Authored By: Kriti Dhiman
Maharaja Surajmal Institute, Affiliated to GGSIPU, Delhi
ABSTRACT
In India, using corporate software for personal projects can lead to losing ownership of intellectual property under the Copyright Act of 1957, breaking employment contracts and possibly facing criminal charges under the IT Act of 2000.
This analysis further examines the “Duty of Fidelity” embedded in employment contracts, highlighting how the unauthorized utilization of proprietary tools engenders a conflict of interest that warrants termination. It also talks about the relevant provisions under the Bharatiya Nyaya Sanhita and how the meaning of “entrustment” has changed to include digital licenses and software-as-a-service (SaaS) environments.
INTRODUCTION
It is common for employees to use business software for personal projects, but this can be risky from a legal point of view. Even though this kind of use might be helpful for employees, it can cause problems with intellectual property, data security, and liability. Understanding these risks, applicable case law, and practical remedies is crucial for organizations seeking to reduce harm and protect their assets.
The Copyright Act of 1957 in India has very strict rules that can make these actions into a business asset or a crime.
The “Digital India” initiative has sped up the digitization of the Indian economy, making it harder to tell the difference between personal and work computers. As more and more employees work from home using company-provided Virtual Private Networks (VPNs) and cloud-based suites, the “tools of the trade” are no longer just things you can touch; they are also permissions. Because of this overlap in technology, there is a “grey zone” where an employee’s creative work is always at risk of being taken over by the legal idea of corporate ownership.[1]
The contemporary ‘work-from-anywhere’ culture has effectively dismantled the physical boundaries of the office, yet the legal boundaries of ‘entrustment’ remain more rigid than ever. As employees increasingly utilize cloud-based SaaS (Software as a Service) environments and proprietary IDEs for private endeavours, they inadvertently trigger the ‘Doctrine of Resource Linkage’. This doctrine suggests that the more specialized and expensive the corporate tool utilized, the stronger the legal presumption that the resulting work-product belongs to the employer. In the Indian context, where the Digital Personal Data Protection Act (DPDPA), 2023 [2], grants employers broad ‘Legitimate Use’ exceptions for surveillance, the expectation of privacy in a personal ‘side-hustle’ is not just diminished; it is effectively waived.[3]
THE DOCTRINE OF “WORK MADE FOR HIRE” AND IP OWNERSHIP
The biggest risk is losing ownership of a personal project. According to Section 17 of the Indian Copyright Act, 1957, the employer is usually the first owner of any work created during employment under a contract of service. Although an employer is generally the first owner, a “Contract of Service” transfers this right to the employer if the work happens during employment.
The difference between a “contract of service” and a “contract for services” is still the most important thing when it comes to IP ownership. The employer’s claim is based on the work being done within the “scope of employment,” according to Section 17(c)[4]. But using company software is a strong piece of evidence that can even bring in unrelated “side projects.” The courts have been leaning more and more toward a “resource-linkage” test. This means that if an employee uses a special, expensive corporate license, it is assumed that the work was part of their official duties, no matter when it was done.[5]
MISUSE OF DIGITAL ENTRUSTMENT UNDER SECTION 316 BNS
The amendment of the Information Technology (IT) Act, 2000 to the Bharatiya Nyaya Sanhita (BNS), 2023 demonstrates a contemporary revision in Indian criminal law on the misuse of digital resources.
The legal risk is separated under the IT Act. Section 43 provides a means of pursuing civil damages for unauthorized access to, or obtaining of, data. These actions are a crime under Section 66 when performed with a dishonest or fraudulent purpose, such as creating a rival product using company software.[6]
The BNS, 2023, adds to this by setting up the principle of entrustment in Section 316 (Criminal Breach of Trust). In this case, the employee is legally granted the right to use software licenses for work only. These valuable resources should not be used to carry out personal projects, lest they give rise to criminal charges.
Similarly, Section 303 (Theft) has been expanded by judicial interpretation to cover the wrongful transfer of intangible digital property in an unscrupulous manner.[7]
This is anchored in Abhinav Gupta v. State of Haryana (2008)[8], in which the court refused to grant anticipatory bail to a staff member who sent confidential company design information to a third party, stating that custodial interrogation was necessary to understand how the digital theft had been committed. The decision makes intangible property just as subject to protection as movable property.
Section 316 of the Bharatiya Nyaya Sanhita, 2023 is especially powerful because it makes it illegal to “dishonestly misappropriate” property that someone has given to another person[9]. An employee is a “custodian” of software licenses in the digital world. When employees use these licenses for their own benefit, the conduct fits the classic definition of a criminal breach of trust. In addition, Section 66 of the IT Act adds a second layer of responsibility. If an employee breaks security rules to use software for personal projects that aren’t allowed, they could be charged with “hacking” or other computer-related crimes, which can lead to up to three years in prison.[10]
VICARIOUS LIABILITY AND SHOP RIGHTS
Even when an employee manages to prove that he or she is the owner of the IP, the employer can still have a Shop Right. It is a non-exclusive, royalty-free license, arising by implication, for the employer to use the invention because it was devised with the use of company resources. Also, there is the principle of vicarious liability (respondeat superior), which implies that the company is liable for the actions of its employees conducted in the course of their work.
In State Bank of India v. Shyama Devi[11], the Supreme Court made it clear that the extent of vicarious liability can be limited: the act must be carried out while performing the employer’s business for the employer to be held vicariously liable. But when an employee’s personal project on company software includes illegal data scraping or copyright violation, the boundaries of business scope become very thin, which invites litigation against the employer.
The idea of “Shop Rights” is a middle-ground equity doctrine. In rare cases, it lets an employee keep the rights to a patent or copyright, but it prevents them from stopping their employer from using that invention if company time or materials were used. This makes the employee’s personal project less valuable because they can’t give “exclusive” licenses to other people while the employer has a royalty-free right to use it. From the employer’s point of view, the risk of vicarious liability is still a deterrent. If an employee’s personal project on a company laptop breaks the privacy or copyright of a third party, the company could be sued under the “deep pockets” theory.[12]
DATA PRIVACY AND WORKPLACE SURVEILLANCE
Mixing personal projects with company software effectively waives an employee’s expectation of privacy. Under Indian law, the Digital Personal Data Protection Act (DPDPA), 2023, allows for the processing of personal data for “certain legitimate uses,” which includes the prevention of corporate espionage or system misuse.
According to International Labour Organization research, with the growing digitalization of the workplace, ubiquitous surveillance is becoming a normal working practice, leaving workers unable to assert privacy over the personal data held on corporate servers.
This is exacerbated by the fact that, whilst most jurisdictions offer general rights of privacy, they give inadequate or sporadic protection of such rights when those rights conflict with the employer’s right to protect its licensed software environment.
The Digital Personal Data Protection Act (DPDPA), 2023, has introduced a “Legitimate Use” exception under Section 7[13], which significantly favors employers. It allows for the processing of personal data without explicit consent for “the purpose of employment” or to “prevent loss or liability.” This means that an employee cannot use the DPDPA to block an employer from auditing their computer for personal projects if that audit is framed as a security measure. This creates a “transparency deficit” where the employee’s digital footprint is entirely visible to the firm, but the firm’s monitoring criteria remain proprietary and opaque.[14]
CONCLUSION
To mitigate the “double-edged sword” of digital productivity, organizations must implement robust IT usage policies and explicit intellectual property assignment clauses to eliminate ownership ambiguity. Conversely, employees should strictly segregate personal ventures from corporate infrastructure to avoid criminal breach of trust under the BNS. Ultimately, obtaining a written “No Objection Certificate” (NOC) remains the most effective safeguard for protecting a “side hustle” from being legally absorbed as a corporate asset.
To navigate this “digital grey zone,” organizations must transition from broad oversight to precise contractual demarcation. Recent legal scholarship emphasizes that well-drafted intellectual property clauses, which explicitly incorporate “carve-outs” for pre-existing or unrelated personal projects, are the primary defense against protracted ownership litigation. Furthermore, as highlighted by the International Labour Organization, technical safeguards such as “Bring Your Own License” (BYOL) practices should be encouraged. This ensures that an employer’s legitimate use for workplace surveillance—aimed at protecting proprietary assets—is balanced against the employee’s fundamental right to data privacy, thereby reducing the likelihood of criminal allegations.[15]
References:
[1] V. Jain, Digital Governance and the BNS: Redefining Employee Liability, 12 J. Indian Legal Stud. 88, 92 (2025).
[2] The Digital Personal Data Protection Act, 2023, Section 7, No. 22, Acts of Parliament, 2023 (India).
[3] Halefom Abraha, Navigating Workers’ Data Rights in the Digital Age, ILO Working Paper 149 (2025).
[4] The Copyright Act, 1957, Section 17(c), No. 14, Acts of Parliament, 1957 (India).
[5] M. Sharma & R. Gupta, The Side-Hustle Shield: Protecting Personal IP in Corporate India, 18 Indian J. Intell. Prop. L. 112, 115 (2025).
[6] The Information Technology Act, 2000, Section 66 (India).
[7] The Bharatiya Nyaya Sanhita, 2023, Sec. 316, Sec. 301, 2023 (India).
[8] 2008 Criminal L.J. 4536 (P&H).
[9] The Bharatiya Nyaya Sanhita, 2023, Section 316, No. 45, Acts of Parliament, 2023 (India).
[10] The Information Technology Act, 2000, Section 66, No. 21, Acts of Parliament, 2000 (India).
[11] State Bank of India v. Shyama Devi, AIR 1978 SC 1263.
[12] A&O Shearman, How to Capture IP Created by Employees and Contractors, A&O Shearman Legal Insights (Jan. 14, 2024).
[13] The Digital Personal Data Protection Act, 2023, Section 7, No. 22, Acts of Parliament, 2023 (India).
[14] Halefom Abraha, Navigating Workers’ Data Rights in the Digital Age: A Historical, Current, and Future Perspective on Workers’ Data Protection, ILO Working Paper 149, 24 (2025).
[15] Halefom Abraha, Navigating Workers’ Data Rights in the Digital Age: A Historical, Current, and Future Perspective on Workers’ Data Protection, ILO Working Paper 149, 24 (2025).





