含羞草社区

In August 2023, India enacted the Digital Personal Data Protection Act (DPDPA), a comprehensive data protection law regulating the management of personal data. Once in force, it will have a significant effect on the gig economy.

The gig economy has disrupted traditional employment, with the number of gig workers in the Indian workforce projected to reach 23.5 million by 2030. This transformation has been driven by digital platforms connecting gig workers with customers for a range of services, a process often referred to as platformisation. It highlights the role of data in real-time operations, from matching workers with consumers to personalising user experiences, setting dynamic prices, forecasting demand and encouraging participation by using algorithmic tools. These businesses are inherently data-driven, making compliance with the DPDPA a priority.

The existing data protection framework, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules), imposes specific obligations on entities handling sensitive personal data and information (SPDI). This includes passwords, financial data, health and medical information and biometric information. Consent is the sole ground for processing SPDI, and companies usually obtain such consent through employment contracts or privacy notices tailored to employees. However, the SPDI rules offer no alternative legal bases for processing personal data, nor do they address specific requirements for HR or employment data. Companies handling gig workers’ data often have to rely on privacy notices and partner agreements. There are two grounds in the DPDPA for processing personal data: consent and legitimate use. One legitimate use is processing employee data for employment-related purposes. However, the DPDPA does not define what an employment-related purpose is, leaving ambiguity to the status of how gig workers’ data may be processed.

The evolving legal status of gig workers complicates the issue. Usually treated as independent contractors, there have been pressing arguments to formalise their status. The government is looking to extend welfare benefits, such as social security, insurance, and safe working conditions, to gig workers. Legislation such as the Code on Social Security 2020 and the Karnataka Platform-Based Gig Workers (Social Security and Welfare) Bill, 2024, are steps in this direction. Courts are deciding whether gig workers are employees in specific circumstances. This shift challenges conventional employer-employee relationships and may redefine the legal basis for processing gig workers’ data.

Platforms often have significant control over gig workers. Many have requirements, such as mandatory dress codes or codes of conduct mirroring traditional employment. Platforms frequently track workers’ real-time locations, productivity and compliance. Such practices, combined with penalties for lateness or rejected assignments, blur the line between contractors and employees. Strict control may cause gig workers’ legal classifications to be re-evaluated. If gig workers are considered employees, processing of their data may satisfy the employment-related purpose exception in the DPDPA. This may simplify compliance with data protection law but will increase the platform’s obligations as an employer.

Platforms use data intensively to continuously track locations for route optimisation, encourage longer work hours through behavioural algorithms and collect personal data to improve customer support and the user experience. Whether such uses are employment-related purposes is uncertain because such data often serves commercial goals. Platforms may have to limit these practices to employment-specific purposes, where applicable.

Relying solely on employment-related purposes as justification for data processing without an analysis of a gig worker’s status and the corresponding processing activities is ill-advised. Platforms should be data minimalist, collecting only what is necessary for specific purposes. Precise retention schedules should be followed, ensuring data is retained no longer than required or until a gig worker’s association with the platform ends. As gig and data protection regulation develops, platforms must balance safeguarding personal data and fostering innovation. Adopting compliance-driven solutions will prevent platforms breaching DPDPA provisions as they strive for growth.

Ada Shaharbanu is a senior associate and Namita Kaushik is an associate at Spice Route Legal.