Rights concerns ignored in data law

Technological advancements, particularly in data-driven production processes, have expanded the scope of workplace regulation beyond individual privacy concerns to encompass data protections and economic justice within the paradigm of decent work guarantees to enable social justice in a modern economy. While labour legislations (particularly ones with sectoral coverage like the EU platform work directive) often include protections for worker data, the initial focus is typically found in the corresponding data protection laws, such as the workers right to access data under the EU General Data Protection Regulation (GDPR), 2016.

The recently enacted Digital Personal Data Protection Act 2023 (DPDPA) must be scrutinised as it is the first central law to potentially govern workplace data rights. The legislation prioritises data processing over data rights, establishing the consent-notice framework as the narrow, primary legal processing cornerstone. The Act categorises the workplace under ‘legitimate use,’ creating an exception to consent-based processing. This exemption, criticised for its focus on processing by design rather than participatory governance, diminishes the advancement of worker data rights in this crucial legislation. The current law directly deals with the workplace in a single provision, with an indirect reference to exemptions for startups.

Through four successive drafts, starting with the 2018 Personal Data Protection Bill, followed by the 2019 draft, the 2022 bill, and finally the enacted DPDPA, there is a notable absence of acknowledgment of worker data rights. Purpose limitations for data processing in the workplace have progressively diluted, expanding from recruitment, termination, access to services or benefits, and exceptions to sensitive personal data to a broader range of considerations without adequate protection for the less-powerful employee. The DPDPA incorporates broad grounds of employer protection added in the 2022 draft, namely, exemptions from processing without consent to protect the employer from any loss or liability, protecting trade secrets and IP, preventing espionage, and protecting social security information. Data processing under these grounds can have a considerable impact on constitutional rights to freedom of association—for example, not acknowledging a protection for legitimate worker collaboration on common issues in a peaceful way, not allowing workers to access their social security data, or having privileged communication between coworkers surveilled. This was arguably enough to preempt collective imaginations of workplace democracy in successive drafts, but removing key verbiage around when processing of data is allowed without consent complicates the issue at hand.

Section 7(i) of the Act reflects a legislative surrender to market forces across all kinds of workplaces that leaves workers open to speculative exploitation and gives roomfor building digital monopolies. The text fails to centre worker needs and rights, which endangers the decent work agenda.

While the DPDPA has been hailed in many quarters for its departure from prescriptive legislation and emphasis on principles-based regulation, concerns linger regarding over-delegation to rules. Deference to private governance for workplace data rights will end up legitimising privacy violations of the common citizen and not rights protection; this impact manifests most clearly in workplace regulation. The question that remains, one that the Justice Srikrishna Committee report acknowledged, is: how does the law manage to achieve fairness or freedom for weaker parties in the workplace and not beome the latest manifestation of
control by platforms, employers, and other buyers in the labour market? What, then, is the way forward?

For one, sectoral regulation must be able to answer the questions of where and why in the value chain do employers need to process data without consent and what are some of the limitations for such processing. States in India have begun to legislate on workplace fairness in the case of platforms and informal workers, most recently seen in Rajasthan and its law to create a permanent fund for social security for gig workers. Similar movements can also be expected in other states.

These laws should incorporate data processing-related questions as well. The grounds for processing without consent must be returned to the particular legitimate uses included in writing. Furthermore, it is essential to focus on the non-privacy aspects of this law, evaluating the impact of specific and speculative data processing on employer benefits and the emergence of monopolistic digital intelligence. The sharing and co-governance of these benefits are crucial
for both employees and regulators to achieve a free and fair digital economy.

(The authors are researchers at IT for Change, Bengaluru)