Government power to exempt any agency from DPDPA obligations in the interest of national security and sovereignty.
Under DPDPA Section 17(1), the Central Government may by notification exempt any Government agency from all provisions of the Act in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintenance of public order, or prevention of incitement to any offence. This is a broad executive power that can override all DPDPA protections for designated agencies. The exemption extends to the agency's data processing activities entirely.
While this exemption primarily affects government intelligence and security agencies, private companies can be directed to share data with exempt agencies. Understanding this helps you build compliant data sharing mechanisms for lawful government requests.
An intelligence agency exempted under Section 17(1) requests user data from a Bengaluru social media startup. The startup must comply with lawful requests while ensuring: the request comes from a legitimately exempt entity, it is documented for audit trail purposes, and minimum necessary data is shared.
The national security exemption only applies to Government agencies specifically notified by the Central Government — not to private companies working on government contracts. A defence contractor is still fully subject to DPDPA.