Section 17 DPDPA

Exemptions.


17.(1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where—
(a) the processing of personal data is necessary for enforcing any legal right or claim;
(b) the processing of personal data by any court or tribunal or any other bodyin India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function;
(c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India;
(d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India;
(e) the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and
(f) the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.
Explanation.—For the purposes of this clause, the expressions “default” and “financial institution” shall have the meanings respectively assigned to them in sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code, 2016.

Illustration.

X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly loan repayment instalment on the date on which it falls due. Y may process the personal data of X for ascertaining her financial information and assets and liabilities.

(2) The provisions of this Act shall not apply in respect of the processing of personal data—

(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.
(3) The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of section 8 and sections 10 and 11 shall not apply.

Explanation.—For the purposes of this sub-section, the term “startup” means a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.
(4) In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply.

(5) The Central Government may, before expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.

Applicable DPDP Rule 2025

Rule 15: Exemption from Act for Research, Archiving or Statistical Purpose

Section 18 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 17 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

Section 17 of the Digital Personal Data Protection Act, 2023 (India) lays out scenarios where certain obligations under the Act may not fully apply, or where Data Fiduciaries and Data Processors may be exempt from complying with specific provisions. These exemptions reflect the legislature’s recognition that applying every privacy protection to all situations might not always be practical or in the public interest. By defining explicit exemptions, Section 17 balances the fundamental right to privacy with other critical societal objectives such as national security, law enforcement, research, and public interest journalism.

Key Provisions of Section 17

1. Certain Legitimate Uses and Circumstances

Section 17 identifies categories of processing activities or contexts in which compliance with all or some obligations of the Act may not be required. These can include:

  • National Security and Public Order: If personal data processing is necessary for India’s sovereignty, integrity, or security, certain obligations may be relaxed.
  • Prevention, Detection, Investigation, and Prosecution of Offences: Law enforcement agencies handling crime-related data might be granted flexibility in applying consent requirements or other obligations.
  • Judicial Functions and Legal Proceedings: Courts or judicial bodies may process personal data without adhering to all data protection obligations when required for the administration of justice.
  • Research, Archiving, and Statistics: Data processing activities for historical research, statistical analysis, or archival purposes may have limited obligations, provided they serve the public interest and include appropriate safeguards.

2. Conditions and Safeguards

Even in exempted scenarios, Section 17 typically does not provide a blanket waiver. It expects that:

  • The exemption is applied only to the extent necessary for the purpose at hand.
  • Reasonable security safeguards remain to prevent misuse.
  • The exemption does not completely strip the Data Principal of all protections; core principles like preventing unauthorized disclosure and ensuring data security often still apply.

3. Proportionality and Necessity

The underlying principle is proportionality. The processing and corresponding exemption should be no more intrusive than necessary. Exemptions must be narrowly tailored to achieve the intended legitimate objective without unduly compromising individual privacy rights.

4. Governmental and Institutional Oversight

In contexts like national security or policing, government or designated authorities may oversee or regulate the extent and manner of data processing. This ensures exemptions are not misused or invoked arbitrarily.

Legal Interpretation

Balancing Competing Interests:
Section 17 exemplifies the Act’s attempt to balance the right to privacy with other societal imperatives. It recognizes that absolute privacy protections might hinder effective governance, public safety, scientific progress, or the fair administration of justice.

Limited Scope and Purpose:
Exemptions serve specific public interest purposes. They are not a free pass but a careful carve-out to ensure that the Act’s privacy protections do not impede essential functions.

Aligning with Global Practices:
Other data protection frameworks, like the EU’s GDPR, also have exemptions for law enforcement, public interest research, and more. Section 17 aligns with these global standards by providing necessary carve-outs while retaining a rights-based approach.

Illustrations

1. National Security and Intelligence Agencies

Scenario:
A government intelligence agency monitors communications to prevent a terrorist attack.

Application:
The agency may be exempt from obtaining consent or providing detailed notices. However, the exemption only applies to the extent necessary. Unrelated personal data or unnecessary disclosure should be avoided.

2. Criminal Investigations by Law Enforcement

Scenario:
Police investigating a cybercrime ring may process suspect data without fulfilling all data principal rights.

Application:
The exemption ensures investigations are not hampered, but the police cannot arbitrarily use or disclose the data outside the scope of the investigation.

3. Judicial Proceedings

Scenario:
A court handling a sensitive case uses personal financial and health records as evidence.

Application:
The court may be exempt from granting certain rights during the trial to maintain the integrity of proceedings, but it must still protect data from unauthorized disclosure.

4. Public Interest Research and Archival Activities

Scenario:
A research institute uses historical census data for demographic studies.

Application:
The institute may not need consent from every individual listed in decades-old records. Still, it must not misuse the data for commercial purposes or compromise privacy.

Significance and Broader Impact

Effective Governance and Public Safety:
Exemptions allow law enforcement, national security operations, and judiciary to function efficiently without excessive procedural constraints, ensuring public interests are upheld.

Facilitating Knowledge and Innovation:
Exemptions for research and archival activities ensure privacy laws don’t stifle intellectual progress or the understanding of social trends.

Ensuring Trust through Transparency and Oversight:
Although obligations are relaxed, oversight and regulation ensure exemptions aren’t misused. This maintains public trust in the data protection framework.

Conclusion

Section 17 of the DPDP Act, 2023 recognizes the complexity of real-world scenarios and the need for flexibility within a robust data protection regime. By granting narrowly tailored exemptions, the law allows critical state functions, public interest research, and the judicial process to continue unimpeded. At the same time, these exemptions are regulated and monitored, ensuring that the fundamental right to privacy remains a guiding principle in India’s data protection landscape.

© 2024 Advocate (Dr.) Prashant Mali