By Deepti Pandey & Sushant Shekhar Singh
After the dust settled on K S Puttaswamy v. Union of India by recognizing the fundamental right to privacy in India, various facets of privacy have gained prominence.[1] One such aspect is the privacy right in corporations under the relationship of employment. Increased surveillance in employment is a serious concern heightened by employees as an impingement of right to privacy. European Court of Human Rights [“ECHR”] has acknowledged the limitations to the extent of monitoring by employer in the course of employment.[2] While the nation still awaits a data protection law, the implications arising out of privacy in employment is attempted to be resolved through legislations.[3] However, these regulations are insufficient in the era of Bring Your Own Device [“BYOD”]. This facet of privacy is addressed during the course of this article. The aim is to demarcate the thin line between personal data and corporate data under BYOD and draw out considerations to be kept in mind by employers in order to avoid unnecessary legal impediments.
I. The Concept of BYOD
The surge in digitized models of corporatization emanate from the urge of the organizations to figure out mechanisms in the workplace which have the potential to foster efficiency and productivity- Bring Your Own Device is one such mechanism.[4] BYOD is the use of device owned by employee to access enterprise content and network.[5] Unlike the systems provided by the employer, this allows employee’s personal device to be used for the organization’s purpose. Apart from the pragmatic technical impediments to deployment of BYOD in workspace in terms of threat to security breach, there are emerging legal issues especially with respect to privacy.[6] The use of personal device of employees for business purposes creates conflict in terms of their monitoring of corporate data. The lack of data protection law coupled with the incipiency of privacy law in India entails the need to examine the impact on the right to privacy of employees if the employers resort to BYOD’s surveillance.
The personal data collected by corporations is regulated under Information Technology Act and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under which they are required to possess reasonable security practices while collecting ‘sensitive personal data’.[7] The said rules define “personal information” as any information pertaining to natural person, which directly or indirectly, has potential of identification of individual.[8] Sensitive personal data and information is about finances, passwords, biometric information etc.[9] However, this law comes into operation only if sensitive personal information is collected. The question thus arises with respect to the data which is part of BYOD but falls outside the ambit of personal information. Whether employee’s right to privacy extends to such data or whether employer can exert its surveillance over corporate data in a BYOD is a concern which is unaddressed under the existing regime. This entails a thorough understanding of aspects of personal information covered under the right to privacy.
II. Informational Privacy in Employment: Clarifying the Ambit of ‘Personal Information’
Various nations have legislations which protect right to privacy in employment however to a limited extent of personal information.[10] In India, the landmark Puttaswamy judgement has attempted to clarify the law on privacy.[11] It recognizes right to privacy as intrinsic and inalienable.[12] This right emanates from both articles 21 and 19(1)(a).[13] Most popularly, it is attached with the right to be let alone[14], right to privacy of home including ‘family, marriage, procreation and sexual orientation’[15], right to prevent commercial exploitation of one’s privacy[16], right to preserve a private space in which the human personality can develop[17], and right to informational privacy[18] inter alia. On a close perusal, these aspects reveal that the right to privacy is construed in the context of protection of personal information. However, this has not been adequately addressed in the judgement. Yet there are cases under the Right to Information Act [“RTI Act”] which explain the constituents of personal information.[19]
The Supreme Court in UPSC v. R.K. Jain has laid down that under RTI Act the scope of personal information is broader.[20] However, with regard to privacy as fundamental to a person’s liberty, what is protected is private information which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and the like.[21] This is further corroborated by Mr. Anil Datt Sharma v. Mcd, Gnct Delhi which has distinguished between every kind of information that is personal and those that are private in nature.[22] The judiciary has further explained who all are covered under informational privacy. In Naresh Trehan v. Rakesh Kumar Gupta, it was held that informational privacy applies to ‘individual’ as against ‘person’ and therefore does not extend to corporations.[23] A P Shah Committee has also highlighted that monitoring of premises through CCTVs is a potential infringement of privacy of employees.[24] This is settled in a recent case law which held that complete surveillance of premises by the use of CCTV cameras amount to invasion into the right to privacy.[25] It is thus clear that the nature of information that covers right to privacy is the one which is intrinsic to an individual such as his name, address, caste, date of birth, institution and year of passing graduation, field experience, qualification, job, her father’s occupation and even call details and the like.[26] These aspects of informational privacy are required to be considered equally by the employers.
III. Personal vis-à-vis Corporate Data: The Extent and Extant of Protection
Currently, there is no case law delineating the impact of BYOD on privacy rights in India because of the nascent phase of privacy law development.[27] Under European Union law, in a BYOD deployment, data protection does not only apply to corporate data.[28] Hence, the EU regulation on data protection will apply to organizations deploying BYOD if personal data of an employee from the device is being collected and in such case the same must be adequately mentioned in the BYOD policy.[29] In the USA, reasonable expectation of privacy is protected under the Fourth Amendment. The consent becomes a mandate and lack of consent of employee can lead to lawful action against the employer on account of breach of privacy.[30] The recent case on this issue is Rajaee v. Design Tech Homes.[31] This was adjudicated by the District Court of Texas wherein the employee used his personal device to conduct work in the organization which was connected to the employer’s server. Upon his leaving the organization during the process of remotely resetting the device, the employer caused loss of both personal and business-related data from his phone.[32] The claim was made only for the loss of personal data and the court also did not go into the merits of privacy rights of the employee. On technical considerations the claim of employee was refuted.[33] However, this case opens the possibility of future discourse on the privacy impingement on grounds of control of employer over employees’ personal device used for corporate purposes.
IV. Analysis
It is thus clear from the aforementioned analysis that not all kinds of information fall under informational privacy engulfed in the right to privacy as a fundamental aspect of life and liberty. It governs only personal, intimate, intrinsic and individualistic aspects of private information. It is thus limited to individuals and does not apply to corporations. It is equally applicable to the sphere of employment and the right to privacy is therefore studied from the employee’s perspective. It is imperative to note that personal data can be separated from corporate data. By analogizing the Indian position on privacy (Naresh Trehan, UPSC v. R.K. Jain and other cases afore-stated where personal information is only limited to individuals and not corporations) with EU (wherein data protection does not apply to corporate data), it can be held that employers can have access to corporate data and consent requirement based on the existing law should confine only to personal information of the individual. However, since in a BYOD both data form part of the same device, control of employer over the device is difficult to establish. It is a wake-up call for the employers to carefully draft their BYOD policy with clearer instructions, consent requirements and disclaimers from liabilities on such accounts.
V. Conclusion
The BYOD model should clearly spell out the liability of employer. It should contain enough encryption and authentication requirements. The nascent phase of privacy law coupled with growing privacy concerns call for primacy to the requirement of consent of the employee before such implementation. This is of peculiar significance to BYOD due to the inherent conflict of personal and corporate data. This aspect of digitization is also of relevance to drafters of Privacy and Data Protection Bill. Keeping in view the Texas case[34] the employer should also have a clearly drawn out procedure in case of termination of employment to be able to separate corporate data from the personal data of the employee. While efficiency and cost-reduction should remain at the forefront of organizational strategies, it should be well within the confines of law in order to mitigate contingent liabilities in the form of litigation costs and this requires employers to take necessary steps to protect the privacy of the employee.
The authors are 7th Semester students studying at WB National University of Juridical Sciences, Kolkata (WBNUJS).
[1] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[2] Ernest & Young, Bring your own device: Security and risk considerations for your mobile device program, in EY Insights on governance, risk and compliance (Sept. 2013), https://www.ey.com/Publication/vwLUAssets/EY_-_Bring_your_own_device:_mobile_security_and_risk/$FILE/Bring_your_own_device.pdf.
[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Gazette of India, pt.II, sec.3(1), (Apr. 11, 2011).
[4] Supra note 2.
[5] Deloitte, Understanding the Bring-Your-Own-Device Landscape, Deloitte Research Report, (2013), https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/about-deloitte/deloitte-uk-understanding-the-bring-your-own-device%20landscape.pdf.
[6] Supra note 2.
[7] Supra note 3, Rule 8.
[8] Information Technology Act, Sec. 2(i), No. 21, Acts of Parliament, 2000 (India).
[9] Id. Section 3.
[10] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.).
[11] Supra note 1.
[12] Id. ¶402.
[13] Id. ¶410.
[14] Id. ¶405.
[15] Id. ¶497.
[16] Id. ¶477.
[17] Id. ¶168.
[18] Id. ¶190.
[19] Justice A. P. Shah, Report of the Group of Experts on Privacy, Planning Commission of India, (Oct. 16, 2012) http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.
[20] UPSC v. R K Jain, MANU/DE/3197/2012.
[21] Id. ¶32-33.
[22] Mr. Anil Datt Sharma v. Mcd, Gnct Delhi, CIC/DS/A/2012/001865.
[23] Naresh Trehan v. Rakesh Kumar Gupta, MANU/DE/3027/2014.
[24] Supra note 19, at 62.
[25] Indian Hotel and Restaurant Association (AHAR) v. The State of Maharashtra, AIR 2019 SC 589.
[26] Baljeet Singh v. The PIO, Industrial Training Institute, MANU/DE/2072/2019 (Delhi HC, India); UPSC v. Pinki Ganeriwal, 207 (2014) DLT 138; R. Saravanakumar v. The Inspector of Police (Estt.), MANU/TN/3074/2018.
[27] Workplace Privacy and Employee Monitoring, Privacy Rights Clearing House, (Mar. 25, 2019) https://www.privacyrights.org/consumer-guides/workplace-privacy-and-employee-monitoring; Anshul Prakash and Shweta Dwiwedi, Here’s What Employers Must Know About Employee Privacy Rights, People Matters, (Jul. 22, 2018) https://www.peoplematters.in/article/technology/heres-what-employers-must-know-about-employee-privacy-rights-18814; Rakhi Jindal et al., The Indian legal position on employee data protection and Employee privacy, Employment and Industrial relation laws, (Mar. 2012); http://www.nishithdesai.com/fileadmin/user_upload/pdfs/The_Indian_legal_position_on_employee_data_protection_and_employee_privacy.pdf; Pallavi Thacholi and Deepthi Bavirisetty, Bring Your Own Device Policies: Legal Considerations, Khaitan Data Privacy Issue, (2017), https://www.khaitanco.com/PublicationsDocs/IndiaLawNews-KCOcoveragePallaviT-Copy(6).pdf.
[28] Do The Data Protection Rules Apply To Data About A Company?, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/do-data-protection-rules-apply-data-about-company_en.
[29] Supra note 2.
[30] Dan Virgillito, An Employer’s Guide to Employee Privacy and BYOD, InfoSec, (Aug. 23, 2018) https://resources.infosecinstitute.com/an-employers-guide-to-employee-privacy-and-byod/#gref.
[31] Rajaee v. Design Tech Homes, No. H-13-2517, 2014 WL 5878477 (S.D. Tex., 2014) (U.S.).
[32] Id.
[33] Id.
[34] Supra note 30.
NUALS Law Journal 