
DPDPA Section 17: Exemptions from the Act

Abhi Anand
24 February 2026

Section 17 - The Boundaries of Data Protection

Every data protection law must define its boundaries - the circumstances where the protective framework yields to other compelling interests. Section 17 of the Digital Personal Data Protection Act, 2023, defines these boundaries for India. It is the most extensive and arguably the most controversial section of the Act, providing a wide range of exemptions from its provisions.

Section 17 empowers the Central Government to exempt certain processing activities from the Act entirely or from specific provisions, based on considerations of national security, sovereignty, public order, and other state interests. It also provides specific exemptions for state instrumentality functions, approved research and archival purposes, startup operations, legal right enforcement, criminal investigation, and judicial proceedings.

Understanding Section 17 is essential for two reasons. First, organisations - particularly government agencies and their contractors - need to know when exemptions apply to their processing activities. Second, all organisations need to understand the limits of the protective framework they are operating within, because exemptions mean that Data Principal rights may not apply in certain contexts.

Section 17(1): The Sovereign Exemption Power

Section 17(1) provides the broadest exemption - the Central Government may, by notification, exempt any instrumentality of the State from the application of the Act or any provision thereof in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to any cognisable offence relating to these matters. This provision gives the Central Government blanket power to exempt government agencies and their instrumentalities from any or all provisions of the DPDPA. The exemption grounds mirror the reasonable restrictions permitted under Article 19(2) of the Constitution of India on the right to freedom of speech and expression.

However, the breadth of this power has drawn significant criticism. Unlike the GDPR, which requires member states to provide specific, proportionate exemptions with appropriate safeguards, Section 17(1) allows wholesale exemption without prescribing any proportionality test, necessity requirement, or safeguard conditions. Critics argue that this effectively allows the Government to exempt its own surveillance, mass data collection, and processing activities from data protection obligations. Defenders counter that national security requires flexibility and that judicial review remains available if exemptions are exercised unreasonably.

  • Sovereignty and integrity of India - territorial and constitutional protection
  • Security of the State - intelligence, defence, and counter-terrorism functions
  • Friendly relations with foreign States - diplomatic and treaty obligations
  • Maintenance of public order - law and order and civil disturbance contexts
  • Preventing incitement to cognisable offences related to the above

Section 17(2)(a): State Instrumentality Functions

Section 17(2)(a) exempts the processing of personal data by an instrumentality of the State where such processing is necessary for the performance of any function authorised by law for the provision of any service or benefit to the Data Principal. This exemption recognises that government agencies process vast amounts of personal data in delivering public services - from Aadhaar-linked welfare distribution to tax administration, public healthcare, education, and civil registration. Requiring granular consent for every government function could paralyse essential public services. However, this exemption is qualified - it applies only where the processing is 'necessary' for the performance of a function 'authorised by law'. An instrumentality of the State cannot claim this exemption for processing that goes beyond what is necessary for the authorised function or for processing that serves purposes unrelated to the statutory function. For example, a municipal corporation collecting property records for tax assessment is performing a function authorised by law. But if it shares that data with commercial entities for marketing purposes, the exemption would not apply to the commercial sharing because it is not necessary for the authorised function. The word 'necessary' imposes a proportionality constraint - the processing must be required, not merely convenient, for the authorised function.

Section 17(2)(b): Research, Archival, and Statistical Purposes

Section 17(2)(b) exempts processing of personal data necessary for research, archiving, or statistical purposes, subject to conditions that the Central Government may prescribe. This exemption is critical for academic institutions, research organisations, statistical bodies, and the scientific community. Data-intensive research - in public health, economics, social science, and emerging technologies - often requires processing large volumes of personal data in ways that may be impractical to conduct under full consent-based regimes. The exemption acknowledges that societal benefit from research and evidence-based policy-making - a key priority identified by NITI Aayog - may sometimes outweigh individual consent requirements. However, the exemption is not unconditional. The Central Government can prescribe conditions, which are likely to include anonymisation or pseudonymisation requirements, ethics committee approval for research involving sensitive data, restrictions on re-identification, data security requirements, and limitations on commercial use of research outputs. International best practices - including the GDPR's research exemption under Article 89 - require appropriate safeguards for rights and freedoms of Data Principals, typically including technical and organisational measures to ensure data minimisation. India's rules are expected to adopt a similar approach, requiring that research processing implement safeguards proportionate to the risks involved.

  • Covers academic research, scientific research, and statistical analysis
  • Includes archival purposes in the public interest
  • Central Government may prescribe conditions including anonymisation and ethics approval
  • Commercial use of research outputs may be restricted
  • Proportionate safeguards will be required to protect Data Principal interests

Section 17(2)(c): Startup Exemptions

Section 17(2)(c) allows the Central Government to notify certain classes of startups as exempt from certain provisions of the Act. This is a uniquely Indian provision - no other major data protection law provides blanket exemptions for startups. The rationale is that India's vibrant startup ecosystem, with over one hundred thousand recognised startups, could be disproportionately burdened by full compliance obligations, especially in early stages when resources are limited and business models are evolving. The Government recognises that imposing the same compliance requirements on a two-person fintech startup as on a multinational bank would be neither practical nor equitable. However, this exemption has drawn criticism on several fronts. Privacy advocates argue that startup status should not determine the level of data protection afforded to individuals. A Data Principal whose data is processed by a startup deserves the same protection as one whose data is processed by a large corporation. The counter-argument is that graduated compliance - where startups are exempt from certain procedural requirements while still meeting core obligations - better serves both innovation and data protection than a one-size-fits-all approach. The specific classes of startups eligible for exemption and the provisions from which they will be exempt await Government notification. The exemptions are likely to be tiered based on factors such as revenue, data volume, and processing activities.

Section 17(2)(d)-(e): Legal Rights and Law Enforcement

Section 17(2)(d) exempts processing necessary for enforcing any legal right or claim. This recognises that individuals and organisations sometimes need to process personal data to pursue or defend legal proceedings. For example, an employer may need to process employee data to defend against a wrongful termination claim, or a creditor may need to process debtor information to enforce a loan agreement. Without this exemption, parties to litigation could use data protection rights strategically to prevent the other side from accessing or using relevant evidence.

Section 17(2)(e) exempts processing necessary for the prevention, detection, investigation, or prosecution of any offence or contravention of any law. This is the law enforcement exemption - it ensures that police, intelligence agencies, prosecution services, and regulatory enforcement bodies can process personal data as needed for their law enforcement functions without being constrained by consent requirements, purpose limitation, or Data Principal rights that could obstruct investigations. This exemption is standard in data protection laws worldwide - the GDPR excludes law enforcement processing from its scope entirely, subjecting it instead to the separate Law Enforcement Directive. India's approach of providing an exemption within the same Act is simpler but provides less structured safeguards for data processed in law enforcement contexts.

  • Section 17(2)(d) - enforcement of any legal right or claim in judicial/quasi-judicial proceedings
  • Section 17(2)(e) - prevention, detection, investigation, and prosecution of offences
  • Covers police, intelligence, prosecution, and regulatory enforcement functions
  • Prevents strategic use of data protection rights to obstruct legal proceedings
  • No structured safeguards prescribed - unlike the EU's Law Enforcement Directive

Section 17(2)(f) and 17(3): Courts and Foreign State Processing

Section 17(2)(f) exempts processing of personal data by courts and tribunals in the discharge of their judicial functions. This reflects the fundamental principle of judicial independence - courts must be free to process personal data as needed for the administration of justice without being subject to executive oversight through the Data Protection Board. Court records, judgments, evidence, and case management systems all involve extensive personal data processing, and subjecting this to DPDPA obligations could compromise the efficiency and independence of the judicial system.

Section 17(3) addresses an international dimension - it exempts the processing of personal data of Data Principals outside India pursuant to any contract entered into with any person outside India by any person based in India or any instrumentality of the State. This provision facilitates India's massive business process outsourcing (BPO) and IT services industry, where Indian companies process personal data of foreign individuals under contracts with foreign entities. Without this exemption, Indian BPO companies processing European or American customer data could face dual regulation - by the DPDPA and by the foreign country's data protection law. For more on how cross-border data transfers work under the DPDPA, see our dedicated guide. Section 17(3) removes the DPDPA layer for such processing, leaving it subject only to the contractual obligations and the foreign country's applicable law.

Section 17(4): Exemptions for Notified Data Fiduciaries

Section 17(4) empowers the Central Government to notify certain Data Fiduciaries or classes of Data Fiduciaries for whom certain provisions of the Act will not apply or will apply with modifications. This is a flexible tool that allows the Government to create sector-specific or entity-specific compliance regimes. For example, the Government might exempt certain public sector enterprises from specific notification requirements, or modify consent obligations for healthcare providers processing emergency medical data. This provision also enables the graduated compliance approach that the DPDPA contemplates - different organisations may face different compliance obligations based on their nature, size, and processing activities - for instance, Significant Data Fiduciaries face enhanced obligations while others may receive relaxations. The Government can use Section 17(4) to create compliance tiers that recognise the diversity of India's economy. However, this flexibility also concentrates significant discretionary power in the Central Government, which can selectively exempt entities from data protection obligations. The absence of legislative criteria for exercising this discretion - beyond the general public interest - means that exemption decisions could be influenced by political or commercial considerations. Transparency in the notification process and judicial review of exemption decisions are essential safeguards against arbitrary exercise of this power. Organisations should consult the full text of the DPDPA to understand the precise scope of each exemption.

Criticism and Safeguards Needed

Section 17 has attracted more criticism than any other provision of the DPDPA. Privacy advocates, civil society organisations, and opposition parliamentarians have argued that the exemptions are too broad, too discretionary, and insufficiently safeguarded. The Supreme Court of India, in its landmark Puttaswamy judgment recognising the right to privacy as a fundamental right, established a four-part test for permissible restrictions on privacy: legality (the restriction must be sanctioned by law), legitimate aim (the restriction must serve a legitimate state interest), proportionality (the restriction must be proportionate to the aim), and procedural safeguards (there must be adequate procedural guarantees). Critics argue that Section 17 satisfies the legality requirement but falls short on proportionality and procedural safeguards. There is no requirement that exemptions be proportionate to the interest served, no time-limitation on exemptions, no independent oversight of exemption decisions, and no mandatory review or sunset mechanism. The lack of structured safeguards is particularly concerning for the sovereign exemption under Section 17(1), which could be used to exempt mass surveillance programmes from data protection oversight. Organisations should monitor judicial challenges to Section 17 exemptions and understand the penalty risks associated with misapplying exemptions, as courts may read in proportionality and safeguard requirements based on the Puttaswamy framework.

  • Exemptions criticised as overly broad and insufficiently safeguarded
  • No proportionality test required for granting exemptions
  • No time-limitation, sunset clause, or mandatory review mechanism
  • No independent oversight of Central Government exemption decisions
  • Judicial review under Puttaswamy framework may impose additional constraints
  • Organisations should monitor court challenges and evolving interpretations

How Kraver.ai Helps

Kraver.ai's compliance platform helps organisations navigate Section 17's complex exemption landscape with precision and confidence. Our exemption mapping module analyses your organisation's processing activities against each category of exemption, identifying where exemptions may apply and where full compliance obligations remain. For government agencies and state instrumentalities, the platform provides tailored compliance workflows that account for applicable exemptions while maintaining core data protection practices - because even exempt processing benefits from good data governance. Our regulatory intelligence engine tracks Government notifications regarding exemptions in real time, alerting you when new exemptions are issued, modified, or revoked. For organisations operating across multiple sectors, Kraver.ai maps the interaction between DPDPA exemptions and sector-specific regulations, ensuring that you understand where exemptions apply and where they do not. The startup compliance module provides a streamlined compliance pathway for eligible startups, implementing the provisions that apply while flagging those from which you are exempt. For organisations processing data under the law enforcement or legal rights exemptions, Kraver.ai provides documentation frameworks that demonstrate the necessity of processing for the exempt purpose - critical evidence if the application of the exemption is ever challenged. Our audit trail maintains a complete record of exemption reliance, documenting why each exemption was applied and the basis for the determination. Navigate Section 17 with clarity using Kraver.ai. Explore our full range of compliance services or contact us for a personalised assessment.
