Specific processing and general exemptions under the Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (“DPDPA”) includes guidelines for processing personal data with special considerations for minors and general exemptions to certain types of processing. In the seventh instalment of the Prism series, we will delve into these specific processing provisions and also understand the exemptions given under the DPDPA for certain types of processing and classes of fiduciaries. In the latter section of the Prism, we examine how major data protection laws, such as the General Data Protection Regulation (“GDPR”), California Consumer Protection Act (“CCPA”), and Singapore’s Personal Data Protection Act (“PDPA”), address similar provisions, comparing their approaches to specific personal data processing requirements and general exemptions in order to highlight the nuances and potential implications for organisations navigating these regulatory landscapes.
Specific processing: Data relating to children and persons with disabilities
DPDPA lays out specific guidelines for the processing of personal data related to children and individuals with disabilities, who are under the care of a lawful guardian. These provisions emphasise the protection of vulnerable groups from potential misuse of their data.
- Verifiable consent requirement: Before processing any personal data of a child (below 18 (eighteen) years of age) or of a person with disability under a lawful guardian, verifiable consent of the parent or guardian must be obtained. This ensures that only authorised adults may give permission for data processing in these cases, thereby safeguarding the privacy of children and vulnerable individuals.
- The expression, ‘consent of the parent’ includes the consent of lawful guardian, wherever applicable.
- The Rights of Persons with Disabilities Act, 2016 defines ‘Person with disability’ as a person with long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders his full and effective participation in society equally with others.
- Protection of well-being: Data fiduciaries are expressly forbidden from processing personal data in a manner that could have a detrimental effect on the well-being of the child. This clause prioritises the physical and mental welfare of minors, ensuring that harmful data practices do not negatively impact them.
- Prohibition on tracking, monitoring, and targeted advertising: Data fiduciaries are prohibited from tracking, conducting behavioural monitoring, or serving targeted advertising towards children. This addresses concerns about digital surveillance and manipulative advertising that can exploit children’s vulnerable and impressionable minds.
- Digital surveillance involves the tracking of users’ online activities to gather personal data, often without explicit consent, while manipulative advertising uses this data to influence consumer behavior in subtle or exploitative ways.
- Tracking refers to the practice of collecting information about users’ activities across websites, apps, or online services over time. This can include details like browsing history, location, and interactions, often done through cookies or other tracking technologies.
- Behavioral monitoring involves analysing the patterns of a user’s behavior such as their clicks, searches, or time spent on certain content to build a profile or predict future actions. For children, this can raise privacy concerns, as it allows for detailed surveillance of their online habits.
- Targeted advertising uses collected data to deliver advertisements specifically tailored to an individual’s preference or behavior. When applied to children, this can be manipulative, as it takes advantage of their undeveloped ability to critically assess marketing tactics, increasing the risk of exploitation.
- Exemptions for specific classes of data fiduciaries for processing data of a child or individuals with disability: The Central Government has the authority to exempt certain classes of data fiduciaries from adhering to the provisions regarding obtaining verifiable consent and avoiding tracking or targeted advertising. These exemptions would be made only under prescribed conditions or for specific purposes, ensuring flexibility for legitimate processing needs, while still protecting children’s rights.
- Age-based exemptions for safe processing: If a data fiduciary demonstrates that its data processing practices regarding children’s data are verifiably safe, the Central Government may permit the data fiduciary to process data of individuals above a specific age without the necessity of obtaining consent or avoiding tracking.
General exemptions
Exemptions applicable to certain types of data processing
DPDPA provides for exemptions where certain data processing requirements do not apply.
Section 17 of DPDPA states that the provisions of the Act mentioned above do not apply under certain conditions. Here is a detailed breakdown of the processing activities that are exempted from the above provisions:
- Legal and judicial exemptions: DPDPA provides the exemptions listed above for processing in circumstances where it is necessary for enforcing any legal right or claim. Additionally, personal data processing by any court, tribunal, or regulatory body that is entrusted by law with performing judicial, quasi-judicial, or supervisory functions is exempted. This ensures that these bodies can perform their functions effectively.
- Prevention, detection, and investigation of offences: DPDPA allows exemptions listed above for data processing that is necessary for the prevention, detection, investigation, or prosecution of offences or contraventions of laws in India. This exemption is crucial for law enforcement agencies to carry out their duties efficiently without needing to navigate through consent-based data processing regulations, which may otherwise delay the timely investigation and prosecution of crimes.
- Corporate restructuring: DPDPA allows exemptions for data processing necessary for corporate restructuring activities, including mergers, amalgamations, demergers, and other forms of restructuring approved by courts or competent authorities. These processes often involve large volumes of sensitive data, and DPDPA recognises the practical necessity of processing this data without restrictive consent obligations.
- Outsourcing contracts: DPDPA states that the processing of personal data of data principals who are not within the territory of India is exempted from the above-mentioned provisions, as long as the processing is conducted pursuant to a contract with a foreign entity.
This provision stipulates that when an Indian entity processes the personal data of individuals located outside India under a contract with someone outside India, it must comply only with Sections 8(1) and (5). Essentially, this means that, irrespective of any agreement to the contrary, the fiduciary must ensure compliance with the Act for any processing, including that performed by a data processor on its behalf (as per Section 8(1)), and must take reasonable security safeguards to prevent data breaches (as required by Section 8(5)).
- Loan defaults: Exemptions are also provided when personal data is processed to ascertain the financial information and assets and liabilities of a person who has defaulted on loans or advances from financial institutions. This provision aligns with the Insolvency and Bankruptcy Code, 2016 and enables financial institutions to assess the financial status of defaulters. In such cases, stringent data processing requirements are relaxed, allowing financial institutions to take necessary action for recovery of dues.
- For the purposes of this clause, the expressions ‘default’ and ‘financial institution’ will have the meaning respectively assigned to them in sub-sections (12) and (14) of Section 3 of the Insolvency and Bankruptcy Code, 2016.
- ‘Default’ means, non-payment of debt when whole or any part or instalment of the amount of debt has become due and payable and is not repaid by the debtor.
- ‘Financial Institution’ means a scheduled bank, financial institution as defined by the Reserve Bank of India Act, 1934, public financial institutions defined by the Companies Act, 2013 and such other institutions as the central government may by notification specify as financial institution.
Exemption for Research, archiving, and statistical purposes:
Personal data processing for research, archiving, or statistical purposes is also exempt from the provisions of the DPDPA, provided that the data is not used to make decisions specific to any individual and complies with prescribed standards. This provision acknowledges the importance of data for academic and policy-making endeavours, facilitating research without imposing excessive data protection barriers.
Exemptions by class of fiduciaries:
DPDPA provides exemptions for specific classes of fiduciaries, including startups and state entities. These exemptions reduce compliance burdens for certain organisations while maintaining core data protection standards.
Startups:
DPDPA empowers the Central Government to declare that specific provisions of the DPDPA will not apply to certain classes of data fiduciaries for a specified period. This power enables the Government to exempt certain entities from the provisions of DPDPA based on the volume and nature of the personal data they process. This includes startups, which may be given exemptions from Section 5 (notice for data processing), Section 8(3) and (7) (data accuracy and erasure), Sections 10 and 11 (significant fiduciary obligations and right to access information), to promote innovation and growth in their early stages.
This approach fosters a favourable environment for startups while ensuring that they remain compliant with the broader objectives of the DPDPA. Startups can thereby operate with reduced regulatory burden during their initial growth phases, encouraging innovation while gradually moving toward full compliance as they scale.
A ‘startup’ refers to a private limited company, partnership firm, or limited liability partnership established in India that is not older than 10 (ten) years, has an annual turnover of less than INR 100,00,00,000 (Indian Rupees one hundred crore), and is focused on innovation or scalable business models. It must also receive recognition under the guidelines defined by the Department for Promotion of Industry and Internal Trade.
State entities:
States or any instrumentalities of the State are provided exemptions from the provisions of Section 8(7) (erasure) and Section 12(3) (right to erasure) of the DPDPA and, where such processing is for a purpose that does not include making of a decision that affects the data principal, Section 12(2) (right to correction) is also exempted. This ensures that administrative functions of the State are carried out efficiently without violating privacy standards.
DPDPA exempts processing by States or any instrumentalities of the State notified by the Central Government from the provisions of the DPDPA when such processing is essential for the sovereignty and integrity of India, national security, friendly relations with foreign nations, maintenance of public order, or preventing incitement to cognizable offenses.
- The Central Government may, within 5 (five) years of the commencement of DPDPA, issue a notification to exempt certain provisions of DPDPA from applying to specified data fiduciaries or classes of data fiduciaries for a designated period.
- Moreover, the DPDPA also recognises that the States or any instrumentalities of the State often need to process personal data for the delivery of services and benefits to citizens. Under the DPDPA, a data fiduciary may process the personal data of a data principal when the State is providing subsidies, benefits, services, certificates, licenses, or permits. For instance, when an individual consents to provide data for maternity benefits, as is illustrated in Section 7(b) of DPDPA, the Government can continue to use this data for other related services, such as health or social benefits, without needing fresh consent each time. This provision allows government welfare programs to function without unnecessary administrative hurdles, ensuring that personal data already collected can be utilised across different services efficiently. In essence, this provision complements the exemptions under DPDPA by enabling smoother governmental operations where data is already consented for or maintained by state bodies.
Comparison with Global Data Protection Laws
The special provisions and exemptions under the DPDPA align with international data protection laws on certain aspects and exhibit differences in others. Below is a comparative analysis of these provisions alongside the GDPR (European Union), CCPA (California), and PDPA (Singapore):
Concept | DPDPA | GDPR | CCPA | PDPA |
--- | --- | --- | --- | --- |
Legal rights or claims | Provides for an exemption when processing is necessary to enforce a legal right or claim. | Retaining data for the purpose of the establishment, exercise, or defence of legal claims, or for compliance with legal obligations, is exempt from the right to erasure, right to restriction of processing, and other such rights of the data subject. | Exempts personal data processing for compliance with legal obligations from the CCPA’s provisions on the right to deletion. | PDPA does not affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege. |
Law enforcement and crime prevention | Provides an exemption for the processing of personal data for the purposes of preventing, detecting, investigating, or prosecuting violations of law. | Allows for the processing of personal data relating to prevention and detection of crime, convictions and offences or related security measures, but only under the control of official authority or when authorised by union or member state law providing for appropriate safeguards for the rights and freedom of data subjects as provided under European Union law enforcement directive. | No specific exemption provided for. | No specific exemption provided for. |
Corporate restructuring | Exempts processing when it is required for the legal approval of the company mergers, acquisitions, demergers, or restructuring by a court or relevant authority. | No specific mention of corporate restructuring being exempted. | Sale or merger triggers consumer rights if the third party materially alters personal information during the course of such transaction; however, there is no mention of such transactions being exempted from certain provisions relating to data processing. | No specific mention of corporate restructuring as an exemption. |
Loan defaults | Provides for exemption to processing when the purpose is for ascertaining financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution. | There is no specific mention that loan defaults or the collection of financial information are exempted. | There is no specific mention that loan defaults or the collection of financial information are exempted. | There is no specific mention that loan defaults or the collection of financial information are exempted. |
Startups and State entities | Exempts certain startups from specific provisions as notified by the Central Government, based on the volume and nature of data processed. | No specific exemption for startups or state entities. | No specific exemption for startups or state entities. | No specific exemption for startups or state entities. |
Children’s data protection | Verifiable parental consent required for children under 18 (eighteen) years; no tracking or behavioural monitoring. DPDPA further prohibits tracking/targeted advertising for children. | Where the child is below the age of 16 (sixteen) years, processing will be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. | While the CCPA doesn’t have special provisions for children’s data, COPPA (Children’s Online Privacy Protection Act of 1998) does require verifiable parental consent before collecting, using, or disclosing personal information from children under the age of 13 (thirteen) years. | PDPC states that children aged between 13 (thirteen) and 17 (seventeen) years are allowed to give valid consent if the data policies are clear and understandable to them, including the consequences of providing and withdrawing consent. However, if the organisation believes the child lacks sufficient understanding, consent should be obtained from the child’s parent or guardian. |
This Prism has been prepared by:
Akshaya Suresh
Drishya A. Kamath