Can the Indian Data Protection Legislation Act as a Check on Growing Workplace Surveillance?
Recently, a German data regulator fined an online electronic goods retailer 10.4 million euros for video-monitoring its employees without a legal basis, thereby violating the provisions of the General Data Protection Regulation (GDPR). The regulator stated that the constant surveillance was “inadmissible” under the GDPR while imposing one of the highest fines the authority has set in its history. Concluding the investigation, the Commissioner stated that the employer had not taken steps to protect the data of the employees, as required by the provisions of the GDPR.
The safety measures required for offices reopening after lockdown call for new checks on employees. The safety standards mandated by the government include adequate social distancing, regular temperature checks, mandatory use of masks, and collection of information for tracing. This is where technologies such as facial recognition, increased use of CCTVs, and thermal screening come into play. In addition, for employees who are working remotely, a number of software tools and technologies are being used to track them during, and maybe even after, working hours. However, the absence of an all-encompassing data protection regulation leaves employees in India with little or almost no say in how they are being monitored, or what happens to their data.
Employee monitoring technologies in India
In 2018, Tech Mahindra announced the rollout of facial recognition technology to record not just the attendance of its employees but also the “mood of the workforce”. In an interview regarding the implementation of such measures, Tech Mahindra’s spokesperson stated that the employee has the choice to consent to the use of such a system. However, in a similar interview, the Tech Mahindra group also stated that recording attendance through facial recognition would soon be mandatory. Similarly, Panchkula’s Municipal Corporation had made its employees wear devices called “Human Efficiency Tracker” to monitor their location as well as to see and hear the sanitation workers as they worked.
The monitoring, as we can see, is not limited to the confines of the physical workspace. A number of remote employee monitoring software products have been in use for a while. A simple online search reveals a number of companies that provide employee monitoring services. The services they provide range from recording call records, emails, contacts, photos, video, location, and even WhatsApp messages and browsing history, to taking screenshots of office devices at random intervals. These applications also advertise that the employees would not know that they are being monitored and that the employees cannot override the monitoring.
Covid and New Office Procedures
The Coronavirus has now added extra dimensions to the existing features of employee monitoring, including ways to check the temperature of a person in a crowd as well as recognise people even through masks. Demand for systems with facial recognition, temperature screening, and mask enforcement has been growing, especially in factories and large offices.
The Defence Research and Development Organisation (DRDO) is also looking at ways to record the attendance of employees by developing “artificial intelligence-based face recognition systems”, which it plans to commercialise. Similarly, mobility apps such as Uber, in the process of resuming operations and as a part of their safety measures, are requiring drivers to submit selfies to Uber’s Real-Time ID Check system to verify that they are wearing masks; only then can the ride proceed.
The Indian Federation of App-Based Transport Workers (hereinafter “IFAT”), in a press statement, highlighted the issues with the use of the Aarogya Setu app in the absence of a personal data protection bill, and the fear that the data collected through the app could be retained and processed in the future.
Although the mandatory nature of Aarogya Setu has been done away with and most companies no longer require their employees to download the app, new instances of the enforcement of the app in the public sector continue to emerge. For example, in January the Indian Railways resumed its e-catering services “RailRestro” while imposing the mandatory use of the Aarogya Setu app. The guidelines of the e-catering service in the Indian Railways also require mandatory thermal scanning of delivery agents and restaurant staff. Similarly, the city of Lucknow reinstated the requirement that all employees with compatible phones download the Aarogya Setu app.
Light at the end of the tunnel? – The Personal Data Protection Act
With regard to the current version of the draft Personal Data Protection Bill, 2019 (hereinafter, “Bill”), Section 13 gives the employer leeway to process employee data, other than sensitive personal data, without consent on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer. Furthermore, personal data can only be collected without consent for four purposes, namely, recruitment or termination, attendance, provision of any service or benefit, and assessing performance. These purposes comprehensively cover almost all activities that employees may potentially undertake, or be subjected to, as part of their work-life.
The Bill labels employees as “data principals” and provides them with a plethora of rights. These include the right to confirmation and access (S17), portability of data (S19), and withdrawal of consent (S7(1d)). However, the present and earlier versions of the Bill fail to define “employee”, “employer”, or “employment” with respect to the provisions of the Bill. There is no uniform labour law in India, and each piece of legislation, be it the Industrial Employment (Standing Orders) Act or the Employee’s Compensation Act, sets different conditions for qualifying as an employee, and sometimes only addresses workers or “workmen”. Hence, the lack of a clear indication as to whom this provision applies creates an added layer of ambiguity, the effects of which would be borne by the employee.
However, the designation of employers as “data fiduciaries” means that they are to ensure that the collection and processing of data are in line with the principles of collection limitation and purpose limitation, and that the data is accurate, stored securely, and retained only for the time period needed. Furthermore, the employer is required to provide notice to employees about their rights to confirmation, access, correction, and portability with respect to their data. It is important to note that most of the data collected by employers, especially through new technologies, is sensitive personal data, including financial data and, most importantly, health data and biometrics. According to the Bill, sensitive personal data requires additional safeguards such as explicit consent. The Bill also requires that if these data fiduciaries undertake processing involving new technologies, or use sensitive data such as genetic or biometric data, such processing should only be done after a data protection impact assessment. However, until the PDP Bill becomes law, none of these provisions and safeguards can be used against the current and rapid adoption of surveillance technologies in the workplace.
When companies collect data from consumers, the company is mandated to reveal if it is sharing this data with third parties or government agencies, as stated in Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. The consumer also has the right and the option not to choose a particular company or to withdraw their consent. In the case of employees, however, the data collected is more continuous, can be traced back to them, and can have an immediate and direct impact on their lives, such as hiring, firing, or promotions. In light of this, the option to withdraw consent leaves employees with only two choices: either to consent to surveillance or to lose their jobs. More concerning is the provision that allows the employer to process non-sensitive personal data without the consent of the employee; in this light, the effects of, and actions following, a withdrawal of consent would be left to the employer’s discretion.
The push towards new ways of data collection should ideally happen when there is a means for the individual to question or seek clarification and hopefully have a choice and autonomy. Employers and workplaces should look at ways to ensure the safety of the employee and ensure trust in them, instead of using technology as a placebo. One can only hope that the version of the PDP Bill that gets actualised has provisions that ensure that employee surveillance does not go unchecked.
This article has been authored by Ms. Shweta Mohandas, Policy Officer at the Centre for Internet and Society and is a part of RSRR’s Excerpts from Experts Blog Series, initiated to bring forth discussion by experts on contemporary legal issues. It is an abridged form of the full report on workplace surveillance available on the CIS website.