Workplace Surveillance Laws in India: Employee Privacy Rights

Okay so here's a fun thing that happened to a friend of mine last year. She works at a mid-size IT company in Pune — not one of the big names, but a company with about 800 employees. She was working from home one Wednesday afternoon and decided to take a 15-minute break to browse Myntra during a slow period. Didn't think anything of it. The next morning, her manager sent her a message: "Let's make sure we're staying focused during work hours." No other context. No explanation of how he knew. Just that one message, dripping with passive-aggressive energy.

Turns out the company had installed ActivTrak on all employee laptops six months earlier. Nobody told her. There was no announcement, no email, no updated policy document. The software was capturing screenshots every five minutes, logging which applications she used and for how long, and generating productivity reports that went directly to managers. She found this out not because the company disclosed it, but because a colleague in the IT department mentioned it casually over chai.

That story isn't unusual. It might even be the norm now. And the question of whether it's legal, ethical, or something employees can push back against in India is... complicated. More complicated than it should be.

The Post-2020 Surveillance Explosion

Before COVID, most workplace monitoring in India was physical. CCTV cameras in the office. Biometric attendance systems at the entrance. Maybe some network monitoring on the company Wi-Fi. It was visible, predictable, and somewhat limited in scope. You knew you were being watched in the office. You weren't being watched at home.

The pandemic changed that overnight. When millions of Indian employees shifted to remote work in March 2020, employers panicked. They couldn't see their people. They couldn't walk by their desks. So they bought software. A lot of software.

Hubstaff, Time Doctor, ActivTrak, Teramind, DeskTime, Veriato — the list of "employee monitoring" or "productivity tracking" tools that saw massive adoption in India between 2020 and 2022 is long. The Indian market for employee monitoring software grew by roughly 200% between 2020 and 2024, according to an estimate from a workforce analytics firm. TCS reportedly implemented its own internal monitoring system for remote workers. Infosys, Wipro, and HCL Tech all adopted various forms of digital productivity tracking. And hundreds of smaller companies, startups, and BPOs installed whatever was cheapest and easiest to deploy.

What do these tools actually do? It varies by product and configuration, but here's the general picture. Most of them take periodic screenshots of the employee's screen — every 5, 10, or 15 minutes. Many track keystrokes, either counting them (to measure "activity") or logging them (to record what's typed). They monitor which applications are open and for how long. They categorize apps and websites as "productive" or "unproductive" based on settings configured by the employer. Some track mouse movements to detect whether you're actually at your computer. Some record the employee's webcam at random intervals. And some — this is the part that gets genuinely creepy — monitor clipboard content, email subject lines, and file transfers.

The remote work wave receded somewhat through 2023 and 2024 as many Indian companies pushed for return-to-office. But the monitoring tools didn't go away. Many companies kept them installed, now using them for hybrid workers or simply because the productivity data had become addictive to management. Once you can see exactly how many hours your team spent in "productive" applications, it's hard to give that up.

What the Law Says (Which Isn't Much)

Here's where I get skeptical. People talk about employee privacy rights in India as if there's a clear legal framework protecting workers from surveillance. There isn't. Not really. What we have is a patchwork of constitutional principles, an IT Act that was written before smartphones existed, an employment law situation that hasn't been comprehensively updated in decades, and a data protection law that's too new to have generated meaningful precedent.

The Constitution is the starting point. The Supreme Court's Puttaswamy judgment in 2017 established the right to privacy as a fundamental right under Article 21. That's a big deal philosophically. But the Court also said that privacy rights can be restricted when there's a legitimate state interest (or, by extension, a legitimate private interest) and the restriction is proportionate. What "proportionate" means in the context of an employer taking screenshots of your screen every five minutes hasn't been litigated. So we don't actually know where courts would draw the line.

The Information Technology Act, 2000, is sometimes cited as giving employers monitoring rights. Section 43A requires organizations to protect sensitive personal data, and the SPDI Rules of 2011 flesh this out with requirements around consent and disclosure. But these provisions were designed to protect customer data, not to regulate employer-employee surveillance. They apply, technically, but they weren't written with this scenario in mind. An employer could argue that monitoring company-owned devices falls under their right to protect their own IT infrastructure under Section 69B of the IT Act, which allows the government to monitor electronic data for cybersecurity purposes. Stretching that to cover a private employer watching an employee browse Myntra requires some creative legal interpretation.

The DPDPA (Digital Personal Data Protection Act, 2023) is more relevant but still young. Under the Act, employers are "Data Fiduciaries" who process employees' personal data. That means they need to obtain informed consent, state the purpose of data collection clearly, limit what they collect to what's necessary for that purpose, and give employees the right to access and correct their data. On paper, this should mean that an employer can't install keystroke logging software without telling you, can't capture your webcam without your consent, and can't use monitoring data for purposes beyond what was disclosed.

In practice? I'm not aware of a single DPDPA enforcement action against an Indian employer for employee surveillance as of March 2026. The Data Protection Board is still getting its legs under it. And most employees, even if they knew their rights, aren't going to file a complaint against their current employer. The power imbalance is too large. Filing a data protection complaint against the company that pays your salary is a career risk most people won't take.

Company Devices vs. Personal Devices

There's a meaningful legal and practical distinction here, even if the lines are blurry.

When you're using a company-owned laptop, phone, or network, the employer has a stronger argument for monitoring. They own the hardware. They pay for the internet connection. The device is provided for work purposes. Most employment agreements include a clause stating that company equipment should be used for work-related activities and that the company reserves the right to monitor usage. If you signed that agreement — and you probably did, buried on page 17 of the appointment letter — you've given some form of consent to monitoring on company devices.

How far that consent extends is debatable. Consenting to "the company may monitor usage of company equipment" is different from consenting to "the company will take a screenshot of your screen every three minutes, log every website you visit, record your keystrokes, and flag you if you spend more than ten minutes on a non-work application." The specificity matters under the DPDPA. Consent should be informed — meaning you should know exactly what's being monitored, how the data is used, and how long it's retained. A vague clause in an employment agreement probably doesn't meet that standard, though nobody's tested this in court yet.

Personal devices are a different story. The BYOD (Bring Your Own Device) trend means many Indian employees use their personal phones and laptops for work, especially in startups and smaller companies that don't provide hardware. When an employer installs Mobile Device Management (MDM) software on your personal phone, the software can potentially access your personal data — photos, messages, app usage, location. The legal basis for this is shaky at best. You own the device. The employer's legitimate interest in protecting work data doesn't extend to surveilling your personal life on your own hardware.

Some MDM solutions claim to partition work and personal data, creating a separate "container" for work apps and data that the employer can manage without accessing personal content. Samsung Knox and Android's work profile feature do this reasonably well. But the implementation varies, and I've heard from employees whose companies installed MDM solutions that required broad device permissions — access to location, contacts, call logs — that went well beyond what was needed for the work container. When you're told "install this or you can't access work email on your phone," the consent isn't exactly free, regardless of what the DPDPA says.

The Bossware Boom

The industry has a name for the more aggressive monitoring tools: bossware. The term was coined by the Electronic Frontier Foundation, and it captures the spirit pretty well. Bossware isn't just about tracking productivity. It's about control.

Teramind, one of the more popular tools in Indian BPOs and IT companies, can record every keystroke an employee types — including passwords, personal messages, and private email content if typed on a monitored device. It can capture video of the employee's screen in real-time. It can flag "risky behavior" like visiting job listing sites, copying files to USB drives, or sending emails with attachments to external addresses. That last one might sound like a reasonable data loss prevention measure, and it can be. But it's also a tool for identifying employees who are looking for other jobs or communicating with competitors.

Hubstaff, popular among Indian startups and remote-first companies, takes random screenshots and measures "activity levels" based on keyboard and mouse input. If you step away from your computer for five minutes to make tea, your activity score drops. Managers see this in a dashboard. Some companies tie activity scores to performance reviews. The implication is that sitting at your computer and typing equals working, which anyone who's ever done knowledge work knows is absurd. Thinking, planning, and problem-solving don't generate keystrokes.

There are Indian companies building bossware too. We360.ai, Workstatus, and DeskTrack are Indian-made employee monitoring platforms marketed specifically to the domestic market. They're generally cheaper than international alternatives, which makes them accessible to small and medium businesses. Some of them offer "stealth mode" installation — meaning the software can be installed on an employee's computer without any visible indication that it's running. That's monitoring without disclosure. Under the DPDPA, it's almost certainly illegal. But the enforcement gap means it happens anyway.

GPS Tracking and Field Employees

For employees who work in the field — delivery drivers, sales representatives, maintenance technicians — surveillance often takes a more physical form. GPS tracking is standard practice. Companies like Locus, Delhivery, and Shadowfax track their delivery fleet in real-time. Sales force automation tools like Vymo and LeadSquared track sales reps' locations throughout the day, verifying that they visited the client sites they reported visiting.

The privacy issue here is less about whether GPS tracking during work hours is legitimate (it probably is, for roles where location verification is part of the job) and more about scope creep. Does the tracking stop when the shift ends? For delivery drivers using company-owned phones, the answer is often no — the phone is GPS-enabled 24/7, and the tracking continues even after working hours. Some companies require field employees to install tracking apps on their personal phones, which means the employee's personal movements, weekends and holidays included, are potentially visible to the employer.

A labor rights organization in Chennai documented cases in 2025 where gig workers for food delivery platforms had their accounts suspended because GPS data showed they took "unauthorized breaks" or deviated from the suggested route. The workers weren't employees in the legal sense — they were classified as independent contractors — so employment protections, such as they are, didn't even apply. The platform's algorithm, fed by GPS data, made the suspension decision automatically. No human reviewed it.

Email Monitoring — Everyone Does It, Nobody Talks About It

Reading employees' emails on company accounts is perhaps the oldest form of digital workplace surveillance, and it's the one companies are most comfortable defending. "It's our email system, our domain, our servers" goes the argument. And legally, they're probably right. Email sent through a company account on company servers doesn't carry a reasonable expectation of privacy in most jurisdictions, and Indian courts haven't ruled otherwise.

But "we can read your email" and "we're actively scanning all employee email using AI tools to flag keywords related to resignation, competitor mentions, legal disputes, and union activity" are different things. The former is a right that's rarely exercised. The latter is a surveillance practice that some larger Indian companies have quietly adopted. Email DLP (Data Loss Prevention) systems from vendors like Symantec, Microsoft Purview, and Forcepoint scan outgoing emails for sensitive content — which might include trade secrets, customer data, or proprietary code. That's a legitimate security measure. But the same systems can be configured to flag emails mentioning "resignation letter," "interview schedule," "labor commissioner," or "union meeting." The line between security and surveillance depends entirely on who's writing the rules for the DLP system, and employees usually don't get a say.

What Employees Can Push Back On

I want to be practical here because abstract legal analysis doesn't help if you're sitting at your desk (or kitchen table) wondering whether your employer is watching.

First, ask. Under the DPDPA, you have the right to know what personal data your employer collects and how they process it. Send an email to HR or your company's Data Protection Officer (if they have one — Significant Data Fiduciaries are required to appoint one) asking for a clear description of all monitoring tools deployed on your device, what data they collect, how long it's retained, and who has access. The act of asking creates a paper trail and puts the company on notice that someone is paying attention. Many companies haven't thought through their monitoring practices carefully, and the question alone sometimes prompts a review.

Second, check your employment agreement. If it mentions monitoring, note what it says specifically. If it doesn't mention monitoring at all, the company's legal basis for surveillance is weaker. Under the DPDPA's consent requirements, monitoring that wasn't disclosed at the time of employment may require fresh consent.

Third, separate your personal and work digital lives as much as possible. Don't use company devices for personal browsing, messaging, or social media. Don't store personal files on company cloud accounts. If you must use a personal device for work, understand what MDM software is installed and what permissions it has. Consider using a separate work profile on Android or a separate user account on your laptop.

Fourth, if you believe monitoring is excessive or undisclosed, document it. Take notes on what you observe — unusual system processes, disclosed or undisclosed software, incidents where managers reference information they shouldn't have. If you eventually decide to raise a complaint — internally through HR, externally through the Data Protection Board, or through legal counsel — documentation will matter.

Fifth, know the limits of what you can do while employed. This is the uncomfortable part. In India's job market, most employees can't afford to antagonize their employer over surveillance practices. The legal protections exist on paper but enforcing them is slow, expensive, and career-risky. The most practical protection for most people is awareness — knowing what's being collected and making informed decisions about what you do on monitored devices. That's not a satisfying answer. But it's an honest one.

Where This Goes From Here (And Why I'm Skeptical It Gets Better Soon)

The optimistic view is that the DPDPA will mature, the Data Protection Board will start enforcing employee data rights, courts will establish precedents that limit disproportionate surveillance, and companies will self-regulate under threat of penalties. The DPDPA already has the legal tools — consent requirements, purpose limitation, data minimization, the right to information. If these provisions are enforced meaningfully, the worst surveillance practices (undisclosed monitoring, keystroke logging of personal content, stealth installation, 24/7 GPS tracking) would become legally untenable.

The pessimistic view — and this is closer to where I land, if I'm honest — is that enforcement will lag behind practice for years. The Data Protection Board's capacity is limited. Employee complaints will be rare because of the power dynamic. The IT services industry, which employs millions of Indians and relies heavily on monitoring for client compliance and productivity management, will lobby against strict interpretation of employee surveillance rules. And the surveillance technology itself will keep advancing. AI-powered monitoring that analyzes facial expressions, tone of voice on calls, and typing patterns for "sentiment analysis" is already being marketed to Indian employers. The next generation of bossware won't just track what you do. It'll try to infer what you're feeling.

Whether Indian labor law, data protection law, or the courts catch up to that before it becomes the norm is the question I can't answer. What I do know is that the current situation — where millions of Indian employees are monitored by tools they didn't consent to, under legal frameworks that haven't been tested, with no practical recourse — isn't something that should feel normal. Even if, for now, it is.