In this day of smartphones and remote-working policies, many companies are going ‘asset-light’ and allowing personal devices (cell phones, laptops, etc.) for official use. Use of self-owned cell phones to access work emails, WhatsApp for business and work, Excel or PPT files, browsing Facebook or Instagram, Googling, Gmailing, Skyping, booking Uber rides, finding Airbnb hosts and ordering app-based food deliveries are now more the norm for millennials and their successors – the Gen Z.
This is raising interesting questions around individual privacy, implementation of system controls on, and access to, employees’ self-owned devices by employers, either for usage screening or regulatory purposes. For example, the Securities and Exchange Board of India (Sebi) has increasingly been asking for phone logs (call logs, emails, chats, etc.) from listed companies in cases involving insider trading or front running allegations – what if personal phones were involved (they often are).
The ease of, and preference for, using personal devices for office use is obvious, but can employers ask their employees, especially in a gig economy, to hand over personal cell phones for data scrapping? Will the IT teams be within their right to obtain back-end access to employees’ personal devices for routine bug monitoring, anti-malware protection, anti-hacking checks and data encryption? What if cyber-incidents involving personal smart-phones and laptops affect office emails or WhatsApp chats used for work purposes? Is a consent architecture adequate for employers to gain blanket access to personal devices used for work, or will the new data privacy laws become a challenge?
The future will bring Internet of Things (IoT). With Siri and Alexa controlling almost every aspect of life and ‘things’ in future, risk of cyber threats is likely to trigger the need for greater employer access to personal devices used for official purposes.
Like most aspects of the new economy, work-place privacy is an untested topic in India – albeit increasingly in focus, especially after the Supreme Court recognised the right to privacy as an intrinsic part of the right to life and personal liberty in the Puttaswamy case in 2017. However, data and privacy laws continue to be far behind the new workplace realities. With millennials increasingly preferring to work for start-ups (some of which like Flipkart, Paytm, Ola and Oyo are already ‘decacorns’ and valued higher than many old economy flag-bearers, workplace privacy is likely to get tested before Indian courts in the next few years, especially with a new personal data protection law being imminent.
It might be premature to say what principles ought to govern workplace usage of personal devices and whether firewalls can be introduced to segregate personal from professional streams on self-owned devices, but at a minimum, some safeguards become critical to avoid blurring the “personal-professional” divide.
Changing Workplace Gadget Policies
First, employee handbooks and consent policies need a re-look – do employment agreements include consent from employees for IT departments to get access to their personal devices in situations involving external or internal investigations? This is not theoretical anymore – regulators increasingly ask the employer to undertake its own investigation in cases of suspected market manipulation (for instance, in violations of the Sebi Act) and submit its report. Most POSH investigations involve use of personal messages, chats and call logs of the employees involved. How will companies conduct investigations in situations involving lack of consent to access personal devices that might contain evidence of suspected wrong-doing? What if employees concerned have left, either before or during an investigation?
Second, employment policies need a rethink on the use of social media for official work purposes. LinkedIn is an individual (i.e. personal) account, but used for official use, though not “owned” by the employer. Can internal company policies ask for social media take-downs? Employment “passing off” and incorrect work disclosures are a real risk. Employers often informally or even formally nudge employees to get on LinkedIn, promote their projects and work accolades – how do employers legally control what’s posted on individual LinkedIn handles?
Third, cyber-incidents involving office servers, which fall within an employer’s domain, can be handled, but what if a malware attack takes place on a chat app or personal email and compromises work-related communication? Who would have an obligation to report to CERT-IN – the employer or the individual employee involved?
Data laws world over were not framed for ‘digital workspace’, though they are getting tweaked, including in India, given the evolution of the privacy regime. The Personal Data Protection Bill, 2019, referred to the Joint Parliamentary Committee in December 2019 for introduction during the upcoming Budget session of the Parliament, will be the most comprehensive law on data and privacy in India.
All employers, especially in the new economy, will have to consider the implications of the new consent obligations and purpose driven data-processing requirements proposed under the Bill.
Consider this, anybody wanting to store ‘cookies’ can only do so after providing clear notice at the time of collecting such information, having obtained user consent and identifying the purpose for which such data would be processed.
Data subjects will have a right to withdraw consent. Consent might no longer be through a long list of clauses to which an employee agrees by clicking online as part of job induction (often without reading). The Personal Data Protection Bill requires free, informed, specific, and clear consent which has to be capable of being withdrawn.
How will the current IT policies deal with this? Will employers accessing employee data (even with consent) be classified as “data-fiduciaries” under the new data privacy law and be subject to the jurisdiction of the proposed Data Protection Authority? If eventually it turns out that critical or sensitive personal data can only be stored in India under the new law, would all MNC servers have to be moved to India?
Being mindful that penalty for violation of the new data protection law could be up to 4 per cent of the turnover, to mitigate this dilemma for employers who need to access (and store) employee data on personal devises, would it be better to exempt employer-employee relationships from the new data and privacy law?
To deal with the new world of data laws, globally, companies have introduced secure logs, audit trails, remote monitoring tools and virtual private networks to segregate and protect information on private networks and introduce firewalls while using personal devices for official use.
This is India’s “GDPR moment”. To avoid the confusion and interpretations around General Data Protection Regulation (GDPR), which came into effect in May 2018, Indian corporates, especially in the new economy, would be better off examining the implications of the new data protection law, and taking steps to ensure preparedness, rather than be forced to go back to the “asset-heavy” days where access to office emails and communication could only be on office-issued devices and private networks.
Zia Mody, Managing Partner
Anu Tiwari, Partner