Exemptions and Accountability in India’s Data Protection Framework 

India's data privacy law, the Digital Personal Data Protection Act of 2023, is facing a major challenge. It must balance growing AI technology with the need to protect personal Data. Section 17(5) of the Act is the major point of debate. Payment platforms like Paytm, Google Pay, PhonePe, and Amazon Pay have formally requested exemptions under this clause. They have cited operational disruptions and innovation challenges, particularly when processing publicly available personal data for AI training and digital transactions.  

The Internet and Mobile Association of India (IAMAI), which represents over 600 digital businesses, has backed these requests. It stated that ambiguities in the Act, especially around what qualifies as “voluntarily made available” personal data under Section 3(c)(ii), could stall AI development and disproportionately burden startups. IAMAI argues that without clearer definitions or interim relief, data fiduciaries may be forced to conduct impractical provenance checks on public datasets, which can hinder scalability and competitiveness. Their submission urges the government to issue targeted exemptions and clarify the scope of lawful processing to avoid regulatory overreach in the future.  

Understanding Section 17(5) of the Act 

Section 17(5) of India’s Digital Personal Data Protection Act, 2023, gives power to the central government to exempt certain data fiduciaries or entire classes from specific provisions of the law for up to five years. On paper, it’s a pragmatic clause that is created to accommodate sectors facing disproportionate compliance burdens or undergoing rapid technological shifts. In practice, it’s quickly becoming a focal point for the debate.  

Major tech platforms and payment providers are now invoking this clause. They are seeking relief from obligations that could disrupt AI model training or digital payment flows. For example, Tech companies that are developing voice-enabled AI assistants in smartphones, smart speakers, or wearables often rely on ambient voice data collected from publicly accessible environments (e.g., voice queries made in public spaces or shared audio snippets from open forums). Under the DPDP Act, if such data contains personal identifiers and cannot be clearly traced to voluntary disclosure by the data principal, its use for training speech recognition models may violate compliance norms.  

These companies are now seeking exemptions under Section 17(5) to continue refining multilingual voice models without breaching consent requirements, especially in low-resource Indian languages where annotated datasets are scarce. Their argument is based on operational feasibility; that rigid enforcement, especially around publicly available personal data, risks throttling innovation and complicating service delivery. The exemption clause, they argue, is not sidelining accountability. According to them, the clause provides continuity and competitiveness in a fast-moving digital economy. 

Publicly Available Personal Data: A Legal Grey Zone 

The current debate centres on publicly available personal data information that’s accessible online or disclosed under legal obligations. The DPDP Act does make room for such data under Section 3(c)(ii), which excludes personal data made public by the data principal or disclosed under law from the Act’s scope. But IAMAI argues that this language is ambiguous. 

For AI developers, especially those training large language models or building context-aware systems, publicly available data is a critical resource. Yet determining whether such data was “voluntarily” disclosed by individuals or whether it remains legally usable after being reshared or republished is practically unfeasible. This unfeasibility is coming from the sheer volume and heterogeneity of data sources, millions of posts, comments, and reviews scattered across platforms with varying disclosure norms. IAMAI’s submission to the Ministry of Electronics and Information Technology (MeitY) points out that privacy settings change, platforms evolve, and data provenance becomes murky. 

Why AI Needs Breathing Room, especially in India 

India’s AI sector is still in its starting stages. While big global companies have enough resources to handle compliance requirements, this is not the case with small startups. IAMAI warns that restrictions on publicly available personal data could raise entry barriers. It can lead to more development costs and can also stifle competition. 

Many Indian startups are working on AI models that are suitable for local languages, cultural contexts, and economic conditions. These models require diverse datasets often scraped from publicly accessible sources to reflect the lived realities of Indian users. If access to such data is stopped, innovation will suffer, and India could fall behind in the global AI race. 

Payment Platforms and the Compliance Dilemma   

The exemption requests from payment providers are another aspect of the debate. Digital payment platforms routinely process personal data like names, phone numbers, and transaction histories to provide better user experiences. While much of this data is shared voluntarily, the DPDP Act’s provisions around consent, purpose limitation, and data minimisation could complicate routine operations. Platforms like Google Pay and PhonePe argue that while publicly available personal data is nominally exempt under Section 3(c)(ii) of the DPDP Act, the lack of clarity around what qualifies as “publicly available” creates operational uncertainty. For example, if a user’s data was once public but later restricted through privacy settings, or if the data was republished by third parties, platforms may struggle to determine whether continued processing remains lawful.  

This ambiguity, along with strict consent and notice requirements, could force payment providers to overhaul backend systems, revalidate data sources, and implement granular consent tracking, all of which could disrupt real-time transaction flows and increase compliance costs. But critics are raising concerns that if such exemptions are granted too broadly or without clear guardrails, it could set a precedent that could weaken the enforcement of the law. Interestingly, IAMAI’s submission isn’t unanimous. Members like Reliance Jio and Culver Max Entertainment have reportedly expressed different views, suggesting that not all stakeholders agree on the need or scope of exemptions. This internal split reflects a bigger concern because while some companies prioritise operational flexibility, others may see long-term value in strong privacy laws. It also tells us about the importance of transparency in policymaking. If exemptions are granted, the rationale, scope, and duration must be clearly communicated. Otherwise, the law risks losing public trust before it’s even fully implemented.  What’s at Stake? While the current exemption requests centre on AI and digital payments, the implications of Section 17(5) stretch far wider. This clause could be invoked by social media platforms, health tech firms, or even government agencies, each with distinct data practices and risk profiles. Its application will shape not just compliance norms, but public trust in India’s data governance framework. The first few exemptions will set a precedent. If granted too broadly or opaquely, they can weaken the law before it’s even fully operational. But if they are drafted with precision, like being narrow in scope, time-bound, and transparently reviewed, they could help India build a rights-respecting innovation system. The stakes are high, and the margin for error is very slim.  A Call for Clarity, Not Deregulation IAMAI’s submission is a call for clarity. It acknowledges the importance of privacy but argues that the current law doesn’t reflect the operational realities of AI development. By seeking exemptions for publicly available personal data, it’s asking the government to recognise the unique challenges presented by large-scale data processing. But clarity must come with accountability. Any exemption granted under Section 17(5) should be: Narrowly defined: Limited to specific use cases like AI model training or payment facilitation. Time-bound: Valid only for a fixed period, with sunset clauses and renewal conditions. Transparent: Subject to public disclosure and parliamentary oversight. Reviewable: Open to challenge or revision based on evolving legal and technological contexts.  Conclusion The DPDP Act is a landmark legislation that is designed to give citizens control over their personal data. But legislation alone is not enough. The act must also be implemented in a way that supports the country’s technological aspirations. This is especially true in the context of AI, where data is both infrastructure and a competitive edge. Section 17(5) provides an opportunity to balance innovation with accountability, but it must be used with restraint, clarity, and foresight. Exemptions should remain rare and rigorously justified. They must not become a backdoor to bypass core protections like consent, purpose limitation, and transparency. As the government reviews IAMAI’s submission and exemption requests from payment platforms, there is a major choice that lies ahead. Will the law grow as a framework that allows innovation without compromising rights, or will it be remembered as a missed opportunity where flexibility became fragility? The answer will definitely define India’s digital future.   

Reference  

Lawful Legal, The Intersection of AI and Data Privacy: Challenges Under India’s Digital Personal Data Protection Act 2023, https://lawfullegal.in/the-intersection-of-ai-and-data-privacy-challenges-under-indias-digital-personal-data-protection-act-2023/ (last visited Aug. 19, 2025). Digital Payment Firms Request Exemption from DPDP Act’s Consent Clause, Econ. Times (Aug. 5, 2025), https://government.economictimes.indiatimes.com/news/digital-payments/digital-payment-firms-request-exemption-from-dpdp-acts-consent-clause/123111628. IAMAI Raises Concerns Over DPDP Act Clause Impacting AI Model Training in India, Moneycontrol (Aug. 7, 2025), https://www.moneycontrol.com/artificial-intelligence/iamai-raises-concerns-over-dpdp-act-clause-impacting-ai-model-training-in-india-article-13414149.html. Taxmann, DPDP Act: Impact on Startups and SMEs in India, https://www.taxmann.com/post/blog/dpdp-act-impact-on-startups-and-smes-in-india (last visited Aug. 21, 2025). IAMAI Seeks Exemption for AI Firms from Certain Data Privacy Rules in Using Publicly Available Personal Data, Bus. Today (Aug. 8, 2025), https://www.businesstoday.in/technology/news/story/iamai-seeks-exemption-for-ai-firms-from-certain-data-privacy-rules-in-using-publicly-available-personal-data-488440-2025-08-08.