Back to Asia Pacific Regional Forum publications

Anshul Prakash
Khaitan & Co, Mumbai
anshul.prakash@khaitanco.com

Abhinav Rastogi
Khaitan & Co, Mumbai
abhinav.rastogi@khaitanco.com

Deeksha Malik
Khaitan & Co, Mumbai
deeksha.malik@khaitanco.com

 

Introduction

India offers one of the largest online markets in the world. While the growing internet infiltration in the country is commendable as it brings tremendous opportunities and avenues for growth, it is hard not to be aware of the plethora of forms in which this powerful tool can be misused. Social media is an area where instances of such misuse abound. Facebook, Twitter, LinkedIn, WhatsApp and Instagram are a few of popular social networking sites providing e-communication within today’s society.

When it comes to employee social media use, employers may find it difficult to regulate inappropriate activity, most of which occur in an employee’s personal space. In this article, we examine the legal jurisprudence and the best practices that surround the central theme of regulating employees’ social media use from an Indian employment law perspective.

Understanding the legalities in regulating social media use

Right to privacy concerning non-state actors

In India, while right to privacy has been recognised as a fundamental right of an individual, the same is only enforceable against the state or entities performing a public function. In its landmark judgment in Justice K S Puttaswamy (Retired) v Union of India (2017) 10 SCC 1], India’s Supreme Court acknowledged that the capacity of non-state actors (the private sector) to invade the home and privacy has been enhanced, but it did not expressly recognise a right to privacy against such entities, leaving it to the government to draft a suitable legislation on data protection.

This, however, does not mean that a private sector employer can have an unfettered power of surveillance over their employees’ social media use. The Information Technology Act 2000 ('IT Act') prohibits a person from accessing or securing access to a computer/network and from extracting any data without the computer/network owner’s permission, the breach of which may entitle a person to claim compensation. Having said that, an employer may, using their IT systems, regulate social media use by employees when such activities are being carried out on a device provided by the employer. An employer would require an employee’s written consent before monitoring social media activities on an employee’s personal system.

Consent for collection/use of sensitive personal information

Even where the employer keeps an eye on any social media use by their employee conducted on its own systems, it would be required to comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ('IT Rules') framed under the IT Act. The rules protect employees from access to or use by an employer of any information that would qualify as ‘sensitive personal data or information’. The term ‘sensitive personal data or information’ implies information personal to employees including their passwords, financial details, medical records and biometric information. The IT Rules stipulate obtaining a written consent of the provider of such personal information and taking steps to ensure that: (a) such an individual is made aware of the purpose of collection of information; and (b) reasonable security practices in relation to possession and use of information are implemented.

Subject to the above legal requirements, employers can take suitable measures to protect their intellectual property/brand interests from any improper employee use on social media. A robust social media policy can go a long way in ensuring reasonable use of social media by employees and in enabling the employer to take suitable pre-emptive and remedial action against employees in the event of actual or threatened misuse of social media by them to the detriment of the employer.

Crafting a robust social media policy and a measured surveillance mechanism

The IT Rules require a corporate body to have a privacy policy for collection and processing of one’s sensitive personal information. Such an entity is also required to put in place a comprehensive information security programme policy setting out security control measures relating to the information assets it is seeking to protect. Apart from these policies, however, it is also imperative to have a specific social media policy that enables employees to understand which actions are permissible and what could possibly be considered as a breach on their part resulting in disciplinary/legal action. Such a policy should entail certain restrictions/prohibition on the use of social media by an employee – courts in India do recognise that stipulations in employment contracts or service regulations which operate during terms of employment are necessary to protect the employer’s interests and are valid and enforceable. Stipulations relating to confidentiality, non-solicitation and misrepresentation may apply even in a post-employment scenario.

A good starting point would be to define what the term ‘social media’ entails. The description should be wide enough to include all such applications where one can share content simultaneously. The employer can give certain examples such as Facebook, Twitter, Instagram and such others, to clarify the platforms intended to be covered in the policy.

A robust and detailed social media policy should cover the following aspects:

• prohibition on any social media activity that could endanger the business interests (including confidential information and intellectual property) or reputation of the employer or its affiliates, subsidiaries, partners, vendors and clients;

• prohibition on use of a social media platform for the purpose of harassing, making disparaging remarks, impersonating or discriminating against the organisation and/or any member of the organisation;

• prohibition on internet postings which spread misinformation, or may create hatred/conflict among communities, or are in breach of applicable laws;

• prohibition/restriction on personal use of social media during working hours;

• creation of a portal to highlight possible social media misuse by an employee and to raise any grievances in relation thereto;

• provisions highlighting monitoring of employees’ social media use by the employer when carried out on its IT network/devices;

• requirement to comply with the employer’s other related policies such as information security policy, anti-harassment policy; and

• the consequences of breaching social media policy, ranging from warning to dismissal of the employee, depending on the severity of the act in question.

In addition to the above, an employer can set out general guidelines on use of social media such as commenting on a political event with a disclaimer that the same constitutes employee’s personal views on the matter. The policy should enable the employees to reach out to senior personnel in the organisation should there be any doubt as to whether a social media post could fall within the prohibited domain.

A strict adherence to the aforementioned provisions may be ensured by incorporating reference to social media policy into employees’ employment contracts. Breach of the social media policy may, in that case, be recognised as the breach of employment contract itself.

Disciplinary sanctions and available protective mechanisms

Apart from a social media policy, an employer may employ several legal mechanisms to protect its business interests and the interests of other stakeholders.

Anti-disparagement as misconduct

Courts in India recognise anti-disparagement as a misconduct. In M H Devendrappa v Karnataka State Small Industries Development Corporation[(1998) 3 SCC 732], the Supreme Court of India observed that any action which is detrimental to the interests of the employer ‘clearly undermines discipline within the organisation and also the efficient functioning of that organisation.’Accordingly, an employer may proceed to take appropriate disciplinary action against an employee for a social media misuse that has the potential to harm the interests of the employer, including its reputation and goodwill.

Injunction and other civil remedies

An actual or potential disclosure of the organisation’s confidential information by an employee on a social media platform may enable the employer to seek an injunctive relief from a civil court. As reiterated by the Supreme Court in Central Public Information Officer, Supreme Court of India v Subhash Chandra Agarwal [2019 (16) SCALE 40], an employee who comes into possession of the employer’s confidential information in the course of their employment is expected to act as a fiduciary and cannot disclose such information to others.

Furthermore, since adherence to the policies (including social media policy) of an employer is typically included as an requirement of the employee in the employment contract itself, any breach may result in a breach of the employment contract, and employer may raise a civil claim for damages for any loss occasioned as a consequence. In case of a disparaging statement, an employer may also pursue the civil remedy available for defamation.

Action under criminal law

In addition to the above, certain actions of employees on social media may result in an action under criminal law. The India criminal laws recognise, as offences, actions amounting to cyberstalking, sexual harassment and criminal intimidation.

Concluding remarks

In our experience, few employers have a robust enough social media policy. In many cases, this leads to a situation where the likelihood of damage being caused to the employer rises significantly. An internal mechanism in the form of a social media policy and a robust information security and control system can help employers pre-empt possible social media misuse. While this is done, endeavour should be made not to resort to intensive surveillance of social media accounts, which could increase the likelihood of an employee filing a civil claim for physical/mental harm caused as a result of such monitoring.

Employers should keep their social media policies dynamic in the sense that they may be adapted to technological and legal developments at national and international levels. Do not, for instance, lose sight of India’s Personal Data Protection Bill 2019, which deals with use/processing of both personal data and sensitive personal data of employees. The proposed law, currently pending before parliament, may have a significant impact on India’s data protection regime.