Why Employment Surveillance Clauses Are Void, Not Just Risky, Under DPDP Regime

Update: 2026-07-06 04:30 GMT
Click the Play button to listen to article

Employment contracts and onboarding policies across Indian companies now routinely contain clauses authorising the employer to track emails, log keystrokes, monitor browsing activity, and capture screenshots. Compliance guides issued after the Digital Personal Data Protection Rules, 2025 came into force have encouraged exactly this: insert a monitoring clause, call it “legitimate use,” move on. The advice treats the clause as a compliance checkbox. It is not. Most of these clauses are void.

The Digital Personal Data Protection Act, 2023 (“DPDPA”) permits an employer to process personal data in two ways only: consent under Section 6, or a listed “legitimate use” under Section 7. Section 7(i) lets employers process data without consent for the “purposes of employment,” giving three examples: preventing corporate espionage, protecting trade secrets, and safeguarding classified information. Every one of these examples is defensive and security-specific. None of them describes continuous keystroke logging or blanket email surveillance of an entire workforce.

That gap is where the surveillance clause does its work. Drafted broadly enough, it lets an employer claim two things at once: that the monitoring falls within “purposes of employment” under Section 7(i), and, as a fallback, that the employee's signature on the offer letter constitutes valid consent under Section 6. Both claims fail, and the second fails for a reason rooted in contract law that predates the DPDPA by a century and a half.

Why Consent Cannot Save These Clauses

Section 6 of the DPDPA requires consent to be free, specific, informed, and given through clear affirmative action. “Free” consent carries the same meaning Section 14 of the Indian Contract Act, 1872 gives it: consent unaffected by coercion, undue influence, or any other vitiating factor. An employee who is handed a monitoring authorisation as part of the onboarding bundle, with the offer of employment riding on the signature, is not in a position to withhold it. Declining to sign is not a real option. It is functionally identical to declining the job.

This is not a marginal objection to the consent route. It is the reason Section 7(i) exists at all. Parliament built a consent-free pathway for employment data processing because it recognised that employees cannot meaningfully consent to terms set by the party paying their salary. Having built that pathway, the DPDPA cannot simultaneously be read to allow employers to manufacture the very consent the statute treats as structurally unavailable, simply by routing it through a contract clause instead of a standalone form.

A challenge along these lines might first look to coercion or voidability under the Contract Act. Both routes are weaker than they appear. Section 15 defines coercion as committing or threatening an act forbidden by the Penal Code, or unlawfully detaining property; the economic pressure of a take-it-or-leave-it job offer does not meet that bar. Section 16, on undue influence, fits the employer-employee relationship far better: one party in a position to dominate the other's will, using that position to extract an unfair term. But a contract vitiated by undue influence is only voidable under Section 19A. It stays valid until the employee challenges it, the burden of proof sits with the employee, and a limitation period runs against the claim. For a workforce that mostly has neither the resources nor the appetite to litigate an employment contract clause, voidable protection is close to no protection at all.

The Stronger Route: Section 23 and a Void Object

Section 23 of the Indian Contract Act renders an agreement's object unlawful, and therefore void, where it “defeats the provisions of any law.” Void here does not mean voidable. It means the clause confers no rights from the moment it is signed. No challenge is required. No limitation period applies. The employee does not have to do anything for the clause to fail to operate.

The question is whether a broad employment surveillance clause defeats the DPDPA's provisions. It does, for two compounding reasons. First, the clause attempts to generate Section 6 consent in a setting where the DPDPA's own structure, through Section 7(i), implicitly concedes that free consent cannot exist. Second, where it goes further and authorises monitoring beyond what Section 7(i)'s illustrative list covers, it expands a narrow, defensively-framed statutory exception into a general licence for workplace surveillance, using private contract to override a limit Parliament set for a reason. A surveillance clause that does either of these things has an object that defeats the statute. Under Section 23, that makes it void, not merely contestable.

This matters because K.S. Puttaswamy v. Union of India, Writ Petition (Civil) No 494 of 2012, is not background colour to this argument. A nine-judge bench held unanimously that the right to privacy is protected under Articles 14, 19, and 21, encompassing informational autonomy and protection against surveillance that reshapes how people act. The DPDPA is the legislature's implementation of that holding. A contract clause that defeats the DPDPA is not simply violating a statute; it is defeating the legislative mechanism built to protect a right the Supreme Court has already recognised as constitutional. Section 23 was written for exactly this kind of conflict between private agreement and public law.

What the Employer's Best Argument Looks Like, and Why It Still Loses

The strongest defence available to an employer is that Section 7(i)'s “purposes of employment” language is undefined and therefore elastic enough to cover broader monitoring, since the three examples given are illustrative rather than exhaustive. This argument has some textual force. An undefined phrase in a statute is, in principle, open to a wider reading than its examples suggest.

It fails for two reasons specific to this provision. First, every illustrative example Parliament chose, corporate espionage, trade secrets, classified information, is security-oriented and targeted. None gestures toward productivity monitoring, behavioural profiling, or continuous logging of an entire workforce regardless of role or access level. Statutory illustrations narrow the field even when they do not close it; an “elastic” reading of “purposes of employment” still has to stretch toward something in the same family as its own examples, not away from it. Second, and more fundamentally, an employer's classification of a measure does not control whether the measure is actually within Section 7(i)'s scope. Calling continuous keystroke logging “espionage prevention” does not make it espionage prevention if it sweeps in employees with no access to anything an espionage clause would protect. The proportionality logic the Supreme Court has applied to privacy restrictions generally, requiring that an intrusion be necessary and the least restrictive option available for a legitimate aim, has direct relevance here even outside formal state action, since Kaushal Kishor v. State of U.P., WRIT PETITION (CRIMINAL) NO. 113 OF 2016 confirmed that Articles 19 and 21 carry horizontal application against private actors, with a positive State duty to protect those rights from non-State infringement. A legislature that creates a data protection statute under that duty, and then allows contract to hollow it out, has not discharged the duty.

What This Means in Practice

For employers, the practical consequence is that a surveillance clause copied from a compliance template is not a shield. If the clause authorises monitoring beyond Section 7(i)'s defensive scope, or tries to manufacture consent the DPDPA's own structure says cannot exist in this setting, the clause is void from the date it was signed. It generates no protection against a later claim, and the absence of litigation to date does not mean the clause is safe; it means no one has yet been forced to test it.

For employees, the practical consequence runs the other way. A void clause needs no court order to fail. It already confers nothing. The protection exists in the statute book today, ahead of the Data Protection Board becoming fully operational and ahead of any enforcement action setting precedent.

The deeper problem is legislative, not interpretive. India has no equivalent to Article 88 of the GDPR, which directs EU member states to write specific rules for employee data processing. Section 7(i) treats employment as one item on a list that also includes medical emergencies and state functions, categories that share nothing with employment except that consent is impractical for all of them. That category-flattening leaves no statutory floor for what employer monitoring can look like. Until Parliament or the Data Protection Board fills that gap with rules built for the employment relationship specifically, Section 23 of a nineteenth-century contract statute is doing the work India's twenty-first-century data protection law has not yet done.

Author Kshitij Saruparia is an Advocate at Hyderabad & Apeksha Kachhawaha is a Law graduate. Views are personal.


Tags:    

Similar News

The Judge Who Did Her Duty