Digital Personal Data Protection Act: workers’ rights to be safeguarded!
The consulting industry in India is a rapidly growing sector, with a CAGR of 30%. The industry is worth up to $1.4 billion and is expected to reach $2.1 billion by 2025. The key players in the consulting industry in India include some of the multinationals, however, Karma Global has upped its ante with loads of consulting work carried out in the IT, financial and regulatory services sectors.
Karma Global a leading consulting firm, with operations in U.K, U.S. Canada, Middle East and South East Asia, specialises in areas like staffing, on-boarding, payroll, facility management, curbing regulatory risk, auditing and abiding by all labour law related compliance on PAN basis.
Digital Personal Data Protection Act: workers’ rights to be safeguarded!
Introduction
In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023. The new law is the first cross-sectoral law on personal data protection in India and has been enacted after more than half a decade of deliberations.
Key Features of The DPDP Act, 2023
Compared to the 2019 version of the bill, the DPDP Act, 2023 reduces obligations for businesses and protections for consumers, vesting the central government with unguided discretionary powers in some cases.
Applicability to Non Residents
The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents. Interestingly, it also applies to non-citizens living in India whose data processing “in connection with any activity related to offering of goods or services” happens outside India.
Purposes of Data Collection and Processing
The 2023 act allows personal data to be processed for any lawful purpose.14 The entity processing data can do so either by taking the concerned individual’s consent or for “legitimate uses,”
Rights of Users/Consumers of Data-Related Products and Services
The DPDP Act also creates rights and obligations for individuals. These include the right to get a summary of all the collected data and to know the identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of the data shared. Individuals also have the right to correction, completion, updating, and erasure of their data. Besides, they have a right to obtain redress for their grievances and a right to nominate persons who will receive their data.
Obligations On Data Fiduciaries
Entities responsible for collecting, storing, and processing digital personal data are defined as data fiduciaries and have defined obligations. These include: (a) maintaining security safeguards; (b) ensuring completeness, accuracy, and consistency of personal data; (c) intimation of data breach in a prescribed manner to the Data Protection Board of India (DPB); (d) data erasure on consent withdrawal or on the expiry of the specified purpose; (e) the data fiduciary having to appoint a data protection officer and set up grievance redress mechanisms; and (f) the consent of the parent/guardian being mandatory in the case of children/minors (those under eighteen years of age).
Exemptions from Obligations Under the Law
The law provides exemptions from consent and notice requirements as well as most obligations of data fiduciaries and related requirements in certain cases: (a) where processing is necessary for enforcing any legal right or claim; (b) personal data has to be processed by courts or tribunals, or for the prevention, detection, investigation, or prosecution of any offenses; (c) where the personal data of non-Indian residents is being processed within India; and so on.
What Are the Issues with Safeguarding of Workers’ Rights?
- 2018 Personal Data Protection Bill followed by the 2019 draft, the 2022 bill, and finally the enacted DPDPA, there is a notable absence of acknowledgment of worker data rights
- The Act categorizes the workplace under ‘legitimate use,’ creating an exception to consent-based processing. This exemption, criticised for its focus on processing by design rather than participatory governance, diminishes the advancement of worker data rights in this crucial legislation.
- The current law directly deals with the workplace in a single provision, with an indirect reference to exemptions for start-ups.
- Purpose limitations for data processing in the workplace have progressively diluted, expanding from recruitment, termination, access to services or benefits, and exceptions to sensitive personal data to a broader range of considerations without adequate protection for the less powerful employee.
- The DPDPA incorporates broad grounds of employer protection added in the 2022 draft, namely, exemptions from processing without consent to protect the employer from any loss or liability, protecting trade secrets and IP, preventing espionage, and protecting social security information.
- Data processing under these grounds can have a considerable impact on constitutional rights to freedom of association—for example, not acknowledging a protection for legitimate worker collaboration on common issues in a peaceful way, not allowing workers to access their social security data, or having privileged communication between co-workers surveilled.
- Section 7(i) of the Act reflects a legislative surrender to market forces across all kinds of workplaces that leaves workers open to speculative exploitation and gives room for building digital monopolies. The text fails to centre worker needs and rights which endangers decent work agenda.
Proprietary blog of Karma Global
Collated and Compiled by the internal staff of Karma Global with the knowledge and expertise that they possess, besides adaptation, illustration, derivation, transformation, collection and auto generation for its monthly newsletter Issue 17 of November 2023 and in case of specific or general information or compliance updates for that matter, kindly reach out to the Marketing Team – kush@karmamgmt.com / yashika@karmamgmt.com