top of page

Data Privacy Counsultant

Exemptions Under the Digital Personal Data Protection (DPDP) Act, 2023

  • Writer: Davies Parker
    Davies Parker
  • Mar 12
  • 3 min read

Introduction

The Digital Personal Data Protection (DPDP) Act, 2023, and the Digital Personal Data Protection Rules, 2025 establish a comprehensive legal framework to regulate personal data protection in India. While the Act emphasizes the importance of data privacy, security, and compliance, it also recognizes the need for certain exemptions that allow specific entities to process personal data without strictly adhering to all provisions. Understanding these exemptions is crucial for businesses, government agencies, and individuals. These exceptions shape compliance obligations and influence operational strategies.

Key Exemptions Under the DPDP Act, 2023

Let’s decode the exemptions granted by India’s first comprehensive legislative framework for data protection-

Exemptions for Government Agencies and National Security Concerns

To ensure that national security, sovereignty, and public order are not compromised, the DPDP Act grants certain exemptions to government agencies. As per Section 17(2)(a), the Central Government has the authority to exempt certain agencies from compliance obligations if their data processing activities are deemed necessary for safeguarding the sovereignty, integrity, or security of the state, maintaining friendly relations with foreign nations, or preserving public order. These exemptions allow government entities to carry out operations without being hindered by compliance requirements that may slow down critical functions. For private entities handling data in collaboration with the government, there may be a reduced compliance burden.

Standards for Processing by State and its Instrumentalities and for Specified Purposes

Section 17 (2) (a) of the DPDPA exempts the processing of personal data by a state instrumentality notified by the Central Government for sovereignty, security, foreign relations, public order, or crime prevention from fulfilling certain obligations under the Act. However, these exemptions are subject to the conditions outlined in the Schedule 2 of the Draft Rules, which include limiting personal data to what is necessary and implementing reasonable security safeguards to prevent data breaches. Similarly, processing activities by the state and its instrumentalities are done based on legitimate uses outlined under Section 7 of the Act, one of the legal bases for processing information under the DPDPA. In such cases, consent of the data principle is not required. According to Section 7, the State and its instrumentalities may process a Data Principal’s personal data to provide prescribed subsidies, benefits, services, certificates, licenses, or permits, either with prior consent or if the data exists in a notified database as long as it fulfils the standards laid out in Schedule 2 of the Draft Rules.

Exemptions for Research, Archiving, and Statistical Purposes

Recognizing the importance of research and data-driven insights in fostering innovation, the DPDP Act provides relief for organizations engaged in research and statistical analysis. Section 17(2)(b) states that personal data can be processed for research, archiving, or statistical purposes, provided that such data is not used to make decisions that directly affect data principals. The same is reinforced by Rule 15 under the DPDP Rules 2025. It is also emphasized that processing for the above mentioned purposes must be done in accordance with the standards laid down under Schedule 2 of the Draft Rules. This exemption benefits universities, think tanks, and analytics firms, allowing them to work with large datasets without facing stringent compliance obligations.

Exemptions for Startups and Certain Data Fiduciaries

Acknowledging the challenges faced by startups and small enterprises, the DPDP Act includes provisions to ease compliance burdens for certain data fiduciaries based on the scale and nature of data processing. Section 17(3) allows the government to grant exemptions to specific data fiduciaries including startups from selected provisions of the Act. This exemption is based on the volume and nature of data processes. In addition to this, certain other exceptions stem from the Act.

  • Startups are not required to issue detailed notices to data principals before processing their data, helping them streamline operations without excessive paperwork.

  • Unlike larger organizations, startups are not mandated to ensure the accuracy and completeness of personal data.

  • Eligibility Criteria for startups: These exemptions apply to startups that meet specific government-defined criteria.

 
 
 

Recent Posts

See All

Comments

bottom of page