Become a member

Get the best offers and updates relating to Liberty Case News.

― Advertisement ―

spot_img

Domestic Violence BNS Section 85 vs DV Act Explained

Understand how domestic violence BNS Section 85 and the Protection of Women from Domestic Violence Act, 2005 work differently — and together — to protect you.
HomeLaw for YouEmployer Surveillance DPDP India: Your Rights at Work

Employer Surveillance DPDP India: Your Rights at Work

In short: Employer surveillance in India is legal — no statute bans monitoring on company devices — but the law under the DPDP Act 2023, the IT Act 2000, and Supreme Court privacy rulings means any employer surveillance DPDP India framework must be reasonable, necessary, and proportionate to a legitimate business purpose.

Key points

  • No Indian law outright bans employers from monitoring activity on company-owned laptops, email, or messaging tools like Slack during work hours.
  • The Supreme Court’s Puttaswamy judgment established privacy as a fundamental right under Article 21, which courts have read to mean that employer monitoring must be justified, necessary, and proportionate — not arbitrary.
  • The IT Act 2000 and the SPDI Rules 2011 remain the active compliance framework for most organisations right now; the DPDP Act 2023 and DPDP Rules 2025 are being rolled out in phases, with full effect expected by mid-2027.
  • A 2023 Supreme Court majority ruling held that fundamental rights under Articles 19 and 21 can be enforced against private — not just government — employers, though this ruling remains contested.
  • The DPDP Rules 2025 were notified in November 2025 and set out detailed obligations for every organisation that processes personal data, including employee data.
  • Until Section 43A of the IT Act is formally repealed (scheduled for May 2027), the older SPDI Rules 2011 and the DPDP Act 2023 operate side by side.

Can your employer legally monitor your work laptop and email?

The short answer is yes — within limits. India does not have a single, dedicated law governing workplace surveillance. Instead, the framework is built from privacy principles, labour law norms, and data protection rules.

The IT Act 2000 permits employers to monitor activity on company computer resources, including documents, downloads, internet usage, and active or idle time. This includes tracking information that is generated, transmitted, received, or stored on a company device.

The Telegraph Act 1885 similarly allows interception and monitoring of information transmitted on a company device where there is a legitimate and reasonable business reason, and where the monitoring does not intrude into genuinely personal space.

In practical terms, if you are using a company-issued laptop, company email, or a company Slack account, your employer has a legally recognised basis to monitor how you use them during work hours.

What does the Puttaswamy privacy ruling mean for employees?

The Supreme Court’s landmark Puttaswamy judgment declared that privacy is a fundamental right protected under Articles 14, 19, and 21 of the Constitution.

The court set out a three-part test for any action that cuts into your right to privacy: there must be a law backing the action (legality); the action must serve a legitimate objective (necessity); and the action must have a rational connection to that objective and must not go beyond what is needed (proportionality).

The judgment does not directly address workplace surveillance. But courts, including the Delhi High Court, have applied its logic to mean that private employers must be able to justify monitoring with a legitimate reason — blanket, disproportionate surveillance is harder to defend.

Can employees claim privacy rights against a private employer?

This was a contested question for years. In a January 2023 judgment (Kaushal Kishor v. State of Uttar Pradesh), a Constitutional Bench of the Supreme Court held, by a four-to-one majority, that fundamental rights under Articles 19 and 21 can be enforced against private or non-State actors — not only against the government.

This is significant: it suggests employees may, in principle, assert their constitutional right to privacy against a private company that monitors them without justification. However, as noted below, this ruling itself remains contested and its full implications are still being worked out.

What is the current law employers must follow?

Two overlapping frameworks apply right now.

The IT Act 2000 and SPDI Rules 2011

Section 43A of the IT Act requires organisations handling sensitive personal data to maintain reasonable security practices. The SPDI Rules 2011, issued under that section, set specific obligations for collecting and processing sensitive personal data — including the data an employer might collect through monitoring.

These rules are the backbone of India’s active data protection compliance framework for most organisations today. They remain in force alongside the newer DPDP Act.

The DPDP Act 2023 and DPDP Rules 2025

The Digital Personal Data Protection Act 2023 was enacted on 11 August 2023. The DPDP Rules 2025 were notified on 13 November 2025, setting out detailed compliance obligations for every organisation that processes personal data — which includes employee data gathered through workplace monitoring.

The rollout is phased. The SPDI Rules 2011 will cease to apply only once Section 43A of the IT Act is formally repealed under Section 44(2) of the DPDP Act, which is scheduled to take effect in May 2027. Until then, organisations must comply with both regimes.

Comparing the two active frameworks for employer surveillance in India
FeatureIT Act 2000 + SPDI Rules 2011DPDP Act 2023 + DPDP Rules 2025
StatusIn force nowIn force (phased rollout, full effect by mid-2027)
Core obligationReasonable security for sensitive personal data (Section 43A)Lawful processing of all digital personal data with defined obligations
Monitoring scopePermits monitoring of company computer resources; employees must handle sensitive data carefullyImposes broader obligations on any organisation processing personal data, including employee data
When it stops applyingWhen Section 43A is repealed (scheduled May 2027)Ongoing, permanent framework going forward
Primary sourceIndia Code — IT Act 2000India Code — DPDP Act 2023; DPDP Rules 2025 (Gazette G.S.R. 846(E))

What does proportionate monitoring look like in practice?

Courts and the legal framework together suggest a few practical principles, even though no single statute spells them all out:

Legitimate purpose: Monitoring must serve a real business reason — security, productivity, compliance — and not be arbitrary or punitive.

Company devices vs personal devices: Monitoring on company-owned hardware is on much stronger legal footing than attempting to access an employee’s personal phone or personal email accounts.

Notice: Employers are on stronger ground when employees know monitoring is happening — for instance, through an IT policy or employment contract clause.

Proportionality: Reading every private message an employee ever sends, or monitoring activity outside work hours on personal accounts, is far harder to justify under the proportionality test the Supreme Court articulated.

For a broader look at how privacy and data protection rules affect everyday situations, see the Law for You guides on The Courtroom, which cover a range of rights in plain language.

What should you do if you think your employer is monitoring you unfairly?

Start by checking your employment contract and your organisation’s IT or data use policy. Most lawful monitoring will be disclosed there.

If you believe monitoring has gone beyond what was disclosed, or has extended to personal accounts and devices without justification, you may have grounds to raise a formal grievance with your HR department or, depending on your sector, with a relevant regulator.

Given that the DPDP framework is still being phased in and the law is actively evolving, consulting a qualified advocate before taking formal action is strongly advisable.

Frequently asked questions

Can my employer read my personal WhatsApp or Gmail on a company laptop?

The legal basis for employer surveillance in India covers activity on company computer resources and company accounts. Monitoring your personal WhatsApp or personal Gmail — even on a company device — is far harder to justify under the proportionality and legitimate-purpose standards that flow from the Puttaswamy privacy ruling and the DPDP Act framework. You should check your employer’s IT policy, and if in doubt, avoid accessing personal accounts on work devices.

Does the DPDP Act 2023 apply to employee data right now?

Yes, the DPDP Act 2023 is in force and the DPDP Rules 2025 (notified in November 2025) set out compliance obligations for organisations processing personal data, which includes employee data. However, the rollout is phased: the older SPDI Rules 2011 under the IT Act continue to apply alongside the DPDP Act until Section 43A of the IT Act is formally repealed, which is scheduled for May 2027.

Can a private company employer violate my fundamental right to privacy?

A 2023 Supreme Court Constitutional Bench majority held that fundamental rights under Articles 19 and 21 — including the right to privacy recognised in Puttaswamy — can be enforced against private actors, not only the State. This means employees may in principle assert privacy rights against a private employer. However, this ruling is noted to be contested, and its full legal implications continue to be debated. A qualified advocate can advise you on your specific situation.

Primary sources

Written by Editorial Team, The Courtroom · Last verified 2026-07-09

This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.