Exemptions (Section 17)

Definition

Section 17 of the Digital Personal Data Protection Act, 2023 specifies circumstances in which certain provisions of the Act do not apply to the processing of personal data, subject to the conditions laid down in the law.

Section 17 of the Digital Personal Data Protection Act, 2023 (DPDP Act) sets out specific exemptions from certain obligations under the Act. These exemptions recognize that, in limited situations, applying every provision of the Act may not be appropriate due to public interest, legal requirements, or the nature of the processing activity. Importantly, Section 17 does not create a blanket exemption from the entire Act. The scope of each exemption depends on the specific provision, purpose, and conditions prescribed in the legislation.

The exemptions under Section 17 cover a range of scenarios. These include processing of personal data for the prevention, detection, investigation, or prosecution of offences; enforcement of legal rights or claims; judicial or quasi-judicial functions; processing necessary to comply with judgments, decrees, or legal obligations; research, archiving, or statistical purposes where applicable conditions are met; mergers, amalgamations, or corporate restructuring approved by a competent authority; and other situations specified under the Act. The Central Government is also empowered to exempt certain Data Fiduciaries or classes of Data Fiduciaries, including specified government instrumentalities, from particular provisions of the Act under defined circumstances.

Organizations should interpret Section 17 carefully rather than assuming that an exemption removes all privacy obligations. Each exemption has a defined legal scope and should be applied only where its statutory conditions are satisfied. Even where an exemption is available, organizations should maintain appropriate governance, document the legal basis for relying on the exemption, implement reasonable security safeguards, and be prepared to demonstrate why the exemption applies. Misinterpreting Section 17 may expose organizations to compliance risks and regulatory scrutiny.

In practice, gaps emerge when:

  • Organizations assume an exemption removes all obligations under the DPDP Act.
  • Exemptions are applied without documenting the legal basis or supporting evidence.
  • Business teams rely on broad interpretations instead of assessing the specific conditions under Section 17.
  • Internal policies fail to distinguish between exempt and non-exempt processing activities.
  • Processing activities continue under an exemption even after the qualifying circumstances no longer exist.

Organizations reduce compliance risks by documenting the purpose of processing, maintaining records supporting reliance on exemptions, periodically reviewing exempt processing activities, and involving legal and privacy teams when interpreting statutory provisions. Within Privy, capabilities such as data discovery, data mapping, governance workflows, privacy assessments, and audit-ready reporting help organizations document processing activities and demonstrate accountability when exemptions are relied upon.

Questions About Staying in Control?

Here’s everything you need to know about this term and how it fits into your compliance program.

Section 17 specifies circumstances in which certain provisions of the DPDP Act do not apply to particular processing activities, subject to the conditions prescribed in the Act.

No. Section 17 does not provide a blanket exemption. It applies only to specific provisions and only where the statutory conditions for a particular exemption are satisfied.

Yes, certain exemptions may apply to private organizations depending on the nature and purpose of the processing, such as processing for legal claims or corporate restructuring. The applicability depends on the specific provision of the Act and the relevant facts.

No. The Act enables the Central Government to notify exemptions for certain government instrumentalities under specified circumstances. Such exemptions are not automatic and depend on the applicable notification and statutory conditions.

Privy helps organizations maintain visibility into personal data processing through data discovery, data mapping, governance workflows, privacy assessments, and audit-ready reporting, making it easier to document processing activities and support compliance decisions.

Still have a question?

Latest Blog

RBI's New Data Governance Framework Meets DPDP: What Banks and NBFCs Must Build
DPDP Rules

Jul 16, 2026

RBI's New Data Governance Framework Meets DPDP: What Banks and NBFCs Must Build

DPDPA for Schools and EdTechs: The 2026 Guide to Children's Data Compliance
DPDP Rules

Jul 11, 2026

DPDPA for Schools and EdTechs: The 2026 Guide to Children's Data Compliance

Incident Response Management Lifecycle for DPDPA in 2026: How to Detect, Contain, and Report a Personal Data Breach
Incident Management

Jul 10, 2026

Incident Response Management Lifecycle for DPDPA in 2026: How to Detect, Contain, and Report a Personal Data Breach