An analysis of Section 7(i) of the DPDP Act 2023

The Digital Personal Data Protection Act 2023 is a landmark privacy legislation, primarily for two reasons. This is the first piece of legislation to deal with ‘Personal Data’ of an individual, unlike other legislations that deal with ‘Data’ protection in general. This legislation is the result of the Puttaswamy case where the Supreme Court urged the Govt to establish a regime for protection of personal data, while recognizing right to privacy as a Fundamental Right. Secondly this is the first legislation wherein “she” is used to refer to an individual irrespective of gender.

This Act provides for how the personal data of an individual (referred to as the ‘Data Principal’ in the Act), can be processed by the ‘Data Fiduciary’ Section 4 of the Act,atates that a  Data Fiduciary can perform the permitted   operations on the digital personal data of an individual only for a lawful purpose and upon having obtained free, specific, informed, unconditional, and unambiguous consent with clear affirmative action from the Data Principal. Thus, the Data Fiduciary cannot take the shield of the Data Principal having consented to process her data for any unlawful purpose. Section 4 also indictes that consent is not required if the personal data is processed for certain legitimate uses. The DPDPA mandates taking specific user consent for collecting and processing sensitive personal data that could potentially hold IP value. This consent requirement gives users more control over such high-value data. However, regulated entities can still leverage non-sensitive data for IP development in line with reasonable purposes disclosed to users.

Moreover, Section 7(i) of the Act gives powers to the Data Fiduciary (employer) to process the personal data of the Data Principal (employee) without specific consent for (i) the purposes of employment; (ii) to safeguard the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, IP, classified information; or (iii) the provision of any service or benefit sought by an employee. The Act does not specify the scope of the term “purposes of employment’. Without such restrictions, the employer is given power to process the personal data of its employee without consent.  Hence, in the name of employment or maintaining confidentiality of trade secrets or intellectual property, the employer can process an individual’s data .  It is a general practice for employees to sign a Non-Disclosure Agreement with the employers, these agreements protect the confidential information of the firm, including its intellectual property and provide  consequences that will  result from a breach of the same. Since these  agreements are  being recognized as  enforceable contracts by the law , the necessity of giving unrestricted power to the employers without defining the scope goes against the primary cause of this Act, i.e. protection of Right to Privacy.

In this context, a perusal of the General Data Protection Regulation (GDPR) governing the European Union  would help in understanding the balance that is drawn between safeguarding the personal data of an individual and ensuring the interest of the employers are safeguarded .  Though the DPDP Act mentions that personal data can be processed for certain legitimate uses, Art 5 of the GDPR has elucidated in detail  that personal data can be collected for specified, explicit, and legitimate purposes , thereby adding greater clarity to the provisions and  making the  restrictions on the right to privacy more reasonable. Further the  DPDP Act does not specify the purposes and conditions when the employer can process the personal data of the employee,  whereas Art 88 of the GDPR stipulates that specific rules must be framed to protect the rights and freedoms of the employee’s personal data. It also  states that such rules shall include specific measures to safeguard the data subject’s dignity, legitimate interest, and fundamental rights with regard to the transparency of processing, the transfer of personal data, and monitoring systems at the workplace.

The DPDP Act allows the Data Fiduciary to process personal data under a claim of maintaining the confidentiality of trade secrets, IP, and classified information, whereas Art 89 of the GDPR ensures that there shall be appropriate safeguards in place to ensure that technical and organizational measures are in place in order to ensure respect for the principle of data minimization. One method recommended for this is pseudonymisation, which means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. The GDPR further provides that when personal data is processed for research purposes, the right over the personal data shall stand derogated only if such rights are likely to render impossible or seriously impair the achievement of the specific purposes and such derogation is necessary for the fulfillment of those purposes. These restrictions do not find a place in the DPDP Act.

Any law that lacks clarity, will be the subject of litigation. Hence, a clarificatory amendment to resolve the ambiguities in S.7(i) of the Act may be required, to ensure the employers who seek to protect their rights of confidentiality and IP, take appropriate safeguards to ensure data minimization.

By Reshma. A