The Implications of India’s New Data Protection Law on Internal Investigations

At present, there are no statutory mandates or procedural directives in India for conducting internal investigations in a company, other than under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013. This law requires every organization with ten or more employees to constitute an internal complaints committee, and lists out the procedure for handling such complaints.

However, internal investigations may need to be carried out by employers in relation to a wide range of issues and/or situations. This note specifically discusses the collection, handling, storage and/or processing of personal data in the wider context of internal investigations, including with respect to allegations or suspicions of economic and criminal offences.

INTERNAL INVESTIGATIONS

An Indian company may find itself undertaking internal investigations in circumstances involving allegations or suspicions of:

  • misconduct or unethical business conduct;
  • harassment – including sexual harassment;
  • possible commission of criminal offences such as:
    • fraud, corruption, bribery, criminal breach of trust, cheating or theft,
    • the manipulation of, or tampering with, official and/or financial records – including forgery and falsification of transactions or underlying documents,
    • misappropriation of funds or misuse of a company’s assets,
    • illegal payments made to vendors or contractors,
    • embezzlement or money laundering
  • a breach of confidentiality;
  • insider trading and market abuse; or
  • any other misconduct under law, a relevant employment contract, or a company’s rules, charter documents, codes and policies.

Internal investigations typically get triggered on the basis of:

  • a complaint made by –
    • a whistleblower (including from stakeholders who are external to a company), or
    • an aggrieved employee (or any other member or employee of such company), or
    • a third party; or
  • pursuant to –
    • the management’s suspicion(s), or
    • disclosures made in the course of an audit.

Further, in the case of subsidiaries of multinational corporations (“MNCs”), investigations may be carried out for the purpose of satisfying compliance requirements under law(s) applicable to the parent entity. For example, an investigation may be initiated by, or in relation to, an Indian subsidiary for the purpose of compliance with legal obligations under the Foreign Corrupt Practices Act of 1977 of the US or the UK’s Bribery Act 2010.

In general, in the context and course of such internal investigations, large amounts of personal data related to accused individual(s), informants, witnesses, people aware of the matter, and other relevant employees may need to be processed by an employer – either by itself or through its advisors (e.g., forensic partners, law firms, and other experts). Accordingly, an informed assessment of the rights and obligations of the concerned employees and other individuals, as well as those of the employer and its advisors/agents, becomes crucial from the perspective of applicable data protection laws.

INDIA’S DATA PROTECTION REGIME

In India, the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or “Act”) was published in the official gazette pursuant to a notification dated August 11, 2023. Although not yet in force, the Act’s provisions and rules are expected to be notified soon, overhauling the current legal framework governing personal data in India (the “Existing Regime”). For a brief overview of the DPDP Act, see our note here. For a broad overview of the Existing Regime and India’s legislative trajectory with respect to governing personal data, see our note here. For a recent update on the DPDP Act and its rules, see our note here.

THE DPDP ACT AND INTERNAL INVESTIGATIONS

“Personal data” has been defined broadly in the Act to mean any data about an individual (each such individual, a “data principal”) who is identifiable by or in relation to such data. The DPDP Act specifically protects “digital personal data”, which means personal data in digital form.

In the context of internal investigations, any digital data that (even indirectly) relates to and/or identifies relevant individuals is likely to be covered under the Act.

Further, entities that ‘process’ digital personal data will be required to implement appropriate technical and organizational measures to ensure compliance with the DPDP Act. This requirement would apply to employers conducting internal investigations involving the use of personal data. Employers should note that the Act defines the term “processing” broadly, including wholly or partly automated operations that involve the collection, storage, retrieval, use, sharing, disclosure, erasure or destruction of personal data.

In addition, if a sector-specific law or a dedicated regulatory/statutory body mandates additional data protection and/or data processing obligations, those will apply over and above the general requirements under the DPDP Act. Accordingly, in the context of internal investigations, applicable corporate, labor and employment laws are likely to remain applicable, including with respect to data processing restrictions and requirements, if any.

DATA FIDUCIARIES AND DATA PROCESSORS

A “data fiduciary” is any ‘person’ who alone or in conjunction with another person determines the purpose and means of processing personal data. Individuals, companies, firms, associations of persons or bodies of individuals (even if unincorporated), the state, and any artificial juristic person, may be considered a data fiduciary under the Act.

A “data processor” is any person who processes personal data on behalf of a data fiduciary. In general, a data processor may be engaged by a data fiduciary to process personal data on the latter’s behalf under a valid contract.

In the context of internal investigations, the employer is likely to act as a data fiduciary if it determines the purpose and means of processing relevant personal data – including in conjunction with other entities and/or by engaging the services of an external firm, advisor, expert or partner – each of which, in turn, is likely to be considered a data processor under the Act. As long as such external entity acts only upon the instructions, and on behalf, of the employer, and does not process the personal data independently and/or for its own purposes, it is likely to act only as a data processor (and not as a data fiduciary). This distinction is important, as explained below.

The Act – unlike the General Data Protection Regulation (“GDPR”) of the European Union – appears to attribute responsibility solely upon data fiduciaries, as opposed to prescribing shared liability with data processors. A data fiduciary will thus remain responsible for protecting the personal data that remains in its possession or control, including with respect to processing tasks undertaken by data processors engaged by the data fiduciary, and may be held liable when a data breach and/or an event of non-compliance arises entirely on account of a negligent data processor.

However, it would be important for data fiduciaries to ensure that their contracts with any data processor engaged in the context of internal investigation are negotiated carefully. Such contracts should inter alia specifically set out and limit the purposes for which the personal data will be processed and include suitable audit and indemnity provisions. This is particularly important given the monetary penalties applicable under the Act in the event of non-compliance (ranging from INR 10,000 to INR 2.5 billion, depending upon the contravention). For a discussion on contractual arrangements with data processors, see our note here.

GROUNDS FOR PROCESSING PERSONAL DATA

The DPDP Act states that a person may process the personal data of a data principal only in accordance with its provisions and for a ‘lawful’ purpose (i.e., any purpose not expressly forbidden by law). Further, such purpose is required to be subject to:

  1. the data principal’s explicit consent; or
  2. certain specified instances of legitimate use (exemptions to the explicit consent requirement).

i. Consent

Under the DPDP Act, a data principal’s consent must be free, specific, informed, unconditional and unambiguous, and needs to be provided with a clear affirmative action – thereby signifying an agreement with a data fiduciary to process such individual’s personal data for a ‘specified purpose’ (such consent, a “Valid Consent”). Thereafter, data processing activities need to be limited to the information necessary for the purpose specified in the ‘notice’ and/or ‘request for consent’, respectively. For an overview on organizational planning for consent management, see our note here.

Obtaining consent for data processing in internal investigations

As discussed above, the threshold for a Valid Consent under the DPDP Act is high, and where consent is the basis of processing, the onus of proving that a Valid Consent was given by the data principal lies with the data fiduciary. Further, the data principal will have the right to withdraw their consent at any time, and as easily as it was given, following which processing must cease and the relevant personal data must be erased, unless its retention is required under applicable law.

In addition, on account of the power imbalance and one-sided economic dependence inherent in a typical employment relationship, consent obtained in the context of an internal investigation may not represent (or be perceived to represent) an employee’s genuine choice, and may therefore not be regarded as freely given.

Further, while an employee’s omnibus consent to processing in respect of future investigations may be obtained upfront as part of an employment contract, such consent may not be considered valid either, since it may not be interpreted as “specific” with regard to the purpose of each investigation.

Given the sensitive nature of an internal investigation, consent may therefore not always be a viable basis for processing, since seeking consent from accused employees may tip them off and prejudice an investigation’s findings.

That said, for some types or stages of an investigation, obtaining specific consent may be both viable and desirable – e.g., with respect to recorded video interviews or CCTV surveillance.

ii. Legitimate use

The DPDP Act does attempt to address these concerns and sets out certain grounds or legitimate uses for the disclosure or processing of personal data without the consent of the corresponding data principal.

Purposes of employment

The DPDP Act appears to permit non-consensual data processing for employment purposes, including for purposes to safeguard the employer from loss or liability, such as prevention of corporate espionage (such provision, the “Employment-Related Provision”). Subject to how expansively the Employment-Related Provision is interpreted, processing for the purpose of internal

Other Exempted Situations

Section 17 of the Act specifies the following situations where, subject to additional qualifications, some provisions of the Act related to the general obligations of a data fiduciary, the rights and duties of a data principal, and special provisions related to the processing of personal data outside India (“Exempted Provisions”), will not apply (such situations, “Other Exempted Situations”):

  • the processing of personal data is necessary for enforcing any legal right or claim; or
  • personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any Indian law in force.

Depending on how these circumstances come to be interpreted, non-consensual data processing in the context of internal investigations may be permitted under the Other Exempted Situations, since the Exempted Provisions (including the consent-related obligations) would not apply in such situations – except that a data fiduciary will nevertheless remain obliged to:

  1. comply with the Act and its rules in respect of processing, including as undertaken on its behalf by a data processor, irrespective of any agreement to the contrary; and
  2. protect personal data in its possession or under its control, including in respect of processing undertaken by a data processor on its behalf, by taking reasonable security safeguards to prevent a breach of such personal data.

THE WAY FORWARD

In follow-up notes, we will compare the issues related to (i) Valid Consent, (ii) legitimate use, and (iii) Other Exempted Situations, respectively, with respect to data processing in the context of internal investigations, including in light of the rules related to the DPDP Act once a draft of such rules is released.


This insight has been authored by Dr. Deborshi Barat (Counsel), Reshma (Vaidya) Gupte (Counsel) and Siddhi Kudalkar (Associate). They can be reached on dbarat@snrlaw.in, rgupte@snrlaw.in and skudalkar@snrlaw.in, respectively, for any questions. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content. © 2024 S&R Associates