Exemptions Under the Digital Personal Data Protection (DPDP) Act, 2023 

February 27, 2025


Introduction 

The Digital Personal Data Protection (DPDP) Act, 2023, and the Digital Personal Data Protection Rules, 2025 establish a comprehensive legal framework to regulate personal data protection in India. While the Act emphasizes the importance of data privacy, security, and compliance, it also recognizes the need for certain exemptions that allow specific entities to process personal data without strictly adhering to all provisions. Understanding these exemptions is crucial for businesses, government agencies, and individuals. These exceptions shape compliance obligations and influence operational strategies.  

Key Exemptions Under the DPDP Act, 2023  

Let’s decode the exemptions granted by India’s first comprehensive legislative framework for data protection:

Exemptions for Government Agencies and National Security Concerns  

To ensure that national security, sovereignty, and public order are not compromised, the DPDP Act grants certain exemptions to government agencies. As per Section 17(2)(a), the Central Government has the authority to exempt certain agencies from compliance obligations if their data processing activities are deemed necessary for safeguarding the sovereignty, integrity, or security of the state, maintaining friendly relations with foreign nations, or preserving public order. These exemptions allow government entities to carry out operations without being hindered by compliance requirements that may slow down critical functions. For private entities handling data in collaboration with the government, there may be a reduced compliance burden.   

Standards for Processing by State and its Instrumentalities and for Specified Purposes  

Section 17(2)(a) of the DPDPA exempts the processing of personal data by a State instrumentality notified by the Central Government for sovereignty, security, foreign relations, public order, or crime prevention from fulfilling certain obligations under the Act. However, these exemptions are subject to the conditions outlined in Schedule 2 of the Draft Rules, which include limiting personal data to what is necessary and implementing reasonable security safeguards to prevent data breaches. Similarly, processing activities by the State and its instrumentalities are carried out on the basis of the legitimate uses outlined under Section 7 of the Act, one of the legal bases for processing information under the DPDPA. In such cases, consent of the Data Principal is not required. According to Section 7, the State and its instrumentalities may process a Data Principal’s personal data to provide prescribed subsidies, benefits, services, certificates, licenses, or permits, either with prior consent or if the data exists in a notified database, as long as it fulfils the standards laid out in Schedule 2 of the Draft Rules.

Exemptions for Research, Archiving, and Statistical Purposes  

Recognizing the importance of research and data-driven insights in fostering innovation, the DPDP Act provides relief for organizations engaged in research and statistical analysis. Section 17(2)(b) states that personal data can be processed for research, archiving, or statistical purposes, provided that such data is not used to make decisions that directly affect Data Principals. The same is reinforced by Rule 15 under the DPDP Rules 2025. It is also emphasized that processing for the above-mentioned purposes must be done in accordance with the standards laid down under Schedule 2 of the Draft Rules. This exemption benefits universities, think tanks, and analytics firms, allowing them to work with large datasets without facing stringent compliance obligations.

Exemptions for Startups and Certain Data Fiduciaries  

Acknowledging the challenges faced by startups and small enterprises, the DPDP Act includes provisions to ease compliance burdens for certain data fiduciaries based on the scale and nature of data processing. Section 17(3) allows the government to grant exemptions to specific data fiduciaries, including startups, from selected provisions of the Act. This exemption is based on the volume and nature of the data processed. In addition to this, certain other exceptions stem from the Act.

  • Startups are not required to issue detailed notices to data principals before processing their data, helping them streamline operations without excessive paperwork.  
  • Unlike larger organizations, startups are not mandated to ensure the accuracy and completeness of personal data. 
  • Eligibility Criteria for startups: These exemptions apply to startups that meet specific government-defined criteria.

Legal Rights and Judicial Functions Exemptions

To facilitate judicial and legal processes, the Act permits data processing under specific legal contexts to be exempted from specific provisions. Section 17 allows the processing of personal data when necessary for legal proceedings, investigations, and prosecutions, for the enforcement of legal rights and claims. However, organizations utilizing this exemption must ensure that data is processed strictly within the boundaries of legal frameworks and is not misused.  

Exemptions for Corporate Restructuring and Financial Assessments  

Business transactions such as mergers, acquisitions, and financial evaluations often require extensive data exchange. The DPDP Act accommodates these needs by providing exemptions in relevant scenarios. Section 17(1)(e) allows the processing of personal data during corporate restructuring activities, including mergers, acquisitions, and demergers.  

Publicly Available Data and Personal Use Exemptions  

Certain categories of data are excluded from the Act’s purview, reducing regulatory burdens on businesses and individuals. Section 3(c) exempts personal data that has been voluntarily made publicly available by individuals. Businesses leveraging publicly available data and involved in data scraping must be cautious to avoid infringing on individuals’ rights or unethical processing. 

Conditional Exemptions for Processing Children’s Data  

Under Section 9, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian before processing the personal data of a child or a person with a disability. Additionally, Section 9 specifically prohibits the processing of children’s data for behavioural monitoring or tracking. The Central Government may exempt Data Fiduciaries from these obligations if they demonstrate verifiable safety in their processing practices. Organizations working with children’s data must adhere to stringent guidelines, but certain exemptions apply under specific conditions.  While these exemptions facilitate essential services, organizations must implement additional safeguards and security measures to prevent exploitation and ensure child safety.   

The Draft Rule 11 and Fourth Schedule of the Draft DPDP Rules exempt certain classes of data fiduciaries and certain processing activities from complying with the requirements provided under Section 9 of the Act. Part A of the schedule specifies that a Data Fiduciary who is an educational institution is exempt when processing data is restricted to tracking and behavioural monitoring for educational activities or the safety of children enrolled in the institution. Similarly, a Data Fiduciary who is an individual responsible for the care of infants or children in a crèche or child daycare centre is exempt when the data processing is limited to tracking and behavioural monitoring for the safety of the children under their care. Additionally, a Data Fiduciary engaged by an educational institution, crèche, or childcare centre to transport children is exempt when processing data is restricted to tracking the children’s location during their travel to and from the institution or centre, ensuring their safety. 

The aim behind this is to ensure the well-being and safety of the child and to ensure that any processing involved is done within a defined and limited scope. Part B of the Fourth Schedule exempts certain processing activities. For example, where a child’s personal data is processed for providing a subsidy, benefit, service, certificate, license, or permit in the interests of a child, the obligations under Additional CPD Requirements may be exempt if processing is restricted to the extent necessary for such provision or issuance.

Conclusion  

Organizations must strike a balance between leveraging exemptions for operational efficiency and upholding individuals’ rights to data privacy. Companies should proactively implement robust data protection frameworks to navigate these regulatory complexities while maintaining compliance with the DPDP Act. Understanding these exemptions is essential for businesses and individuals to ensure compliance, mitigate risks, and uphold ethical data-handling practices in an evolving regulatory landscape. 

Tsaaro Consulting, in collaboration with PSA Legal Counsellors and Advertising Standards Council of India, has authored a whitepaper titled ‘Navigating Cookies: Recalibrating Your Cookie Strategy in Light of the DPDPA’. If you want to learn more about cookie consent management, read the whitepaper by clicking here.

The Ministry of Electronics and Information Technology (MeitY) has released the Draft DPDP Rules, 2025 for Public Consultation!
