protection laws at the workplace prevent this “socially wasteful rent-seeking,” thereby increasing the total surplus. Moreover, constant surveillance causes several externalities which impact employees’ productivity (by causing stress, anxiety, depression, and musculoskeletal problems) and increases health costs. Applying Schmitz’s theory to Section 7(i), privacy protection arguably will cause a greater net gain to the society vis-à-vis no privacy protection at the workplace. This makes the blanket exemption under Section 7(i) socially inefficient. Since the net gain under privacy protection exceeds the net gain under no privacy protection (which is the case with Section 7(i) exemption), Section 7(i) fails to pass the balancing test.

II. Article 14

Per Shayara Bano, manifest arbitrariness denotes legislative acts which are capricious and lack a determining principle. Per KA Abbas, if a rights-restrictive law allows its administrators to exercise unrestrained powers, it must be held unconstitutional.

A quick look at Section 7(i) of DPDPA shows that the employer can process personal data of employees non-consensually without any limits. Apart from Sections 11 and 12, which give minimal rights to the Data Principal (here, the employee), the Data Fiduciary (here, the employer) is vested with unlimited powers to surveil and process the personal data of employees.

Moreover, per Shreya Singhal, expressions of inexactitude that are so broad as to cover any subject are unconstitutionally vague and arbitrary. If the definition of the word offers no guidance, it would create unfettered discretion. The grounds for data processing provided under Section 7(i) are hit by vagueness, ambiguity, and overbreadth due to the following two reasons. Firstly, the import of “purposes of employment” is unclear. Unlike the Justice Srikrishna Committee Report which defined it to include 4 grounds (recruitment and termination; provision of service/benefit sought by employee; attendance verification; and assessment of performance), the DPDPA leaves its scope undefined. This creates ambiguity regarding the extent of permissible surveillance. Similarly, the term ‘corporate espionage’ is undefined. Would surveillance of employees outside the workplace be necessary to prevent corporate espionage? If yes, the scope of surveillance would barely have any limits due to functional creep. Secondly, the list provided under Section 7(i) is non-exhaustive and inclusive. This is clear because the usage of “such as” implies that the list is only indicative. This leads to a situation wherein the employer can claim grounds of surveillance not enumerated in Section 7(i) so long as they have some nexus (howsoever remote or tenuous) to employment or prevention of “loss or liability”.

III. On the possibility of restraints via subordinate legislation

The DPDP Rules, 2025, do not create any limits on the Section 7(i) exemption. Interestingly, the Central Government has no rule-making powers to make subordinate legislation to define the limits of Section 7(i). The provision conferring rule-making powers, Section 40, only mentions clause (b) of Section 7, with no mention of clause (i) of Section 7.

Moreover, any rule defining the limits of Section 7 cannot be made under the general rule-making provision under Section 40(1). As held in Global Energy Ltd v. Central Electricity Regulatory Commission, rule-making power “for carrying out the purpose” of the statute is a mere general delegation and no guidelines can be laid down thereunder. Similarly, per Sukhdev Singh v. Bhagatram, the Central Government cannot travel beyond the rule-making provision to make rules or guidelines. So any rules or guidelines framed by the Central Government to limit the exemption under Section 7(i) would be ultra vires the parent Act.

In short, the scheme of DPDPA itself does not envisage any limits on the extent of surveillance permitted under Section 7(i). Nor does it empower the Central Government to make rules in this regard. This strengthens the Article 14 argument – Section 7(i) of DPDPA, by not envisaging limits on the exercise of rights-restrictive powers, is hit by the doctrine of manifest arbitrariness.

IV. Conclusion

The only way to preserve the constitutionality of Section 7(i) seems to be a judicial reading down of the provision. For this, three limits can be read into Section 7(i):

  1. Principle of Purpose Limitation: To address the vagueness and overbreadth inherent in the phrase “purposes of employment,” the scope of Section 7(i) must be strictly construed. Drawing on the Justice Srikrishna Committee recommendations, the term should be read to exclusively include only those purposes that are essential to the employment relationship: i.e., recruitment, termination, provision of sought services or benefits, attendance verification, and the assessment of performance. Limiting these grounds prevents the functional creep of surveillance where employers might otherwise claim a remote nexus to employment to justify invasive monitoring of an employee’s private life.
  2. Safeguards for Sensitive Personal Data: Section 7(i) fails to distinguish between general and sensitive personal data. To pass the necessity prong of the proportionality test, Section 7(i) must be read to strictly exclude the non-consensual processing of sensitive personal data. This includes biometric/health data, monitoring of private communications, etc., which should only be processed with the informed consent of the employee, rather than being subsumed under a blanket exemption.
  3. Spatial and Temporal Limits: Surveillance must be limited to the performance of actual work tasks and should not intrude into the employee’s private sphere, especially during telework or outside of official working hours. Illustratively, the tests of “in the course of employment” and “arising out of employment” in labour law can be useful for determining the spatial and temporal limits of surveillance.


