New York bars employers from snooping private social media of employees : Potential Ripple Effects in India
- Anhad Law
- Aug 20
- 6 min read
On September 14, 2023, New York Governor signed a law namely Assembly Bill 836 (A.836) (“New York Law”) prohibiting an employer from requesting or requiring that an employee or applicant for employment disclose any username, password, or other means for accessing a personal account or service through specified electronic communications devices. This legislation, effective March 12, 2024 aims to protect individual privacy in the digital age.
The objective of the New York Law provides as under:
“Employers are beginning to use various types of new tools in decisions dealing with the hiring and disciplinary actions regarding prospective and current employees. Recently, there have been reports of employers demanding login information, including username and password information to popular social media websites such as Facebook, Twitter as well as login information to email accounts and other extremely personal accounts. This information is being used as a condition of hiring, as well as promotions, lateral movement within companies and in matters relating to disciplinary action including, but not limited to, firing of individuals.
This type of request can lead to issues of unfair and discriminatory hiring and admissions practices and constitutes a serious invasion of privacy on the behalf of the employer. Employees have the right to make this information either public or private through the websites and they should have every right to maintain this privacy when it comes their workplace or during an interview or admissions process.
In these economic times many people do not have the option to walk away from a job and are forced to submit to this request for fear they will not be hired otherwise. This bill would remedy this issue and leave consumers with their right to privacy and reduce the risk of unfair and discriminatory hiring.”
The New York Law and its Implications
The New York Law restricts employers from accessing private information of employees or potential hires through their personal social media accounts. This includes usernames, passwords, and any content posted on these platforms. The law also prohibits employers from forcing individuals to access their accounts in their presence or reproduce any information from them. This move aims to create a clearer boundary between an individual's professional and personal life online.
“Employer” is defined in New York Law broadly to include any persons or entities engaged in business in New York State, including their agents, representatives, and designees. A “personal account” refers to an account used exclusively for personal purposes.
The New York Law provides that it shall be unlawful for any employer to request, require or coerce any employee or applicant for employment to:
(i) disclose any username and password, password, or other authentication information for accessing a personal account through an electronic communications device;
(ii) access the employee's or applicant's personal account in the presence of the employer;
(iii) reproduce in any manner photographs, video, or other information contained within a personal account obtained by the means prohibited in this paragraph.
An employer may require an employee to disclose any username, password or other means for accessing nonpersonal accounts that provide access to the employer's internal computer or information systems. The expression "access", however, shall not include an employee or applicant voluntarily adding an employer, agent of the employer, or employment agency to their list of contacts associated with a personal internet account.
The New York Law further prohibits an employer from discharging, disciplining, or otherwise penalizing or threatening to penalize an employee for refusing to disclose information covered by the law. Similarly, an employer is prohibited from refusing to hire an applicant as a result of their refusal to disclose such information.
Anhad Law’s Perspective
With regard to potential impact of New York law on India, while the New York law directly impacts the employer-employee dynamic in New York, it could potentially have indirect consequences for India, a nation dealing with similar concerns around online privacy and data protection.
Currently India does not have a specific and comprehensive legislation on employee surveillance/ employee monitoring except for relevant statute concerning data protection contained in Digital Data Protection Act, 2023 (still not enforced for want of enforcement date), Information Technology Act, 2000, as amended, and rules issued thereunder, namely, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
SPDI Rules protect employees from access to or use by an employer of the employee’s sensitive personal data or information in violation of SPDI Rules. The term “sensitive personal data or information” is defined in the SPDI Rules to mean personal information which consists of information relating to, among other things: passwords, physical, physiological and mental health conditions, bank account details, medical records and biometric information, etc.
In India private and public organizations use audio & video recording devices, namely CCTVs, to monitor premises and detect unlawful activities in public spaces, yet there are no clear regulations as to the circumstance and manner in which devices such as CCTVs can be employed. In some cases individuals are notified that a device is being used to monitor the premise, and in other cases, no notice is given, and the individual is left unaware of the recording. In one of the decision titled Raptakos Brett Employee's Union vs. The Deputy Commissioner of Labour[1], the Madras High Court in the year 2014 noted that there were 38 CCTVs installed in the factory by employer to keep a watch whether the workers were working or idling. The Court, however, merely directed the employer to remove the CCTV cameras from the employees’ rest room. Thus, the lack of established procedure over the use of audio & video recording devices has resulted in the unclear situation.
In recent times, the legal mechanism to deal with data protection/employee monitoring in India has stemmed from the judgment of the nine Judge Constitutional Bench of the Supreme Court, in the matter of Justice K.S. Puttaswamy and another Vs. Union of India[2] wherein the Supreme Court clarified that any law that encroached upon the right to privacy would be subject to constitutional scrutiny, and would have to meet the three-fold requirement for:
• legality;
• necessity; and
• proportionality.
Therefore, till the enactment of any legislation, prior to initiating any actions for employee surveillance such as seeking sharing of social media account passwords, installing surveillance camera at workplace, tracking of IP address by installing a device on the laptop/desktop and command to keep it on during work timings and take pictures or to take pictures to ensure and detect if employee or unknown person or multiple persons are on desk, an employer would be generally required to consider whether:
· the employees have been notified of such monitoring requirements / aspects;
· the consent of employees has been procured;
· the proposed activity is necessary, and if so, the legal grounds that apply;
· the proposed activity is fair to the employees;
· the proposed activity is proportionate to the concerns raised or involved; and
· the proposed activity is transparent;
To conclude, while the New York Law applies solely to New York state, it could spark conversations and potentially influence policy changes in India which may include:
Increased Scrutiny of Employer Practices: The New York law might encourage Indian employees and job seekers to be more aware of their rights and question employers' attempts to access their personal social media. This could lead to increased scrutiny of existing practices in India, where some employers might still unofficially use social media screening during recruitment or as part of employee monitoring.
Increased Focus on Data Protection: India already has its own data protection framework, the Digital Personal Data Protection Act, 2013 (DPDP Act) currently awaiting enforcement date. The New York law's emphasis on individual privacy online could strengthen arguments for stricter data protection regulations in India, potentially accelerating the implementation of the DPDP.
Shift in Employer-Employee Relations: Indian companies, particularly those with multinational operations involving New York branches, may need to review their policies regarding employee social media accounts and adapt their policies to comply with both local and international regulations.
Rise of Employee Awareness: News of the New York law, coupled with ongoing discussions around the DPDP Act in India, could raise awareness among Indian employees about their rights and boundaries regarding online privacy. This could empower individuals to question employer practices and demand greater transparency regarding data collection and usage.
New York Law serves as a reminder of the interconnectedness of the globalized world and how legal developments in one region can influence discussions and policy changes in others, especially in the realm of online privacy and data protection.
The coming months will be crucial in observing how the New York Law unfolds and whether it triggers any significant changes in India's approach to employee social media access and individual data privacy.
[2] [(2017) 10 SCC 1]