In August, India enacted the Digital Personal Data Protection Act. The legislation, which will come into effect at a later date to be decided by the Indian government, provides a way for companies to bypass obtaining consent to search personal data during an investigation.
In a typical investigation involving employee fraud, which requires extensive collection and forensic examination of laptop, email, and mobile data, the legislation guides on whether consent is required from the subject for processing of personal data. Processing encompasses activities such as forensic imaging and indexing of devices, and disclosure to third parties.
In contrast, personal data, which usually forms part of the data universe collected for investigations, includes any data by which an individual could be identified. Data collection invariably involves gathering personal data such as email IDs, signatures, and phone numbers; occasionally, it involves (more sensitive) personal data such as bank account details, identification numbers, medical records, passport information, etc.
Under the scheme of the legislation, barring a few cases, companies will now be required to either obtain the prior consent of the data principal (the individual to whom the personal data relates) in a specified manner or process the data for “certain legitimate uses” as an alternative to consent. The new law provides an interesting argument that dispels the requirement of personal consent in certain cases, including safeguarding the employer from loss or liability.
This is interesting because it may be argued that the processing of personal data in the context of an internal investigation commissioned by an employer may be considered essential for identifying malpractices and safeguarding the employer from continuous loss or liability due to the actions of its employees. In such cases, prior consent regarding employee data processing would be impractical and will not be necessary.
The new legislation also states that processing personal data to prevent, detect, or investigate offenses or contraventions under Indian laws, essentially including internal investigations, will not require prior consent from data principals. This means that if an investigation is conducted to ascertain the veracity of certain acts that may attract legal exposure or liabilities, the company will not be required to obtain the consent of data principals, including third parties.
For example, if a third party’s bank statements or details are found in an employee’s email box during an internal investigation, the company will be able to process such data without obtaining prior consent from the concerned third party. However, in all such cases, companies are required to take reasonable security safeguards to prevent breaches of personal data.
Considering the above, it may still be prudent to include in agreements and work orders with third parties provisions, among other requirements prescribed under the new legislation, stating that their personal data may be processed for internal investigations, subject to their sign-off if required. This is to cover all situations where investigations are conducted in relation to acts that may not necessarily attract legal exposure, such as violations of a company’s internal policies.
Further, any proactive internal reviews or anti-corruption due diligence in mergers and acquisitions may not necessarily lie under the exceptions provided by the legislation. Therefore, for all such reviews, it is prudent to obtain consent from data principals in a prescribed manner before processing their personal data.
Overall, the new legislation relaxes consent requirements for data processing in investigative matters. However, this is subject to any stricter stance that companies may adopt in their internal policies, which must be examined before data processing occurs.
Siddharth Gupta is Counsel at Trilegal. He is also a Chartered Accountant and Certified Fraud Examiner based in Delhi, India. He can be contacted here.
Sahil Bansal is a Senior Associate – White Collar Crimes at Trilegal. He can be contacted here.