
DPDP Act Exemptions: When the Law Does Not Apply

Supriya Mehta, February 6, 2026, 14 min read

Section 17 of the DPDP Act 2023 is arguably the most misread provision in the entire statute. I have heard it cited as blanket permission for government surveillance, as a free pass for startups, and as proof that research institutions can process personal data however they wish. None of those characterisations survive a careful reading of the text.

The exemptions framework in Section 17 is not a single on/off switch. It is a layered system of complete exemptions, partial exemptions, and conditional carve-outs, each with distinct scope and distinct obligations that survive even where the exemption applies. Getting this wrong carries real consequences. A business that incorrectly claims an exemption and processes personal data without consent has no defence when the Data Protection Board comes calling.

Key Takeaways

  • Section 17 of the DPDP Act 2023 creates 10 distinct exemption categories, ranging from complete to partial, each with different provisions disapplied.
  • Complete exemptions (legal rights enforcement, judicial functions, offence investigation, BPO processing, corporate restructuring, loan defaulter data) remove most of Chapter II, all of Chapter III, and Section 16.
  • Partial exemptions (state security, research, publicly available data) remove only specific sections while leaving others intact. Security safeguards and breach notification survive.
  • Section 17(3) allows the Central Government to exempt startups from specific provisions including notice (Section 5), data accuracy (Section 8(3)), erasure (Section 8(7)), and SDF obligations (Sections 10-11). As of February 2026, no startup exemption notification has been issued.
  • Section 17(5) gives the Central Government a five-year window from the Act's commencement to exempt any Data Fiduciary from any provision. This power expires in August 2028.

Why Do the DPDP Exemptions Matter?

Every data protection law has exemptions. The GDPR has Article 23. The UK Data Protection Act has Schedule 2. The question is never whether exemptions exist; it is how they are structured and who controls their scope.

Under the DPDP Act, the exemption architecture is unusual in two respects.

First, the Central Government holds significant discretionary power. Unlike GDPR, where exemptions are largely fixed in the legislative text, several DPDP exemptions activate only when the Central Government issues a notification. Until that notification arrives, the exemption exists in law but not in practice.

Second, the Act draws a clear line between complete and partial exemptions. Some processing activities are entirely outside most of the Act's requirements. Others are exempt from consent and notice obligations but remain subject to security, breach notification, and Data Principal rights. This distinction is where most businesses trip up.

What Are the Complete Exemptions Under Section 17(1)?

Section 17(1) lists six scenarios where the provisions of Chapter II (except subsections (1) and (5) of Section 8), Chapter III, and Section 16 do not apply. In practical terms, these exemptions remove most substantive obligations while preserving two critical duties: the overarching compliance responsibility of the Data Fiduciary under Section 8(1), and the requirement that Data Processors act only under a valid contract under Section 8(5).

1. Enforcing Legal Rights or Claims

Section 17(1)(a) exempts processing that is "necessary for enforcing any legal right or claim." This covers litigation, arbitration, and pre-litigation evidence gathering. A company processing personal data to pursue a breach of contract action, or to defend itself against a consumer complaint, falls within this exemption.

The boundary: "necessary" is doing real work in that sentence. Processing must be genuinely required for the legal proceeding. Maintaining a database of every customer interaction on the off-chance that one might sue someday does not qualify. The data processing must have a direct, demonstrable connection to an actual or reasonably anticipated legal claim.

2. Courts and Regulatory Bodies

Section 17(1)(b) exempts processing by any court, tribunal, or other body in India "entrusted by law with judicial or quasi-judicial functions, or regulatory or supervisory functions." This is broad but bounded. The National Company Law Tribunal processing personal data in a corporate insolvency resolution, or SEBI processing data during an insider trading investigation, are exempt.

Note: this exempts the courts and regulators themselves, not the private parties appearing before them. A company does not become exempt from the Act simply because its data was subpoenaed by a tribunal.

3. Prevention, Detection, and Investigation of Offences

Section 17(1)(c) exempts processing "in the interest of prevention, detection, investigation, or prosecution of any offence or contravention of any law." This covers law enforcement agencies, investigative bodies, and prosecution authorities.

The exemption covers not just police and CBI but also sectoral regulators investigating contraventions. The RBI investigating an NBFC for regulatory non-compliance, or CERT-In investigating a cybersecurity incident, would fall within this provision.

4. BPO and Offshore Processing

Section 17(1)(d) is the exemption that India's IT services industry lobbied for. Processing of personal data of Data Principals "not within the territory of India" is exempt when carried out by an Indian entity pursuant to a contract with a foreign entity.

This is the BPO carve-out. When a Bangalore-based business process outsourcing company handles customer service data for a US insurance company, the personal data belongs to American consumers, not Indian residents. The DPDP Act's obligations do not apply to that processing, provided it operates under a valid contract with the foreign client.

The limitation is geographical, not contractual. If the same BPO company also processes data of Indian customers for the same client, the exemption does not cover that Indian data. The exemption applies only to the personal data of individuals outside India's territory.

5. Corporate Restructuring

Section 17(1)(e) exempts processing necessary for "any scheme of compromise or arrangement or merger or amalgamation or reconstruction or winding up or transfer of undertaking" approved by a competent court or authority. During a merger, the acquiring company inevitably needs to process personal data from the target company's databases to complete due diligence and integration.

This is a practical acknowledgment that corporate transactions cannot function under strict purpose-limitation rules. The personal data of the target company's customers, employees, and vendors must be processable for the restructuring to proceed.

6. Loan Defaulter Information

Section 17(1)(f) exempts processing for "ascertaining the financial information, assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution." This enables banks and financial institutions to access and share information about loan defaulters without triggering consent and notice obligations.

The exemption is narrower than it appears. It covers defaulter data specifically, not all borrower data. A bank cannot invoke this exemption to process the personal data of a customer who is current on their loan payments.

Exemption | Section | Scope | Who Benefits
--- | --- | --- | ---
Enforcing legal rights or claims | 17(1)(a) | Data processing necessary for legal proceedings | Any Data Fiduciary pursuing or defending legal claims
Judicial and regulatory functions | 17(1)(b) | Processing by courts, tribunals, and regulatory bodies | Courts, NCLT, SEBI, RBI, IRDAI, and similar bodies
Offence investigation | 17(1)(c) | Prevention, detection, investigation, prosecution | Law enforcement, investigative agencies
BPO processing | 17(1)(d) | Data of non-Indian Data Principals under foreign contract | Indian IT services and outsourcing companies
Corporate restructuring | 17(1)(e) | Mergers, amalgamations, demergers, winding up | Companies undergoing court-approved restructuring
Loan defaulter data | 17(1)(f) | Financial information of defaulting borrowers | Banks, NBFCs, financial institutions

What Are the Partial Exemptions Under Section 17(2)?

Section 17(2) creates three categories of partial exemption. Unlike the complete exemptions in Section 17(1), these disapply only specific sections while leaving the rest of the Act operative. This is where most compliance errors originate, because businesses read "exempt" and assume it means "exempt from everything."

State Security (Section 17(2)(a))

The broadest, and most debated, exemption. Section 17(2)(a) states that Chapters II and III and Section 16 shall not apply to "such instrumentality of the State as the Central Government may, by notification, notify" when processing is in the interests of:

  • Sovereignty and integrity of India
  • Security of the State
  • Friendly relations with foreign States
  • Maintenance of public order
  • Preventing incitement to any cognisable offence relating to these interests

Three things to understand about this exemption.

First, it requires a Central Government notification. The exemption does not activate automatically. A state instrumentality is not exempt until it is specifically notified as such. As of February 2026, no notification has been issued under this provision.

Second, the exemption extends beyond the instrumentality itself. Section 17(2)(a) also covers "the processing by the Central Government of any personal data" furnished by a notified instrumentality. This means data does not lose its exempt status when it flows from a notified agency to the Central Government.

Third, what survives: Section 8(1) (the overarching Data Fiduciary compliance obligation) and Section 8(5) (the requirement for valid Data Processor contracts) remain applicable. Even state agencies processing data under a security exemption must maintain reasonable security safeguards and valid processing agreements.

This provision has drawn significant scrutiny from privacy advocates. The scope of "security of the State" and "maintenance of public order" could, depending on the notification, cover mass surveillance programmes without meaningful judicial oversight. The Act itself provides no independent review mechanism for these exemptions; the notification power rests entirely with the executive.

Research, Archiving, and Statistical Purposes (Section 17(2)(b))

Section 17(2)(b) exempts processing that is "necessary for research, archiving or statistical purposes," subject to two conditions:

  1. The personal data must not be used to make any decision specific to a Data Principal
  2. The processing must follow standards prescribed by the Central Government

This exemption disapplies Sections 5 (notice), 6 (consent), 7 (legitimate uses), and 8 (Data Fiduciary obligations except subsections (1) and (5)). But Data Principal rights under Chapter III remain applicable. A research institute analysing health outcomes across 10 million anonymised patient records does not need individual consent, but those patients retain their rights of access, correction, and grievance redressal for their underlying data.

As of February 2026, the Central Government has not published the prescribed standards. This creates an operational vacuum: the exemption exists in the statute but its conditions remain undefined. For healthcare and academic research, we covered the practical implications in our DPDP for healthcare analysis.

The critical boundary: "not used to make any decision specific to a Data Principal." A pharmaceutical company using patient data for aggregate drug efficacy studies is within the exemption. The same company using that data to target individual patients with personalised drug recommendations is not.

Publicly Available Personal Data (Section 17(2)(c))

Section 17(2)(c) exempts processing of "publicly available personal data." This covers personal data that has been made publicly available by the Data Principal themselves, or by another person under a legal obligation.

The exemption disapplies Sections 5, 6, 7, and 8 (except subsections (1) and (5)). You do not need consent to process data that is already legitimately public: company directors listed on the MCA portal, court judgments naming parties, property records in public registries, or social media posts that the individual chose to make publicly accessible.

Two important caveats.

First, "publicly available" has a specific meaning. Data scraped from a private profile through a security vulnerability is not publicly available. Data from a LinkedIn profile set to "public" likely is. The test is whether the data was legitimately accessible to the general public.

Second, the exemption does not grant unlimited processing rights. If the publicly available data is used to make decisions specific to individuals, the scope narrows considerably. An AI system that scrapes publicly available data and uses it to score, rank, or profile individuals may fall outside this exemption depending on how the outputs affect those individuals.

Partial Exemption | Section | Sections Disapplied | Sections That Survive
--- | --- | --- | ---
State security | 17(2)(a) | Ch. II (except s.8(1), s.8(5)), Ch. III, s.16 | s.8(1) compliance obligation, s.8(5) processor contracts
Research/archiving/statistical | 17(2)(b) | s.5, s.6, s.7, s.8 (except s.8(1), s.8(5)) | Ch. III (Data Principal rights), s.16 (cross-border transfers)
Publicly available data | 17(2)(c) | s.5, s.6, s.7, s.8 (except s.8(1), s.8(5)) | Ch. III (Data Principal rights), s.16 (cross-border transfers)

What Exemptions Exist for Startups Under Section 17(3)?

Section 17(3) empowers the Central Government to notify certain Data Fiduciaries, "including startups," to whom specific provisions shall not apply. The provisions eligible for startup exemption are:

  • Section 5: Notice before collecting personal data
  • Section 8(3): Data accuracy and completeness obligations
  • Section 8(7): Data erasure and retention limits
  • Section 10: Significant Data Fiduciary additional obligations
  • Section 11: Right to information (Data Principal's access right)

The Act defines a "startup" for these purposes as a private limited company, partnership firm, or limited liability partnership incorporated in India that has been recognised as a startup under the criteria notified by the DPIIT (Department for Promotion of Industry and Internal Trade).

As of February 2026, the Central Government has not issued any notification under Section 17(3). This means the startup exemption exists on paper but is not yet operative. Every startup processing personal data in India today must comply with the full Act.

The intention behind this provision is clear: reduce compliance burden on early-stage companies that process limited volumes of personal data. The risk is equally clear: if the notification is drafted too broadly, it could exempt thousands of companies processing personal data with no notice, no accuracy obligations, and no erasure requirements.

When the notification eventually issues, expect it to include conditions based on the volume and nature of personal data processed, similar to the qualifiers already present in Section 17(3)'s text. A 10-person startup with a customer waitlist is a different compliance proposition from a funded Series B company processing financial data for 500,000 users.

What is the Five-Year Sunset Power Under Section 17(5)?

Section 17(5) is the broadest executive power in the Act. It states:

The Central Government may, before the expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or class of Data Fiduciaries, for such period as may be specified in the notification.

The Act received Presidential assent on August 11, 2023. This five-year window closes in August 2028. During this period, the Central Government can exempt any entity from any provision of the Act, for any duration it specifies.

This is a transitional provision, designed to give the government flexibility to ease businesses into the new compliance regime. But its scope is remarkable. Unlike Section 17(3), which limits startup exemptions to specific sections, Section 17(5) has no such limitation. The Central Government could theoretically exempt an entire industry vertical from the Act for a specified period.

As of February 2026, no notification has been issued under Section 17(5). The provision remains an unused power. Whether, and how, the government exercises it will significantly shape the DPDP compliance landscape between now and full enforcement in May 2027.

What About Processing by Government Bodies?

Section 17(4) addresses processing by the State and its instrumentalities that falls outside the security exemption in Section 17(2)(a). For government processing that does not relate to sovereignty, security, or public order:

  • Section 8(7) (data erasure obligations) does not apply
  • Section 12(3) (erasure upon consent withdrawal) does not apply where processing does not require consent
  • Section 12(2) does not apply where processing does not affect the Data Principal's decision

In practice, this means government databases can retain personal data beyond the standard erasure timelines. A government subsidy programme that collected beneficiary data under Section 7's legitimate use framework is not required to erase that data when the subsidy period ends, as a private Data Fiduciary would be.

The remaining obligations still apply. Government entities must implement security safeguards, notify breaches, and respond to Data Principal access and correction requests. The exemption is from retention limits, not from accountability.

What Obligations Survive All Exemptions?

This is the question most businesses fail to ask. Even under the broadest exemptions, certain core obligations are never disapplied.

Section 8(1) survives every exemption. This is the overarching provision that places compliance responsibility on the Data Fiduciary "in respect of any processing undertaken by it or on its behalf by a Data Processor." No exemption in the Act removes this foundational accountability.

Section 8(5) survives every exemption. This requires that any Data Processor acting on behalf of a Data Fiduciary must do so under a valid contract. Even in national security processing, the instrumentality must have a contract with its service providers.

Under the DPDP Rules 2025, the security safeguards specified under Section 8(4) are not explicitly disapplied by the partial exemptions. This creates an interpretive question: if Section 8 is disapplied "except subsections (1) and (5)," does subsection (4) (security safeguards) fall away? A strict textual reading says yes. But the Central Government's intent, as signalled in the parliamentary debate and MeitY's public commentary, suggests that security expectations survive even where other obligations are lifted. Until the DPBI adjudicates a case on this point, the prudent approach is to maintain security safeguards regardless of exemption status.

What Are the Most Common Exemption Mistakes?

Having advised companies on DPDP compliance since the Act's passage, I see the same errors repeatedly.

Mistake 1: "We process publicly available data, so the Act doesn't apply to us." The Act still applies. Section 17(2)(c) is a partial exemption: it disapplies consent and notice, not Data Principal rights or the overarching compliance obligation. If someone whose public data you have processed files an access request, you must respond within 90 days.

Mistake 2: "We're a startup, so we're exempt." No notification has been issued under Section 17(3) as of February 2026. Every startup in India must comply with the full Act. Planning your compliance programme around a hypothetical future exemption is a gamble, not a strategy.

Mistake 3: "Our BPO processes foreign data, so none of our processing is covered." The BPO exemption under Section 17(1)(d) covers only the personal data of individuals outside India's territory. If the same operation also handles data of Indian residents, even incidentally, that data is fully within the Act's scope.

Mistake 4: "Research is exempt, so we don't need consent for our analytics." The research exemption under Section 17(2)(b) requires that data not be used to make decisions specific to any individual. Customer analytics, personalised recommendations, and targeted marketing are decisions specific to individuals. They are not research.

Mistake 5: "The government exemption means all government contractors are exempt." Section 17(2)(a) exempts notified state instrumentalities, not their private contractors. A cybersecurity firm hired by a government agency to process personal data is a Data Processor operating on behalf of a Data Fiduciary, and it needs a valid contract under Section 8(5). The exemption does not cascade to the supply chain.

How Do DPDP Exemptions Compare to GDPR?

Indian companies with European operations consistently ask whether the DPDP exemption framework mirrors GDPR. It does not. The structural differences are significant.

Feature | DPDP Act 2023 (Section 17) | GDPR (Article 23 and Recitals)
--- | --- | ---
Exemption structure | Complete + partial, with different sections disapplied | Restrictions on rights/obligations, not full disapplications
National security | Executive notification (no judicial oversight required) | Member State law, subject to necessity and proportionality
Research/statistics | Partial exemption with prescribed standards (unpublished) | Safeguards under Article 89, including pseudonymisation
Publicly available data | Explicit partial exemption | No standalone exemption; lawful basis still required
Startup carve-out | Expressly provided (Section 17(3)) | No startup-specific exemption
Sunset clause | 5-year executive power to exempt any entity (Section 17(5)) | No equivalent provision
BPO/offshore processing | Territorial exemption for non-Indian Data Principals | GDPR applies to all processing by EU-established entities
Judicial oversight | None required for executive exemptions | Court of Justice oversight on adequacy and proportionality

The most significant structural difference is the executive discretion embedded in the DPDP framework. GDPR exemptions are predominantly legislative, fixed in the regulation text and subject to judicial review by the Court of Justice. DPDP exemptions are substantially executive, activated by Central Government notification with no express requirement for judicial review or proportionality assessment.

For Indian businesses that have built compliance programmes on the GDPR model, the key takeaway: DPDP exemptions operate differently and cannot be mapped one-to-one onto GDPR's restriction framework. The startup exemption, the BPO carve-out, and the five-year sunset power have no GDPR equivalents. The absence of judicial oversight on national security exemptions is a structural divergence that may create tensions for companies subject to both regimes.

Frequently Asked Questions

Does the DPDP Act apply to government agencies?

Yes, with significant qualifications. Government agencies are Data Fiduciaries under the DPDP Act 2023 when they determine the purpose and means of processing personal data. However, Section 17(2)(a) empowers the Central Government to exempt specific state instrumentalities from most obligations when processing relates to sovereignty, state security, public order, or foreign relations. Section 17(4) additionally exempts government bodies from data erasure obligations. As of February 2026, no state instrumentality has been formally notified as exempt under Section 17(2)(a).

Are startups exempt from the DPDP Act?

Not currently. Section 17(3) of the DPDP Act 2023 empowers the Central Government to notify exemptions for startups recognised by the DPIIT, potentially removing obligations around notice (Section 5), data accuracy (Section 8(3)), erasure (Section 8(7)), and Significant Data Fiduciary requirements (Sections 10-11). However, as of February 2026, no such notification has been issued. Every startup processing personal data in India must comply with the full Act until a notification is published.

What is the research exemption under DPDP and what are its limits?

Section 17(2)(b) of the DPDP Act 2023 partially exempts processing that is necessary for research, archiving, or statistical purposes. Two conditions must be met: the personal data must not be used to make any decision specific to an individual Data Principal, and the processing must follow standards prescribed by the Central Government. As of February 2026, these prescribed standards remain unpublished. The exemption removes consent and notice obligations but preserves Data Principal rights under Chapter III, including the right to access and correction.

Does the BPO exemption under DPDP cover all outsourcing companies?

The BPO exemption under Section 17(1)(d) applies specifically to the processing of personal data of Data Principals "not within the territory of India" by an Indian entity under a contract with a foreign entity. It covers Indian outsourcing companies processing data of foreign nationals under foreign contracts. It does not cover processing of Indian residents' data, even by BPO companies. If the same BPO operation handles both Indian and foreign customer data, only the foreign data falls within the exemption.

When does the Central Government's power to grant exemptions expire?

The broadest exemption power under Section 17(5) expires five years from the Act's commencement. Since the DPDP Act received Presidential assent on August 11, 2023, this power lapses in August 2028. After that date, the Central Government can no longer issue new blanket exemptions under Section 17(5), though exemptions issued before the deadline continue for their specified period. The narrower exemption powers under Sections 17(2) and 17(3) have no such expiry.

Simplify Your DPDP Compliance

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

Understanding which exemptions apply to your processing activities is the first analytical step. The operational step, building compliant consent mechanisms, security safeguards, and Data Principal rights infrastructure for the processing that is not exempt, is where most businesses stall. ComplyZero's self-serve platform helps Indian businesses implement DPDP compliance in minutes, not months: automated consent management, privacy notices in 22 Indian languages, and audit-ready compliance records, all without needing to hire a consultant.

