Can DPDPA’s Research Exemption Power Private Sector Breakthroughs?
October 01, 2025 | Wednesday | Views
India’s Digital Personal Data Protection Act, 2023 (DPDPA), imposes uniform data protection obligations across sectors, significantly affecting healthcare, pharma, and biotech firms due to their use of sensitive personal data. Section 17(2)(b) provides limited exemptions for “research, archiving, or statistical purposes,” which some stakeholders interpret as broad immunity. This article challenges that view, arguing that Indian policy generally restricts exemptions for private, profit-driven research unless a clear public interest is demonstrated. Drawing on parallels with the GDPR, it concludes that the exemption will likely be narrowly construed, and the forthcoming DPDPA Rules are unlikely to support a wide carve-out.
image credit- shutterstock
The Digital Personal Data Protection Act, 2023 (DPDPA) is a law that primarily affects and benefits people and organisations that deal with personal data. From tech giants to hospitals, from law firms to educational boards, the law places clear obligations on all those processing personal data. Healthcare, pharma, and biotech companies are no exception. While much attention has been drawn to how social media companies are affected, the impact on healthcare, pharma, and biotech sectors has not been adequately analysed.
Many such companies believe that the research exemption under Section 17(2)(b) of the DPDPA will save them from onerous compliance. But that belief may be flawed. In this article, we explain why.
The regulatory intent behind Sec. 17(2)(b) of DPDPA
Section 17(2)(b) allows personal data use for research, archiving, or statistics, if not tied to individuals and done per government norms.
It reads as:
- ‘(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.’
The “standards as may be prescribed” have not yet been prescribed, which means the exemption is not yet live. The rules for the DPDPA will propose standards and give other clarifications regarding the clause.
The direction of India’s public policy
To understand how this exemption might play out, we can learn from Indian laws like the Biological Diversity Act, 2002. This law allows for non-commercial research using any biological resource obtained from India with approval from the Biodiversity Authority of India. It is expected that the DPDPA Rules also propose exemptions only for non-commercial research or research undertaken in the public interest and not private research.
Government data policies, including DPDPA, have shown a pattern of protecting public functions while regulating private ones. For example, many government functions, like issuing birth certificates or public services, are exempt under the DPDPA. In line with this approach, the government will likely protect public research such as that conducted by The Indian Council of Medical Research (ICMR), Census of India, Indian Statistical Institute, or All India Institute of Medical Sciences (AIIMS), but not private research done for commercial gain.
Some examples wherein research undertaken in public interest will in all likelihood fall within the exemption of DPDPA are–
- On July 17, 2025, the Gujarat Government launched a tribal genome sequencing project titled “Creation of Reference Genome Database for Tribal Population in Gujarat,” which is being implemented by the Gujarat Biotechnology Research Centre under the aegis of the Gujarat Tribal Development Ministry. In this project, the government will sequence the genomes of nearly 2000 tribal individuals to identify genetic health risks.
- On July 6, 2025, the Ministry of Science and Technology launched the ‘National Biobank’, where clinical data of more than 10,000 individuals will be stored and researched. The purpose of this will be to aid early diagnosis, improve therapeutic targeting, and bolster the fight against complex diseases such as diabetes, cancer, cardiovascular ailments, and rare genetic disorders.
Why may private research not qualify?
Many companies hope their research will fall under the exemption in Section 17(2)(b) of the DPDPA. But in reality, most commercial research is unlikely to meet the standard. The law only allows exemptions when data is used strictly for “research, archiving, or statistical purposes” and never when it influences decisions about individuals. In practice, much of the work done in healthcare, pharma, and biotech — such as clinical trials, personalised medicine, drug development, or market analysis is tied to commercial goals and business decisions. That makes it hard to separate from “pure research” as the law intends.
The real test lies in distinguishing archiving for the public interest from keeping records for business or legal reasons. Companies often call it “archiving” when they send old files to storage or shift data out of active systems. But under the law, archiving means preserving material that has genuine and lasting public value. If records are kept only to serve current business needs or for legal compliance, they don’t count as archiving in the public interest and therefore don’t qualify for the exemption.
Comparison with GDPR
India’s DPDPA has some similarities with the EU’s General Data Protection Regulation (GDPR), but even under the GDPR, private research is not exempt by default. Article 89 of the GDPR permits limited relaxations for research, archiving, and statistical use but only under strict conditions, including data minimisation, pseudonymisation, and a clear restriction on using the data for unrelated purposes. Crucially, commercial research is not granted blanket immunity.
What is covered in GDPR?
The General Data Protection Regulation (GDPR) recognises the tension between privacy and research. Like the DPDPA, it allows exemptions for processing personal data for archiving, scientific or historical research, and statistical purposes. These are not blanket exemptions; they apply only when research serves the public interest and includes safeguards such as anonymisation, pseudonymisation, and ensuring results are not used to make individual decisions (Article 89, GDPR).
The risks of overreaching are illustrated by Iceland’s “deCODE” controversy. In the late 1990s, Iceland sought to build a central health database combining medical, genetic, and genealogical records, licensed to a private company on a “presumed consent” basis. While promising advances, it drew criticism for undermining privacy. In 2003, the Icelandic Supreme Court held that the daughter of a deceased man could object to his data being included, as it might reveal her own information.
The case highlights that even under public interest grounds, research cannot override fundamental rights. GDPR’s research exemptions thus demand a careful balance between innovation and the individual’s right to dignity, autonomy, and control of data.
Recommendation
The life sciences industry should approach the DPDPA as an enabler of responsible innovation. Core principles such as informed consent, data minimisation, secure storage, and employee training must be embedded into operations, not merely to satisfy legal requirements, but to strengthen public confidence. Rather than relying on exemptions, companies should actively collaborate with policymakers to frame clear and balanced rules.
It is equally important to note that the research exemption under Section 17(2)(b) is limited in scope and contingent on future government standards. Until such clarity emerges, healthcare, pharmaceutical, and biotechnology firms must prioritise comprehensive compliance over attempts at circumvention.
Authors-
Dr Goutam Bhattacharyya, Senior Partner, K&S Partners IP Attorneys; and Aman Varma, Sr. Manager – Legal & Regulatory Affairs, K&S Digiprotect Services Pvt. Ltd
