Applicability & Exemptions
Mastering the territorial scope, material scope, and statutory exemptions that define DPDPA's reach and limitations
📋 Introduction
Every law's effectiveness depends on two critical questions: To whom does it apply? and What exceptions exist? For data protection practitioners, mastering these boundaries is not merely academic—it determines whether your client faces compliance obligations, potential penalties up to ₹250 crores, or falls outside the law's reach entirely.
The scope of law reflects legislative intent about the universe of regulated conduct. As Justice Holmes observed in Southern Pacific Co. v. Jensen (1917): "The life of the law has not been logic; it has been experience." The DPDPA's applicability provisions reflect India's experience with cross-border digital commerce while balancing sovereignty concerns with global data flows.
Section 3 defines DPDPA's application domain, while Section 17 carves out exemptions. Together, they create a regulatory perimeter that every data protection lawyer must navigate with precision. This lesson provides the analytical framework to make these determinations confidently.
Learning Objectives
By completing this lesson, you will be able to:
- Analyze whether DPDPA applies to specific data processing scenarios
- Explain the territorial and material scope of DPDPA
- Identify and apply the various exemptions under Section 17
- Evaluate constitutional challenges to exemption provisions
- Compare DPDPA's scope with GDPR and other frameworks
- Advise clients on exemption applicability and limitations
⚡ Section 3: Application of the Act
(a) collected online; or
(b) collected offline and is digitised subsequently."
Section 3 establishes three cumulative conditions for DPDPA applicability:
Digital Personal Data
The data must be "personal data" (§2(t)) in digital form. Purely manual, non-digitised records are excluded. The processing must be wholly or partly automated.
Processing Activity
There must be "processing" as defined in §2(x)—collection, storage, use, disclosure, or any automated operation on the data.
Territorial Nexus
Either: (a) Processing occurs within India; OR (b) Processing is extraterritorial but relates to offering goods/services in India.
Unlike GDPR which covers manual filing systems (Art. 2(1)), DPDPA applies only to digital data. A paper-based patient register in a rural clinic is outside DPDPA—until the moment it's scanned or entered into a computer. This "digital threshold" has significant implications for India's semi-digitised economy.
Collection Pathways: Online vs. Digitised Offline
Section 3(1) creates two pathways by which data enters DPDPA's scope:
Online Collection
Data collected through websites, mobile apps, IoT devices, online forms, email, social media, or any digital channel. Born digital—automatically within scope.
✓ Directly within DPDPA
Offline → Digitised
Data initially collected on paper forms, handwritten records, physical documents—enters DPDPA scope upon digitisation (scanning, data entry, OCR).
⚠️ Enters scope upon digitisation
Purely Offline
Paper records that remain non-digitised—visitor registers, handwritten notes, physical files never scanned or entered into databases.
✗ Outside DPDPA scope
Question: A hospital maintains handwritten patient records. A data entry operator types some records into a computer system. Which records fall under DPDPA?
Analysis: Only the digitised records (those entered into the computer) are subject to DPDPA. The remaining handwritten records are outside scope—until digitised. The hospital must comply with DPDPA for digitised records (consent, notice, security) while the paper records may be governed by other laws (medical confidentiality, contract).
🌍 Territorial Scope: India and Beyond
Section 3(2) extends DPDPA's reach beyond India's borders through the "offering test"—a concept borrowed from GDPR Article 3(2). This creates two regulatory zones:
| Aspect | Intra-territorial (§3(1)) | Extra-territorial (§3(2)) |
|---|---|---|
| Location of Processing | Within India | Outside India |
| Connection to India | Physical processing location | Offering goods/services to Indians |
| Data Principal Location | Any (data processed in India) | Must be in India |
| Example | Indian company processing employee data in Mumbai servers | US e-commerce site selling to Indian customers |
| Jurisdictional Basis | Territorial sovereignty | Effects doctrine |
The "Offering Test" Decoded
When does a foreign entity "offer goods or services" to Indians? Drawing from GDPR jurisprudence (CJEU in Google v CNIL, C-507/17), relevant factors include:
- Language: Website available in Hindi or Indian regional languages
- Currency: Prices displayed in Indian Rupees (₹)
- Domain: Use of .in domain or India-specific subdomain
- Marketing: Advertising targeted at Indian audiences
- Delivery: Shipping to Indian addresses
- Payment: Acceptance of Indian payment methods (UPI, Paytm, Indian cards)
- Customer Support: India-based helplines or support in Indian time zones
Unlike GDPR Article 3(2)(b), DPDPA does not include a "monitoring" ground for extraterritorial application. This means behavioural tracking of Indians by foreign entities—without offering goods/services—may fall outside DPDPA's explicit scope. This gap could be exploited by surveillance-oriented entities that don't sell to Indians but extensively profile them.
The CJEU's landmark "Right to be Forgotten" case established that EU data protection law applies to search engine operations affecting EU residents, even when the data controller is headquartered elsewhere. While Google Spain interpreted the earlier Directive 95/46/EC, its reasoning on extraterritorial reach influenced GDPR's drafting and provides interpretive guidance for DPDPA's similar provisions.
Citation: Case C-131/12, Google Spain SL v Agencia Española de Protección de Datos (AEPD)
Exclusions from Application
(a) personal data processed by an individual for any personal or domestic purpose; and
(b) personal data about an individual that is contained in a record that has been in existence for at least 100 years."
Personal/Domestic Purpose
Data processed purely for household activities—personal contact lists, family photos, home recipes. No commercial, professional, or organizational use.
Historical Records (100+ years)
Records existing for at least 100 years—historical archives, genealogical records, century-old documents. Preserves research and heritage access.
The 100-year exception protects historical research and genealogical activities. A 150-year-old British-era census record in the National Archives falls outside DPDPA, enabling historians and genealogists to access such data freely. However, a 50-year-old record is still within scope—creating an interesting temporal sliding window as records age into exemption.
📊 Material Scope: What Data is Covered?
DPDPA's material scope is defined by the intersection of three concepts: "personal data," "processing," and "digital form." Understanding each element is critical for scope determinations.
Personal Data Requirement
Only "personal data" as defined in §2(t)—"data about an individual who is identifiable by or in relation to such data"—falls within scope. This excludes:
Organizational Data
Data about companies, partnerships, trusts, or other legal entities. Corporate financial data, business records, B2B transaction data.
Anonymised Data
Data from which individuals cannot be identified, directly or indirectly. Properly anonymised datasets, aggregate statistics.
Pseudonymised Data
Data processed so identification requires additional information held separately. Still personal data if re-identification is possible.
The key question: Can a natural person be identified from the data, directly or indirectly? Indirect identification includes using additional data, linking datasets, or inferring identity from context. Following the CJEU's reasoning in Breyer v Germany (C-582/14), dynamic IP addresses may be personal data if the data holder has legal means to obtain additional information enabling identification.
Processing Requirement
The activity must constitute "processing" under §2(x)—wholly or partly automated operations including collection, storage, use, disclosure, and erasure. Mere storage of digitised paper (such as scanned documents stored without any automated processing) may trigger debate about whether passive storage constitutes "processing."
Digital Form Requirement
The data must be in digital form—electronically recorded, stored, or transmitted. This distinguishes DPDPA from broader personal data laws:
| Data Type | DPDPA Scope? | Rationale |
|---|---|---|
| Database records | ✓ Yes | Digital by nature |
| Scanned documents | ✓ Yes | Digitised upon scanning |
| Digital photographs | ✓ Yes | Digital form from capture |
| Email contents | ✓ Yes | Born digital |
| Paper files (not scanned) | ✗ No | Not in digital form |
| Handwritten notes | ✗ No | Not in digital form |
| Analogue audio/video tapes | ✗ No | Analogue format |
🛡️ Section 17: Exemptions
Section 17 creates a framework of exemptions that exclude certain processing activities from some or all DPDPA obligations. These exemptions are not absolute—the Central Government must balance necessity against data protection rights, and courts will scrutinize exemptions against Puttaswamy's proportionality test.
(a) which is necessary for enforcing any legal right or claim;
(b) by any court or tribunal or any other body in India which performs any judicial or quasi-judicial function;
(c) for prevention, detection, investigation and prosecution of offences..."
Exemption Categories Overview
Legal Rights Enforcement
§17(1)(a)Processing necessary for enforcing any legal right or claim. Covers litigation support, debt recovery, contractual enforcement.
- Evidence collection for legal proceedings
- Debt recovery data processing
- Insurance claim investigations
- IP enforcement activities
Judicial Functions
§17(1)(b)Processing by courts, tribunals, or bodies performing judicial/quasi-judicial functions.
- Court case management systems
- Tribunal records and proceedings
- Quasi-judicial regulatory bodies
- Arbitration proceedings
Law Enforcement
§17(1)(c)Prevention, detection, investigation, and prosecution of offences—contravention of any law.
- Criminal investigations
- Regulatory enforcement
- Financial crime detection
- Cybercrime investigation
Foreign Processing
§17(1)(d)Processing by foreign entities under contract with Indian entities, subject to specified conditions.
- Outsourced data processing
- Cross-border data services
- International BPO operations
- Cloud service providers abroad
Approved Mergers
§17(1)(e)Processing necessary for mergers, acquisitions, or restructuring approved by courts or competent authorities.
- Due diligence data rooms
- Post-merger integration
- Asset transfer documentation
- NCLT-approved schemes
Default Detection
§17(1)(f)Processing reasonably necessary to identify defaulters and their financial assets.
- Credit bureau operations
- Willful defaulter identification
- Asset tracing for recovery
- Fraud detection systems
🔒 The State Security Exemption: Section 17(2)
(a) in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order; or
(b) for preventing incitement to any cognizable offence relating to sovereignty or integrity of India, the security of the State, or public order."
Section 17(2) is the most constitutionally sensitive provision in DPDPA. It empowers the Central Government to exempt processing from the entire Act for national security and public order reasons—potentially creating a "black hole" where data protection rights cease to exist.
The Section 17(2) exemption raises serious constitutional concerns:
- Breadth: "Security of the State" is undefined—potentially covering any government processing
- Notification Power: Executive can exempt agencies without Parliamentary oversight
- No Proportionality Requirement: No explicit balancing test in the statute
- No Judicial Review: No provision for independent oversight of exemption notifications
- Blanket Nature: Can exempt from "provisions of this Act"—potentially the entire framework
The Puttaswamy Proportionality Test
Any Section 17(2) notification will be tested against the four-pronged proportionality standard from K.S. Puttaswamy v Union of India (2017):
Legality
The restriction must be backed by existing law. Section 17(2) provides the statutory basis, but the notification must comply with the enabling provision and not exceed its scope.
Legitimate Aim
Must pursue a legitimate state aim. Sovereignty, security of state, public order are recognized grounds under Article 19(2)-(6), but the claimed aim must be genuine and not pretextual.
Necessity
The exemption must be necessary—not merely convenient—for achieving the aim. Are less restrictive alternatives available? Why is complete exemption needed rather than procedural safeguards?
Proportionality Stricto Sensu
Even if necessary, the measure must not impose disproportionate burden on privacy rights relative to the benefit achieved. A complete exemption for minor security concerns would fail this test.
The Supreme Court held that telephone tapping under the Telegraph Act must follow procedures established by law, and such procedures must be fair, just, and reasonable. The Court read in safeguards including judicial oversight, necessity requirement, and time limits. This precedent suggests courts may read procedural safeguards into Section 17(2) exemptions.
Citation: (1997) 1 SCC 301
Section 17(3): Instrumentality Exemption
Section 17(3) allows blanket exemption of entire government agencies ("instrumentalities of the State")—an even broader power than Section 17(2)'s activity-based exemption. An exempted agency would operate entirely outside DPDPA's framework.
Section 17(3) raises the spectre of selective non-application of fundamental rights. If an agency is exempted, individuals have no statutory remedy for privacy violations by that agency. They would need to invoke Article 21 directly in writ jurisdiction—a more expensive, slower, and uncertain path.
The constitutionality of blanket agency exemptions will likely be tested against:
- Article 14: Is the classification (exempted vs. non-exempted agencies) reasonable?
- Article 21: Does complete exemption pass the Puttaswamy proportionality test?
- Article 19(1)(a): For data relating to speech/expression, is exemption a reasonable restriction?
📋 Other Important Exemptions
Section 17(4): Research & Statistics
This exemption recognizes the public interest in research and statistics while acknowledging that strict consent requirements could impede valuable research. However, the exemption is conditional—the notification must specify that processing is for research/archiving/statistical purposes, and presumably only to the extent necessary for those purposes.
Even if exempted, research entities should adopt ethical data practices:
- Ethics committee approval for human subjects research
- Data minimisation—collect only what's necessary
- Pseudonymisation or anonymisation where possible
- Secure storage and access controls
- Clear retention limits aligned with research timelines
Section 17(5): Startups & Small Entities
This provision enables calibrated regulation based on organizational size and processing volume—potentially exempting small businesses, startups, or specific processing purposes from certain DPDPA requirements. This reflects the scalability principle seen in other regulations like GDPR's SME provisions.
Until the Central Government issues notifications under Section 17(5), all data fiduciaries—regardless of size—must comply with full DPDPA requirements. Advise startup clients to:
- Implement baseline compliance now rather than wait for exemptions
- Document processing activities to demonstrate "volume and nature" if exemptions are issued
- Monitor regulatory developments for exemption notifications
- Design systems for "privacy by default" to minimize future compliance burden
Exemption Summary Table
| Section | Exemption Type | Scope of Exemption | Notification Required? |
|---|---|---|---|
| §17(1)(a) | Legal Rights Enforcement | Self-executing for necessary processing | No |
| §17(1)(b) | Judicial Functions | Courts, tribunals, quasi-judicial bodies | No |
| §17(1)(c) | Law Enforcement | Offence prevention, detection, prosecution | No |
| §17(1)(d) | Foreign Contracts | Processing abroad under Indian contracts | Conditions apply |
| §17(1)(e) | Mergers/Restructuring | Court/authority approved transactions | No |
| §17(1)(f) | Default Detection | Identifying defaulters and assets | No |
| §17(2) | State Security | Sovereignty, security, public order | Yes—Central Government |
| §17(3) | Instrumentalities | Entire agencies can be exempted | Yes—Central Government |
| §17(4) | Research/Statistics | Research, archiving, statistical purposes | Yes—Central Government |
| §17(5) | Small Entities | Based on volume/nature of processing | Yes—Central Government |
📜 Constitutional Analysis of Exemptions
DPDPA's exemption framework will inevitably face constitutional scrutiny. Understanding the analytical framework prepares practitioners to challenge or defend exemptions in court.
Article 14: Right to Equality
The classification of "exempted" vs. "non-exempted" processing must satisfy the traditional two-pronged test:
- Intelligible Differentia: Is there a clear basis for distinguishing exempted processing?
- Rational Nexus: Does the classification bear rational connection to the legislative objective?
Additionally, under Navtej Singh Johar v Union of India (2018), the Court may apply heightened scrutiny if the exemption disproportionately affects vulnerable groups.
The majority adopted "manifest arbitrariness" as a ground for striking down legislation under Article 14. A law is manifestly arbitrary if it is "capricious, irrational, or without adequate determining principle." Section 17(2)'s broad language—"security of the State"—without any criteria or procedural safeguards may be vulnerable to this challenge.
Citation: (2017) 9 SCC 1
Article 21: Right to Privacy
Post-Puttaswamy, any statutory exemption from privacy protection must pass the four-pronged proportionality test. Key arguments against exemptions:
- Over-breadth: Complete exemption exceeds what's necessary for legitimate aims
- Under-inclusion of Safeguards: No procedural protections against misuse
- Lack of Proportionality: Benefits to security don't outweigh privacy harms
- No Sunset Clause: Exemptions could continue indefinitely without review
Article 19(1)(a): Freedom of Expression
Data protection and free expression are intertwined—surveillance chills speech. Where exemptions enable government monitoring of communications, they must satisfy Article 19(2)'s "reasonable restriction" standard for grounds like security of State or public order.
Challenging Section 17(2)/(3) Notifications:
- Identify specific notification exempting processing/agency
- Establish locus standi (affected individual or public interest)
- Frame issue as Article 14/21 violation
- Apply Puttaswamy proportionality test to specific exemption
- Seek reading down of blanket exemptions to include procedural safeguards
- Request court to read in requirements like: necessity determination, independent oversight, time limits, audit requirements
🌐 Global Comparison: Scope & Exemptions
How does DPDPA's scope compare with global frameworks? Understanding these differences aids practitioners advising multinational clients.
| Aspect | DPDPA (India) | GDPR (EU) | CCPA (California) |
|---|---|---|---|
| Territorial Scope | India + extraterritorial for "offering" to Indians | EU + offering/monitoring EU residents | California + doing business with CA residents |
| Monitoring Trigger | ❌ Not included | ✓ Art. 3(2)(b) includes monitoring | ❌ Not explicit |
| Material Scope | Digital data only | Digital + structured manual files | Electronic + paper records |
| Personal/Domestic Exemption | ✓ Yes (§3(3)(a)) | ✓ Yes (Art. 2(2)(c)) | ✓ Yes (implied) |
| National Security Exemption | Broad—§17(2)/(3) via notification | Narrow—Art. 2(2) excludes Member State security | Limited—government agencies exempt |
| SME Exemption | Possible via §17(5) notification | Limited reliefs (records, DPO) | Revenue/data volume thresholds |
| Historical Records | 100+ years exempted | Archive exemptions for research | No specific provision |
GDPR: Rights-based framework—exemptions are narrow, specific, and subject to proportionality principle embedded in the text itself (Art. 5(1)(c), Recital 4).
CCPA: Consumer protection focus—exemptions carved around business models and transaction types, with revenue-based thresholds.
DPDPA: Balancing act—broad exemption powers delegated to executive, reflecting India's national security priorities and developing regulatory capacity. The philosophy seems to be: establish framework now, calibrate through notifications later.
⚖️ Practice Notes: Advising on Applicability
Client Intake Checklist: Is DPDPA Applicable?
Is it Personal Data?
Can a natural person be identified from the data, directly or indirectly? If data is about legal entities only, or is properly anonymised → DPDPA does not apply.
Is it in Digital Form?
Is the data electronic/digital, or has offline data been digitised? Purely paper records → DPDPA does not apply.
Is There Processing?
Is there collection, storage, use, disclosure, or any automated operation? Mere passive possession without any operations may be debatable.
Territorial Nexus?
Is processing in India, OR is entity offering goods/services to Data Principals in India? No nexus → DPDPA does not apply.
Any Exemption?
Does personal/domestic purpose, 100-year rule, or Section 17 exemption apply? If yes → Full or partial exemption may be available.
Practical Scenarios
Facts: A Delaware-incorporated company operates an e-commerce website. It ships products worldwide, accepts Rupees, and has Hindi language option. 15% of customers are in India.
Analysis: DPDPA applies under §3(2)—company is "offering goods" to Data Principals in India. Evidence: Hindi language, Rupee pricing, Indian shipping, significant Indian customer base.
Advice: Full DPDPA compliance required for Indian customer data. Consider appointing representative in India if required under Rules.
Facts: A detective agency collects personal information about individuals for matrimonial investigations, suspected fraud, and debt recovery. Clients include banks and individuals.
Analysis: Multiple exemptions may apply:
- §17(1)(a): Legal rights enforcement (debt recovery, fraud investigation)
- §17(1)(f): Default detection for banks
However, matrimonial investigations may not fit any exemption.
Advice: Segment processing by purpose. Maintain separate records for exempted vs. non-exempted activities. For non-exempted work, full compliance including consent, notice, security required.
Facts: A 50-bed hospital maintains patient records—some in handwritten registers (1990s patients), some in Excel sheets (2010s), some in hospital management software (current).
Analysis:
- Handwritten registers: Outside DPDPA (not digital)
- Excel sheets: Within DPDPA (digitised)
- HMS database: Within DPDPA (digital collection)
Advice: Implement DPDPA compliance for all digital records. If handwritten records are scanned/digitised for archival, they enter DPDPA scope at that point. Consider legitimate use exemptions for treatment purposes.
Documentation Templates
When advising on applicability and exemptions, maintain clear documentation:
- Applicability Assessment Memo: Analysis of each scope element for client
- Exemption Claim Record: Which exemptions claimed, basis, limitations
- Processing Activity Register: Map activities to exempted/non-exempted categories
- Jurisdictional Analysis: For multinational clients, identify applicable laws per jurisdiction
- Exemption Watch List: Track Central Government notifications for client-relevant exemptions
📌 Key Takeaways
- Digital Threshold: DPDPA applies only to digital personal data—purely offline records are excluded until digitised
- Territorial Reach: Intra-territorial (processing in India) + extraterritorial (offering goods/services to Indians)
- No Monitoring Trigger: Unlike GDPR, mere monitoring of Indians without offering doesn't trigger DPDPA
- Self-Executing Exemptions: §17(1) exemptions apply automatically when conditions are met
- Notification-Based Exemptions: §17(2)-(5) require Central Government notification
- Constitutional Vulnerability: Blanket security exemptions will face Puttaswamy proportionality scrutiny
- Practical Approach: Segment processing activities, document exemption claims, monitor notifications