BACK TO DPDP ACT
DPDP Act 2023

Section 17

Exemptions

THE STATUTE

Original Text

(1) The Central Government may, having regard to the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to any cognisable offence relating to any of the above, by notification, exempt from the application of the provisions of this Act, the processing of personal data, or any class thereof, by any instrumentality of the State or class of instrumentalities of the State. (2) Compliance with any provision of this Act may be exempted in the interests of prevention, detection, investigation or prosecution of any offence or contravention of any law. (3) Processing of personal data is exempt from certain provisions of this Act — (a) in the interest of research, archiving, or statistical purposes: compliance with certain provisions specified may be exempted; (b) for processing of personal data in the exercise of any judicial or quasi-judicial function; (c) for processing for journalistic, research, academic, or similar public interest purposes where compliance would prejudice such purpose. (4) The Central Government may, by notification, exempt from the application of any or all provisions of this Act, any class of Data Fiduciaries relating to the processing of personal data, subject to conditions as may be specified.

Simplified

Section 17 is the most contested provision in the DPDP Act — and the most politically significant. It contains the exemptions that determine how far the Act's privacy protections actually extend when they conflict with state power and other public interests. Section 17(1) is the broadest and most criticised exemption: the Central Government can, by notification, exempt any instrumentality of the State from the entire Act on grounds of sovereignty, security, friendly foreign relations, public order, or preventing cognisable offences. This effectively means the Indian state and its agencies — including intelligence and law enforcement bodies — can be exempted from DPDP Act obligations by executive notification. Critics, including legal scholars and the Opposition, have noted that this is significantly broader than comparable exemptions in the GDPR (Article 23 requires exemptions to be necessary and proportionate) or even the original Srikrishna Committee draft, which had more specific carve-outs. There is no requirement of judicial oversight, proportionality, or parliamentary scrutiny for exemptions under Section 17(1) — the Central Government notifies and it is done. Section 17(2) exempts processing for law enforcement purposes — investigation, detection, and prosecution of offences. This is a narrower and more conventional exemption found in all major data protection regimes. Sections 17(3) provides purpose-based exemptions: research and statistics (comparable to GDPR's special category provisions for public interest research), judicial and quasi-judicial functions (courts cannot be required to delete personal data in judgments), and journalism and academic research in the public interest. Section 17(4) is a catch-all executive power: the Central Government can exempt any class of Data Fiduciaries from any or all provisions of the Act by notification. This has been used (or is expected to be used) to exempt startups and small businesses from certain compliance obligations, reducing the burden on early-stage entities without the resources for full DPDP compliance. The interaction between the state surveillance exemption in Section 17(1) and the lack of an independent data regulator (the Board's independence is limited given government control over appointments under Section 18/20) has been described as a structural weakness: the government can both exempt itself from the Act's obligations and control the regulator that would otherwise oversight it.

Common Queries

Yes, under Section 17(1). The Central Government can notify any instrumentality of the State as exempt from the Act on grounds of sovereignty, security, public order, or friendly foreign relations — without any requirement of proportionality, necessity, or judicial oversight. This is the most criticised provision of the Act.
Section 17(3)(c) provides an exemption for journalistic, research, and academic processing in the public interest where compliance would prejudice that purpose. However, this exemption has limits — it covers processing for the specific public interest purpose, not blanket exemption from all obligations.
Courts exercising judicial or quasi-judicial functions are exempt under Section 17(3)(b). Court judgments naming parties, police FIRs, and tribunal orders all process personal data in the exercise of judicial functions and are not subject to DPDP Act obligations.
Yes. Section 17(1) exemptions must comply with the constitutional right to privacy from Puttaswamy. A notification exempting a state instrumentality from the entire Act without proportionality justification could be challenged as unconstitutional if the underlying surveillance or data processing violates the proportionality standard.
Section 17(4) allows the Central Government to exempt any class of Data Fiduciaries from any provisions of the Act. This is expected to be used to provide lighter-touch compliance obligations for startups and small businesses — the specific exempted classes, conditions, and which provisions are exempted will be specified in the DPDP Rules.

Legal Context

The state security exemption was the single most contentious issue in the DPDP Act's parliamentary passage. The Srikrishna Committee 2018 draft had included specific grounds for state access to data with proportionality requirements. The Personal Data Protection Bills 2019 and 2021 had progressively broader exemptions. The final DPDP Act 2023's Section 17(1) is the broadest version — giving the Central Government near-unfettered power to exempt state instrumentalities. The Opposition's key argument against the Act was that it purported to protect privacy while simultaneously giving the government unlimited power to circumvent those protections without judicial oversight.

Key Rules & Provisions

Broadest state security exemption of all DPDP bill drafts — entire Act can be disapplied to state instrumentalities by notification.

No proportionality or necessity requirement for Section 17(1) exemptions — unlike GDPR Article 23.

No judicial oversight or parliamentary scrutiny required for Section 17(1) notifications.

Section 17(4) catch-all for startup/small business exemptions — expect the DPDP Rules to specify eligible classes.

Related Case Laws

K.S. Puttaswamy v. Union of India (2017)

(2017) 10 SCC 1
RELEVANCE

The Puttaswamy judgment's proportionality test — that any restriction on privacy must be necessary, proportionate, and have procedural safeguards — provides the constitutional framework against which the breadth of Section 17(1) exemptions may be challenged.

Justice K.S. Puttaswamy v. Union of India (Aadhaar) (2018)

(2019) 1 SCC 1
RELEVANCE

The Aadhaar judgment's balancing of state data collection interests against individual privacy rights, and its scrutiny of the proportionality of surveillance infrastructure, is directly relevant to the constitutional limits on Section 17(1) exemptions.