Corporate Espionage or Corporate Overreach? The Hidden Risks of Section 7(i) of Digital Personal Data Protection Act, 2023

Employment, Espionage, and the Thin Line Between Protection and Overreach
23 June 2026 by
BlockEdge Solutions
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is often described as India’s first modern digital privacy statute, but that description understates its practical impact. For companies, especially employers, the Act is not merely about consent screens and privacy notices. It creates a legal architecture for how personal data may be processed, retained, shared, and challenged. Among its most interesting and potentially contentious provisions is Section 7(i), which permits processing without consent for “the purposes of employment” and for safeguarding the employer from loss or liability, including prevention of corporate espionage, protection of trade secrets, intellectual property, and classified information.

This clause is deceptively short. In application, it raises difficult questions of proportionality, necessity, workplace surveillance, employee dignity, internal investigations, and the fine line between legitimate corporate protection and unlawful data overreach. From a litigation standpoint, Section 7(i) is best understood not as a blank cheque, but as a narrow statutory exception that must be tightly justified, documented, and defended.

What Section 7(i) actually allows
Section 7(i) allows a Data Fiduciary to process personal data without consent for employment-related purposes. The language further includes measures related to safeguarding the employer from loss or liability, such as the prevention of corporate espionage; maintenance of confidentiality of trade secrets, intellectual property, and classified information; or provision of a service or benefit sought by an employee.

This means the provision is designed to serve legitimate workplace and business-protection interests. Payroll administration, employee record maintenance, access-control systems, insider-threat detection, official communications, internal compliance tracking, and employee-benefit administration may, depending on the facts, fall within this framework. The clause is therefore not anti-employee by design. Rather, it acknowledges that employment itself creates a lawful need to process personal data even where consent is neither practical nor necessary.

But the operative word here is necessary. That is where the dispute begins.

The real controversy: how wide is “employment”?
The phrase “purposes of employment” is not defined exhaustively in the Act. This gives the provision flexibility, but it also creates litigation risk. In a future dispute, courts, regulators, and the Data Protection Board may be asked to decide whether a particular monitoring practice is genuinely employment-related or merely convenient for the employer.

For instance, processing salary details, attendance logs, official email identifiers, and access permissions is easy to defend. But if the employer begins monitoring every keystroke, recording screens continuously, scraping private messaging data, or analyzing employee behaviour across devices without a clear and specific justification, the question changes. The issue is no longer whether the data was collected during employment. The issue is whether the processing was necessary for employment purposes or for protection against loss and liability.

That distinction matters because privacy law does not reward vague necessity claims. It demands a defensible purpose.

Corporate espionage: legitimate ground, dangerous pretext
The reference to corporate espionage is important. It signals legislative recognition that modern enterprises need lawful tools to protect trade secrets, intellectual property, confidential databases, source code, strategic communications, and internal access systems. In sectors such as technology, finance, pharmaceuticals, defense contracting, consulting, and research, the threat of data exfiltration is not imaginary. It is operational reality.

However, the same phrase can also become a convenient pretext. A company may justify excessive monitoring by invoking “espionage prevention” even where the real objective is productivity surveillance, labour control, or post hoc employee discipline. That is precisely where litigation risk intensifies.

A court or regulator will likely ask:

  • Was there a specific risk or incident?
  • Was the monitoring targeted or blanket?
  • Was the processing proportionate to the threat?
  • Was the data retained only for as long as needed?
  • Could the employer have used a less intrusive method?

If those questions cannot be answered convincingly, the employer’s Section 7(i) defense becomes vulnerable.

Why employers should worry about overreach
In the long run, over-reading Section 7(i) creates serious operational and legal problems.

First, it leads to scope creep. A company that begins with reasonable controls over confidential systems may gradually expand into wide-ranging surveillance of email traffic, device activity, screen behavior, location data, and employee communications. Once this happens, the processing no longer looks like narrow anti-espionage protection; it looks like systematic monitoring.

Second, it erodes employee trust. Employees who believe they are under constant watch are less likely to communicate freely, report misconduct, or use internal systems naturally. This damages workplace culture and may actually impair compliance. A surveillance-heavy environment often produces the very risk it was supposed to prevent: hidden communication channels, off-platform messaging, and reduced transparency.

Third, it creates retention and discovery risk. The more data you collect, the more data you must secure, justify, and possibly produce in a dispute. If an employee complains before the Data Protection Board, the employer may need to explain why the monitoring existed, what data was collected, who had access to it, how long it was retained, and why it was still necessary. Surveillance data is not only a security asset; it is also potential evidence against the employer.

Fourth, it increases breach exposure. Logs, telemetry, behavioural analytics, and internal monitoring records are attractive targets for attackers. If such data is over-collected and over-retained, the organization magnifies its own breach surface. A company cannot say it is protecting confidential information while simultaneously building an oversized repository of sensitive employee data without strong controls.

Real-world style scenarios
Consider a software company that introduces endpoint monitoring to protect source code and prevent leakage. That is a defensible use case. But then it starts recording all screens of remote developers, logging every application switch, capturing webcam snapshots, and analysing break-time movement patterns. If challenged, the company may struggle to show that all of that was necessary to prevent espionage.

Or consider an employee who resigns from a financial services firm. The employer, worried about client poaching, continues to monitor email archives, chats, and device logs for months after exit. Unless there is a specific and documented investigation, the employer may have crossed from legitimate protection into over-retention and overprocessing.

Or take recruitment. A company may ask for sensitive identity documents and social media access during hiring “for security.” If later it cannot explain why those materials were necessary for employment purposes, a rejected candidate may argue that the collection was excessive and unjustified.

These examples illustrate a consistent principle: the existence of a broad business concern does not automatically validate broad data processing.

The litigation posture under the DPDP Act
The DPDP Act places the burden of justification on the Data Fiduciary when consent is not the basis of processing. In litigation terms, this is a critical point. A company invoking Section 7(i) should be prepared to demonstrate the following:

  • The data processed was connected to employment or a specific protection need.
  • The processing was limited to what was necessary.
  • The purpose was documented in internal policy or security rationale.
  • The retention period was reasonable.
  • Access was restricted to authorised personnel.
  • The data was not reused for unrelated purposes.

If the employer cannot show these elements, the processing may appear arbitrary, excessive, or unlawful. This is especially true where the employer uses monitoring tools purchased from third-party vendors without conducting a privacy and compliance review.

From a techno-litigation perspective, the biggest mistake is assuming that “we are the employer” equals “we are entitled to process anything.” The Act does not support that mindset. It supports limited, purpose-specific processing in a defined employment context.

Compliance discipline that survives scrutiny
The safest approach is to treat Section 7(i) as a narrowly tailored exception. Employers should document the business need, define the purpose, minimize the data collected, limit retention, and periodically review whether the monitoring is still necessary. Security policies should be matched by data-mapping, access logs, retention schedules, escalation protocols, and internal approval structures.

If the organisation relies on monitoring for anti-espionage purposes, the policy should clearly identify the following:

  • what data is collected,
  • for what risk,
  • by whom it is reviewed,
  • for how long it is stored,
  • and when it must be deleted.

A privacy notice may not always be mandatory in the same way as it is for consent-based processing, but transparency remains a powerful defence. Employees are more likely to accept limited monitoring when the scope is clearly defined and the purpose is tied to a real risk. Ambiguity, by contrast, is what generates complaints.

Conclusion
Section 7(i) is one of the DPDP Act’s most practically important and legally sensitive provisions. It recognizes that employment is not privacy-neutral and that businesses must protect confidential information, trade secrets, and systems from misuse. But it does not authorize unfettered workplace surveillance. Corporate espionage prevention is a valid ground only when the processing is truly connected to employment and genuinely necessary to safeguard the employer from loss or liability.

The long-term risk is not the existence of the exception. The long-term risk is its abuse. A company that treats Section 7(i) as a surveillance license will eventually create compliance exposure, employee distrust, and litigation vulnerability. A company that treats it as a narrow risk-control tool will be far better positioned if and when the Board, the Tribunal, or a court asks the hard question: was this processing really necessary, or merely convenient?

