Part V: Exemptions Under DPDPA

The DPDPA, under Section 17, also provides for multiple situations where data fiduciaries are exempted from their obligations under Chapter II of the Act. There are two sets of exemptions covered under Section 17.
The first set of exemptions outlined in Section 17(1) will not apply to the obligation to comply with the Act (Section 8(1)) and the obligation to ensure reasonable safeguards of personal data collected (Section 8(5)). Notably, this cannot be prejudicial to the rights and obligations of the data principal under Chapter III, and the conditions regarding cross-border data transfer under Section 16.
The exemptions apply in the following cases:
  1. Enforcing Rights and Legal Functions – where processing is necessary for enforcing legal rights and claims. Similarly, courts, tribunals, and statutory bodies carrying out judicial, quasi-judicial, regulatory, or supervisory functions can process personal data in order to discharge those duties.
  2. Criminal Investigations/Prosecution – where personal data is required for preventing, detecting, investigating, or prosecuting offences or violations of law, the Act's obligations do not apply. This ensures that law enforcement agencies are not obstructed by procedural consent requirements when dealing with criminality.
  3. Extra-territorial Processing – if data principals are not located in India, but their data is processed in India under a contract with a foreign party, the obligations of Chapters II-III and Section 16 will not apply. This provision is primarily aimed at outsourcing and cross-border service arrangements, allowing Indian service providers to handle foreign data without being bound by Indian rights and duties. However, note that where an Indian data principal's data is processed abroad, the protections offered under the Act continue to apply.
  4. Corporate Restructuring – personal data can also be processed outside the consent framework where it is necessary for schemes of merger, amalgamation, demerger, reconstruction, or transfer of undertakings, provided these are approved by a competent court, tribunal, or authority under law. In practice, this means due diligence and restructuring exercises are not hampered by the Act. However, since the competent court (often the NCLT/NCLAT) does not examine the nature of the personal data involved, this may create a new set of risks. Prudence with respect to how sensitive personal data (at least) is protected is an important consideration.
  5. Information Regarding Default – where the data is processed to ascertain the financial information, assets and liabilities of a person who has defaulted on a loan from a registered financial institution, as long as the disclosure and processing comply with the existing laws on the subject.
The second set of exemptions, under Section 17(2), operates at the level of the Act as a whole rather than of specific provisions:
  1. National Security and Sovereignty – the Central Government retains broad power to exempt processing carried out by notified State bodies in the interests of sovereignty, security of the State, friendly relations with foreign States, public order, or preventing incitement to cognizable offences. Where such a State body furnishes data to the Central Government, the processing by the Government itself is also exempt.
  2. Research Exemptions – public-interest uses of data in research, archiving, and statistical analysis are exempted. If the data is not used to take decisions affecting individuals, and the processing is conducted in line with prescribed standards, these activities are exempt from compliance.
Apart from these broad sets, Section 17(3) provides that in some cases, the obligations for mandatory notice (Section 5), ensuring completeness and accuracy of data in case of processing that impacts the principal (Section 8(3)), storage limitation (Section 8(7)), Significant Data Fiduciary (Section 10) and Right of Access (Section 11) shall be relaxed by the Central Government for specific classes of fiduciaries as may be notified. This exemption is aimed at reducing compliance burdens on smaller entities and enabling innovation.
Section 17(4) further states that if the State or any of its bodies processes data in pursuance of its functions, the provisions on storage limitation (Section 8(7)) and the Right to Erasure (Section 12(3)) shall not apply. Furthermore, where the processing does not directly impact the data principal, the Right to Correction of data (Section 12(2)) shall not apply either.
The GDPR is quite flexible in granting Member States the power to restrict the scope of the obligations and rights it provides for, and, under Article 23(1) read with Recital 73, recognizes the following as valid (but non-exhaustive) grounds for such restrictions:
  • National security;
  • Defence;
  • Public security;
  • Investigation and prosecution of criminal offences;
  • Economic, financial or other matters of public good;
  • Protection of judicial independence and judicial proceedings;
  • Prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  • Protection of the data subject or the rights and freedoms of others;
  • Enforcement of civil law claims.
As a matter of balance, Article 23(2) requires that in case of such limitations being implemented, certain information must be communicated along with such legislative changes, specifically: why and how data will be processed, what data and controllers are involved, the extent of restrictions, safeguards against misuse, how long the data will be stored, risks to individuals' rights, and whether people will be informed about the restriction (unless telling them would undermine its purpose).
When read with Recital 73, we understand that laws limiting data rights must both (i) specify in detail the scope and safeguards of the restriction, and (ii) ensure that such restrictions are only applied when necessary and proportionate in a democratic society. Restrictions can cover rights such as access, rectification, erasure, portability, objection, profiling, or breach notification, but only for legitimate aims as discussed. Any such measure must comply with fundamental rights standards under the EU Charter and the European Convention on Human Rights.
Implementation of the necessity and proportionality principles in India is important. Given that Puttaswamy upheld the Right to Privacy as a fundamental right, restrictions on the Article 21 right must be reasonable and must satisfy the proportionality test – i.e., the Court held that any such restriction must satisfy the following four conditions:
a) The action or restriction must be based on a valid law.
b) The law must pursue a legitimate state aim. This ensures that the state is not acting arbitrarily and has a justifiable purpose for the restriction.
c) The measure taken must have a rational connection to the purpose it seeks to achieve. It must be a suitable and effective means of accomplishing the legitimate aim.
d) The measure must be the least restrictive means available to achieve the purpose. If there is a less intrusive way to accomplish the same goal, the more restrictive measure will be considered unconstitutional.
However, despite these existing constitutional principles, the letter of the law provides inadequate mechanisms for applying them. That is, while GDPR Article 23(2) requires laws imposing restrictions to spell out scope, purpose, categories of data, risks, safeguards, and storage limits, the DPDPA lacks such a structured framework. Exemptions are listed broadly but without parallel obligations defining how safeguards must operate. Adding a mandatory specification of safeguards and risks when invoking exemptions would build accountability and transparency, and would effectively implement the Puttaswamy judgement in the letter of the law.