Section 17 of the Digital Personal Data Protection Act, 2023

Comprehensive exemptions framework including research, archiving, and statistical purposes

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation. Section 17 of the DPDP Act sets out exemptions: it carves out the specific types of data processing activities to which the provisions of the legislation do not apply. The provision, read in conjunction with Rule 15 of the Draft Digital Personal Data Protection Rules, provides a detailed framework for exemptions, particularly for research, archiving, and statistical purposes.

Overview of Section 17 of the DPDP Act

Section 17 of the DPDP Act carves out several exemptions to the applicability of the legislation. The exemptions can broadly be categorized as follows:

1. Section 17(1) - Partial Exemptions

As per Section 17(1), certain provisions of the DPDP Act (Chapter II, except Sections 8(1) and 8(5), Chapter III, and Section 16) do not apply in the following circumstances:

  • Processing necessary for enforcing legal rights or claims
  • Processing by courts, tribunals, or regulatory bodies for judicial or quasi-judicial functions
  • Processing for prevention, detection, investigation, or prosecution of offenses
  • Processing of data of principals outside India under contracts entered into by persons in India
  • Processing for corporate restructuring approved by competent authorities
  • Processing to ascertain financial information of loan defaulters

2. Section 17(2) - Complete Exemptions

Section 17(2) provides for complete exemptions from the applicability of the DPDP Act. These exemptions include:

  • Processing by state instrumentalities notified by the Central Government for sovereignty, security, foreign relations, public order, or preventing cognizable offenses
  • Processing necessary for research, archiving, or statistical purposes if the data is not used for decisions specific to a Data Principal and follows prescribed standards

3. Section 17(3) - Special Exemptions for Startups and Other Entities

The Central Government can notify certain Data Fiduciaries, including startups, to be exempt from specific provisions (Section 5, Sections 8(3) and 8(7), and Sections 10 and 11).

4. Section 17(4) - Exemption to State in Cases of Certain Processing

For data processing by the State or its instrumentalities, certain provisions (Section 8(7), Section 12(3), and in some cases, Section 12(2)) do not apply.

5. Section 17(5) - Temporary Exemptions

The Central Government can declare any provision of the DPDP Act inapplicable to specific Data Fiduciaries for up to five years from the commencement of the legislation.

Overview of Rule 15 of the Draft DPDP Rules

Rule 15 of the Draft DPDP Rules elaborates on the exemption outlined in Section 17(2)(b) of the DPDP Act, concerning the processing of personal data for research, archiving, and statistical purposes. This Rule stipulates that the provisions of the DPDP Act are not applicable to such processing, provided it is necessary for these specified purposes and is conducted in accordance with the standards detailed in the Second Schedule of the DPDP Act.

This exemption will play a crucial role for various sectors including:

Academic and Scientific Research

Universities, research institutions, and laboratories can process personal data without complying with the provisions of the legislation.

Historical Archives

Organizations maintaining historical records can process personal data for archival purposes.

Statistical Analysis

Government agencies, market research firms, and other organizations can process data for statistical purposes.

Challenges

There are several challenges surrounding the exemptions granted under the DPDP Act and the Draft DPDP Rules:

1. Definition Gaps

The DPDP Act and Draft DPDP Rules do not clearly define "research," "archiving," or "statistical purposes." This creates uncertainty regarding:

  • Whether medical research, including clinical trials, falls under the "research" exemption.
  • The scope of "archiving purposes" and whether it extends to private archives.
  • What constitutes a legitimate "statistical purpose."

2. Safeguard Implementation

While the exemptions provide flexibility, the lack of clear safeguards raises concerns about potential misuse, especially of the complete exemptions under Section 17(2).

3. Government Notification Power

The broad powers granted to the Central Government to notify exemptions under Sections 17(2)(a), 17(3), and 17(5) create potential for expansive interpretation of exemptions.

4. Standards Implementation

The term "standards as may be prescribed" in Section 17(2)(b) needs clear elaboration to ensure appropriate implementation.

Impact on Different Industries

1. Research in Medicine

The research exemption under the DPDP Act may offer benefits to medical research, encompassing clinical trials and health data analysis. However, the lack of a clear definition for "research" introduces ambiguity and potential uncertainty for key sectors such as healthcare institutions and pharmaceutical companies.

2. Academic and Scientific Research

Universities and research institutions benefit from increased operational flexibility under these exemptions. However, it remains critical that these entities ensure data processing activities do not result in decisions specifically impacting individual Data Principals to maintain compliance.

3. Government and National Security

Government bodies benefit from substantial exemptions under Sections 17(2)(a) and 17(4) of the DPDP Act, granting operational flexibility crucial for maintaining national security and conducting law enforcement activities.

Organizations intending to leverage these exemptions should meticulously evaluate their eligibility, maintain thorough documentation of their assessment and the rationale for exemption claims, implement suitable safeguards even when specific requirements are waived, and remain vigilant regarding regulatory updates and guidelines that may offer further clarity on the scope of these exemptions.

As India's data protection framework matures, the interpretation and enforcement of Section 17 will significantly shape the landscape of personal data processing across industries.
