India’s Digital Personal Data Protection Act, 2023 (DPDPA), imposes uniform data protection obligations across sectors, significantly affecting healthcare, pharma, and biotech firms due to their use of sensitive personal data. Section 17(2)(b) provides limited exemptions for “research, archiving, or statistical purposes,” which some stakeholders interpret as broad immunity. This article challenges that view, arguing that Indian policy generally restricts exemptions for private, profit-driven research unless a clear public interest is demonstrated. Drawing on parallels with the GDPR, it concludes that the exemption will likely be narrowly construed, and the forthcoming DPDPA Rules are unlikely to support a wide carve-out.
ABOUT THE AUTHOR
Aman Verma
Aman Verma is the Manager – Legal & Regulatory Affairs at K&S Digiprotect. His area of work spans across helping data fiduciaries with data privacy compliances to handling regulatory affairs under telecom, media, and technology law areas.
- aman@knsdigiprotect.com
