Introduction
The Digital Personal Data Protection Act, 2023 (“Act”), marked a pivotal development in India’s framework for data protection by addressing the longstanding need for safeguarding personal information, data protection, and data handling.
The recently released Draft Digital Personal Data Protection Rules, 2025 (“Rules”), aim to clarify the provisions, processes, and implementation of the Act. The Act seeks to safeguard the various rights of individuals (“Data Principal”) over their personal data while simultaneously enabling lawful data processing required by entities (“Data Fiduciaries”) for economic and governance practices in the digital age. It strikes this balance by imposing stringent obligations on Data Fiduciaries to protect these rights. Yet, the Act carves out key exemptions from performing obligations as it recognises the specific circumstances necessitating access to personal data.[1] One such circumstance is the practice of internal investigations.
An internal investigation is a formal inquiry into an organisation’s operations to identify and address possible wrongdoing and acts of behavioural or financial misconduct. Such investigations require seamless access to data to complete the fact-finding process. The data collected for such investigations may also include personal data, which makes it possible to identify the individuals or parties involved, establish facts, and ensure accountability.
This article examines the interplay between the obligations upon Data Fiduciaries and the possibility of extending the exemption under Section 17(1)(c) of the Act to internal investigations. It also provides a comparative analysis with the General Data Protection Regulation (“GDPR”) and other international legislations to underscore the contrast between the Act and other frameworks.
Obligations of Data Fiduciaries under the Act
A Data Fiduciary must obtain unconditional, free, specific, and informed consent from a Data Principal before processing personal data.[2] Such consent must be, inter alia, granular (i.e., purpose specific) and obtained via a clear and concise notice at the time of data collection,[3] which informs the Data Principal of the type of data collected and purpose behind processing it. Data Principals retain the right to withdraw consent at any time, and Data Fiduciaries are obligated to ensure a complete and accessible withdrawal process.[4] Besides these, Data Fiduciaries must ensure data minimisation and accuracy, establish reasonable safeguards to protect personal data, and implement robust grievance redressal mechanisms.[5] Non-compliance with these requirements will attract significant penalties.[6]
The Rules supplement the obligations under the Act. For example, Rule 3 spells out the requirements regarding the Data Fiduciary’s notice to the Data Principal, further effectuating these obligations.[7] Rule 6 expands on the requirement of “reasonable security safeguards” by setting the minimum standard of protection.[8] In conjunction, Rule 7 reinforces the Data Fiduciary’s duty to intimate the Data Principal of a personal data breach.[9]
Analysing the Scope of Exemptions under Section 17 of the Act
The scope of the exemptions enumerated under Section 17 of the Act remains uncertain without adequate jurisprudence and clarifications from the Ministry of Electronics and Information Technology. However, in accordance with settled law, provisions for exemptions or concessions of any kind require strict interpretation.[10] Exceptions to the general rule of strict interpretation only apply vis-à-vis beneficial exemptions that seek to promote certain activities.[11]
At present, the exemption to conduct an “investigation” or “detection” under Section 17(1)(c) of the Act is not conditional on a specific authority undertaking the same,[12] indicating the legislative intent of having a broad exemption that subsumes all forms of investigations, whether conducted by a statutory authority or a private entity.
Presumably, when determining the scope of Section 17(1)(c) of the Act, Indian courts could seek assistance from the data protection legislations of the United Kingdom (“UK”) and France. Although based on similar jurisprudence, these legislations incorporate significant distinctions, as elaborated upon below.
Comparative Analysis
The UK’s Data Protection Act, 2018 (“DPA 2018”), and France’s Data Protection Act, 1978 (“DPA 1978”), have been enacted in furtherance of the EU GDPR. The GDPR, alongside incorporating explicit exemptions to certain rights, as under Article 17, also allows Member States to incorporate exemptions independently.
Articles 22 to 42 (Part 3 of the DPA 2018, which deals with law enforcement processing) apply only to the processing of data by a “competent authority” for the prevention, investigation, detection, or prosecution of criminal offences, wherein “competent authorities” are limited to public authorities.[13] Further, while detailing the situations where exemptions from the obligations of the Data Controller during law enforcement processing apply,[14] Paragraph 2(1)(a), Schedule 2 of the DPA 2018 excludes “investigations” despite their explicit mention in Article 31 of the DPA 2018.
Similarly, the French legislature has created a distinct regime under Title III of the DPA 1978 for the processing of personal data by “competent authorities” for the prevention, investigation, detection, or prosecution of crimes, wherein “competent authorities” are any public competent authority or any other body or entity entrusted to exercise public authority and public powers. This implies the exclusion of any private authority. The drafting of Article 107, Title III of the DPA 1978, bolsters this by allowing the restriction of a data subject’s rights only to avoid the obstruction of official or legal inquiries, investigations, or procedures.
Essentially, the DPA 2018 and the DPA 1978 explicitly limit the exemptions to investigations that are legal or official or conducted by public authorities. This is distinct from the text of Section 17(1)(c) of the Act, which chooses not to incorporate any limitation on the basis of the nature of the investigation or of the investigating authority. This solidifies the possibility of the Indian legislature intending to incorporate a broad exemption that deviates from the EU’s contemporaneous approach. Consequently, the key distinctions in the language of the EU legislations and the Act nullify the possibility of the former being a viable tool to interpret the potential ambiguities under Section 17(1)(c) of the Act.
Key Takeaways
Companies operating in multiple jurisdictions should keep in mind the differing standards of data protection applicable during internal investigation processes. They should pay special attention to identifying the authorities empowered to claim exemptions and override the obligations of Data Fiduciaries. This is important in the India–EU context, where India’s exemptions apply to all investigations, while those in the EU are statutorily restricted.
Further, Data Fiduciaries should evaluate whether the potential internal investigation qualifies under the exemptions provided under Section 17(1)(c). Section 17(1)(c) uses the expression “prosecution of any offence or contravention of any law” while carving out the exemption for, inter alia, conducting an investigation. Therefore, a bare reading of the provision suggests that it may not be necessary for Data Fiduciaries to perform the obligations specified in Chapter II of the Act if the potential investigation only pertains to an offence or contravention of Indian laws. In this context, before claiming exemptions, a Data Fiduciary must be completely certain about the illegality of the act or conduct that triggered the investigation.
Data Fiduciaries can also conduct Data Protection Impact Assessments (“DPIAs”) to ascertain the volume and nature of personal data involved, thereby preempting potential risks. DPIAs can also be useful for ensuring compliance, indicating that the Data Fiduciary has exercised due diligence while collecting investigation-relevant data. Lastly, to mitigate non-compliance risks, Data Fiduciaries can also implement data minimisation practices and collect personal data only if necessary and justified for the investigation.
In conclusion, the Act does not explicitly restrict the scope of investigations under Section 17(1)(c). It is still at a nascent stage, especially considering that the Rules neither mitigate nor attempt to clarify the ambiguity of Section 17 regarding the scope of investigations (i.e., whether it only includes investigations conducted by statutory authorities). This leaves the actual limits and execution of such obligations open to multiple interpretations, which could lead to inconsistent standards across entities. To ensure foreseeability and compliance by Data Fiduciaries undertaking internal investigations, adequate jurisprudence on the limits, if any, to the exemptions under Section 17 is necessary. Such clarification on the scope of Section 17 will help avoid imposing penalties on Data Fiduciaries for non-compliance with the obligations under Chapter II of the Act because of their misconception that Section 17(1)(c) does not necessitate these obligations.
For further information, please contact:
Sara Sundaram, Partner, Cyril Amarchand Mangaldas
sara.sundaram@cyrilshroff.com
[1] Section 17 of the Digital Personal Data Protection Act, 2023.
[2] Section 6 of the Digital Personal Data Protection Act, 2023.
[3] Section 5 of the Digital Personal Data Protection Act, 2023.
[4] Section 6 of the Digital Personal Data Protection Act, 2023.
[5] Section 8 of the Digital Personal Data Protection Act, 2023.
[6] Section 33 of the Digital Personal Data Protection Act, 2023.
[7] Rule 3 of the Draft Digital Personal Data Protection Rules, 2025.
[8] Rule 6 of the Draft Digital Personal Data Protection Rules, 2025.
[9] Rule 7 of the Draft Digital Personal Data Protection Rules, 2025.
[10] Commissioner of Customs (Import) Mumbai v. Dilip Kumar and Company, (2018) 9 SCC 1.
[11] Commissioner of Customs (Preventive) Mumbai v. M. Ambalal and Company, (2011) 2 SCC 74.
[12] Section 17(c) of the Digital Personal Data Protection Act, 2023.
[13] Schedule 7 of the Data Protection Act 2018.
[14] Article 34 of the Data Protection Act 2018.