India is set to overhaul its data privacy regime with the coming into force of the new Digital Personal Data Protection Act, 2023. The new Act introduces a number of key concepts and modifications which may have significant implications for various stakeholders. To this end, INDUSLAW takes a closer look at the impact of the new data privacy regime on employers and employment relationships. The article discusses new consent requirements for data processing and the key obligations for employers, among others.

1. INTRODUCTION

a. After several years of deliberation, the Digital Personal Data Protection Act, 2023 ("DPDP Act") received the President of India's assent on August 11, 2023, although its effective date is yet to be notified. Currently, the Government is in the process of framing the major rules under the DPDP Act, which are likely to be published soon. Once the relevant sections are brought into force, the DPDP Act will repeal the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 enacted under the Information Technology Act, 2000, which is the prevailing legislation in India governing the processing of personal data and sensitive personal data.

b. The DPDP Act has been enacted with the intent to hold businesses and organisations accountable and responsible for protecting the personal data of individuals that they collect during the course of their operations (whether externally or internally). This landmark development in India's data protection regime, once implemented, will bring India on par with other jurisdictions such as Singapore, the People's Republic of China, the UK, and 27 EU Member States, which have already enacted robust data protection laws.

2. EMPLOYER OBLIGATIONS UNDER THE DPDP ACT

a. APPLICABLE PROVISIONS OF THE DPDP ACT

(i) The DPDP Act defines 'personal data' as any data about an individual who is identifiable by or in relation to such data. It applies to the processing of all personal data within India when collected from data principals in digital form, or in non-digital form and subsequently digitized. The DPDP Act is also applicable to the processing of digital personal data outside India if it relates to the offering of goods or services to data principals located in India. The DPDP Act does not apply to personal data that is made publicly available by a data principal.

(ii) An employer collects a significant amount of personal data from its employees as well as potential employees during the lifecycle of employment, such as personal data collected during the employment application and interview process, during the onboarding formalities, for conducting background verification, for processing payroll, for undertaking statutory compliances, and even at the end of employment. Often, employers outsource several processes, such as background verification, compliance formalities or payroll operations, to third parties, which results in the disclosure of personal data of their present or potential employees.

(iii) Under the DPDP Act, an employer processing any personal data of its employees would be considered a 'data fiduciary', as it determines the purpose and the means of processing the data. The employees in turn would be considered 'data principals', as they are the individuals to whom the personal data relates. Where an employer engages a third party to process the personal data of employees on its behalf, such a third party would be a 'data processor' under the DPDP Act.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.