The DPDP Act carves out certain exemptions, under which some or all provisions of the law will not apply. These are generally in contexts where imposing consent or other requirements could hinder important functions. Key exemptions include:

Government-notified exemptions for sovereignty, security, and public order – the government may exempt its agencies from specified duties for purposes such as national security, law enforcement, or research, by issuing a notification (with reasons).

Legal Proceedings: Processing of personal data necessary for the establishment or defense of a legal claim, or by courts and tribunals in the course of judicial functions, is exempt from consent and many rights and obligations.

Law Enforcement: Data processing for the prevention, investigation, or prosecution of offences is exempted to the extent necessary for those purposes.

Publicly Available Data: Although not explicitly a blanket exemption in the Act, information that a data principal has “voluntarily made publicly available” may be considered under legitimate use; however, this is nuanced, and using such data must still respect the Act’s principles unless formally exempted.

Outside India Data (Outsourcing): As noted, personal data of individuals not located in India, when processed by Indian companies under contract with foreign entities, is exempt from many provisions – these companies must mainly ensure data security, but are not bound by rights like access/erasure for such data.

Small Entities: The government can, via future rules, exempt certain Data Fiduciaries or classes (for example, startups or small businesses) from select provisions or provide adapted requirements, likely to avoid undue burden on them. Any such exemption would come with conditions and would be time-bound.

Organizations need to review whether any of their data processing activities fall under these categories. If they do, those specific operations might not need full compliance (for instance, a company need not obtain consent for processing data when responding to a court subpoena, as that is exempt). However, these exemptions are narrowly construed, and most day-to-day commercial data processing will not qualify; therefore, they should be applied carefully, usually in consultation with legal experts.