I. INTRODUCTION

On August 11, 2023, the Digital Personal Data Protection Act 2023 ("DPDP Act") received the President's assent, ending the nearly five-year journey that saw multiple iterations of the legislation under consideration. Although the DPDP Act has received the President's assent, its effective date is yet to be notified; consequently, the prevailing law regarding the collection, handling, processing, and transfer of personal data (including sensitive personal data) remains the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules") under the Information Technology Act, 2000 ("IT Act"). Once the effective date of the DPDP Act is notified, it will repeal the IT Rules. However, for the purpose of internal investigations, other provisions of the IT Act will continue to be in effect – for instance, where the investigation concerns unauthorized use of computer resources.

II. PROCESSING PERSONAL DATA IN INVESTIGATIONS

Under the IT Rules, compliance measures were put in place concerning the handling of "sensitive personal data," which was narrowly defined to include passwords; financial information such as bank accounts or credit and debit cards; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information. As one can imagine, investigators end up handling at least some amount of sensitive personal data as defined under the IT Rules. Under the DPDP Act, however, all contemplated safeguards apply to "personal data," which has been broadly defined to encompass all data about an individual who is identifiable by or in relation to such data. Thus, once the DPDP Act comes into effect, investigations will handle larger amounts of personal data that are afforded protection. Investigations also often include third parties who undertake on-ground fact-gathering exercises, resulting in securing information such as addresses, pictures and videos. Wherever such information serves to identify the concerned individuals, it would come within the realm of "personal data" as defined under the DPDP Act. However, where such information is sourced from the public domain by third parties, it would be exempted from the purview of the DPDP Act.

III. CONSENT REQUIREMENTS UNDER THE DPDP ACT AND EXCEPTIONS

Under the DPDP Act, Data Fiduciaries (persons who determine the purpose and means of processing personal data) can secure the personal data of a Data Principal (the individual to whom the personal data relates) under two circumstances: (i) where the Data Principal has voluntarily given consent to the processing of the data; or (ii) for certain legitimate uses provided under the DPDP Act.[1] To draw a parallel with the General Data Protection Regulation ("GDPR") regime, Controllers would be akin to Data Fiduciaries and Data Subjects would be akin to Data Principals respectively. Similarly, under the GDPR regime, information can be collected and processed in the absence of consent in order to pursue legitimate interests.

Under the DPDP Act where consent is required, the processing of personal data has to be preceded by a detailed notice to the Data Principal informing them of (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which they may exercise their rights relating to withdrawing consent and grievance redressal; and (iii) the manner in which they may make a complaint to the Board established under the DPDP Act.

Given the often covert nature of internal investigations, especially during the fact-finding stage, obtaining the consent of the Data Principals is frequently impractical. It is therefore necessary to examine the scope and extent of the "legitimate uses" that operate as exemptions to the consent requirement.

As per the DPDP Act, deemed consent is provided to employers where information has been procured for the purposes of employment or for any purpose related to safeguarding the employer from loss or liability. While specific examples of prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property or classified information are provided, there is a fair argument that this provision cannot be construed to limit the types of internal investigations to only the aforementioned categories. That said, it remains to be seen how expansively the courts will be willing to interpret this principle.

IV. SAFEGUARDS FOR PROCESSING PERSONAL DATA DURING AN INTERNAL INVESTIGATION

Ordinarily, under the DPDP Act, a Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf. The Data Fiduciary will nevertheless always remain responsible for complying with the provisions of the DPDP Act. However, in certain limited instances, Data Fiduciaries are exempted from most of these obligations.

Specifically, Section 17 of the DPDP Act exempts the duties that are otherwise ordinarily imposed on Data Fiduciaries if the processing of personal data is "necessary for enforcing any legal right or claim" or if the personal data is "processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India." The only duty that would continue to apply in this case is to ensure that all personal data in a Data Fiduciary's control or possession, including in respect of any processing undertaken by it or on its behalf by a Data Processor, is protected by taking reasonable security safeguards to prevent a personal data breach. While the DPDP Act does not delve into what constitutes "reasonable security safeguards," it is worthwhile to note that any breach of this obligation could result in a penalty of up to INR 250,00,00,000.

V. CONCLUSION

In our view, employers collecting the personal data of employees would do well to implement the following measures to ensure that internal investigations are conducted as per due process:

  1. Despite not requiring consent from employees for the purpose of internal investigations, it may be worthwhile to execute employment agreements that contain language specifying the purposes to which the data collection extends, such as audits and internal investigations. The contracts can also mention that such data may, if necessary, be transferred to third parties such as law firms, forensic consultants, and auditors as part of such investigations.
  2. Before executing contracts with third parties for support during investigations, employers should evaluate the latter's technical safeguards as well as obligations of confidentiality to ensure that the personal data provided will always be adequately protected. This is because the overall responsibility of protecting personal data in this situation will continue to be imposed on Data Fiduciaries even when Data Processors have been engaged.

Footnote

[1] Section 4 of the Act
