CHAPTER VIII
EXEMPTIONS
35.Power of Central Government to exempt any agency of Government from application of Act
Where the Central Government
is satisfied that it is necessary or expedient,—
(i) in the interest of sovereignty and integrity of India, the security
of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable
offence relating to sovereignty and integrity of India, the security of
the State, friendly relations with foreign States, public order,
it may, by order, for reasons to be recorded in writing, direct that all
or any of the provisions of this Act shall not apply to any agency of
the Government in respect of processing of such personal data, as may be
specified in the order subject to such procedure, safeguards and
oversight mechanism to be followed by the agency, as may be prescribed.
Explanation.—For the purposes of this section,—
(i) the term "cognizable offence" means the offence as defined in clause
(c) of section 2 of the Code of Criminal Procedure, 1973;
(ii) the expression "processing of such personal data" includes sharing
by or sharing with such agency of the Government by any data fiduciary,
data processor or data principal.
36.Exemption of certain provisions for certain processing of personal
data.
The provisions of Chapter II except section 4, Chapters III to V,
Chapter VI except section 24, and Chapter VII shall not apply where—
(a) personal data is processed in the interests of prevention,
detection, investigation and prosecution of any offence or any other
contravention of any law for the time being in force;
(b) disclosure of personal data is necessary for enforcing any legal
right or claim, seeking any relief, defending any charge, opposing any
claim, or obtaining any legal advice from an advocate in any impending
legal proceeding;
(c) processing of personal data by any court or tribunal in India is
necessary for
the exercise of any judicial function;
(d) personal data is processed by a natural person for any personal or
domestic purpose, except where such processing involves disclosure to
the public, or is undertaken in connection with any professional or
commercial activity; or
(e) processing of personal data is necessary for or relevant to a
journalistic purpose, by any person and is in compliance with any code
of ethics issued by the
Press Council of India, or by any media self-regulatory organisation.
37. Power of Central Government to exempt certain data processors.
The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.
38.Exemption for research, archiving or statistical purposes.
Where the processing of personal data is necessary for research,
archiving, or statistical purposes, and the Authority is satisfied that—
(a) the compliance with the provisions of this Act shall
disproportionately divert resources from such purpose;
(b) the purposes of processing cannot be achieved if the personal data
is anonymised;
(c) the data fiduciary has carried out de-identification in accordance
with the code of practice specified under section 50 and the purpose of
processing can be achieved if the personal data is in de-identified
form;
(d) the personal data shall not be used to take any decision specific to
or action directed to the data principal; and
(e) the personal data shall not be processed in the manner that gives
rise to a risk of significant harm to the data principal,
it may, by notification, exempt such class of research, archiving, or
statistical purposes from the application of any of the provisions of
this Act as may be specified by regulations.
39. Exemption for manual processing by small entities
(1) The provisions of sections 7, 8, 9, clause (c) of sub-section (1) of
section 17 and sections 19 to 32 shall not apply where the processing of
personal data by a small entity is not automated.
(2) For the purposes of sub-section (1), a "small entity" means such
data fiduciary as
may be classified, by regulations, by Authority, having regard to—
(a) the turnover of data fiduciary in the preceding financial year;
(b) the purpose of collection of personal data for disclosure to any
other individuals or entities; and
(c) the volume of personal
data processed by such data fiduciary in any one day
in the preceding twelve calendar months.
40. Sandbox for encouraging innovation, etc.
(1) The Authority shall, for the purposes of encouraging innovation in
artificial intelligence, machine-learning or any other emerging
technology in public interest, create a Sandbox.
(2) Any data fiduciary whose privacy by design policy is certified by
the Authority under sub-section (3) of section 22 shall be eligible to
apply, in such manner as may be specified by regulations, for inclusion
in the Sandbox created under sub-section (1).
(3) Any data fiduciary applying for inclusion in the Sandbox under
sub-section (2)
shall furnish the following information, namely:—
(a) the term for which it seeks to utilise the benefits of Sandbox,
provided that such term shall not exceed twelve months;
(b) the innovative use of technology and its beneficial uses;
(c) the data principals or categories of data principals participating
under the proposed processing; and
(d) any other information as may be specified by regulations.
(4) The Authority shall, while including any data fiduciary in the
Sandbox, specify—
(a) the term of the inclusion in the Sandbox, which
may be renewed not more
than twice, subject to a total period of thirty-six months;
(b) the safeguards including terms and conditions in view of the
obligations under clause (c) including the requirement of consent of
data principals participating under any licensed activity, compensation
to such data principals and penalties in relation to such safeguards;
and
(c) that the following obligations shall not apply or apply with
modified form to such data fiduciary, namely:—
(i) the obligation to specify clear and specific purposes under sections
4 and 5;
(ii) limitation on collection of personal data under section 6; and
(iii) any other obligation to the extent, it is directly depending on
the obligations under sections 5 and 6; and
(iv) the restriction on retention of personal data under section 9.