35.Power of Central Government to exempt any agency of Government from application of Act
Where the Central Government is satisfied that it is necessary or expedient,—
(i) in the interest of sovereignty and integrity of India, the security
of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,
it may, by order, for reasons to be recorded in writing, direct that all
or any of the provisions of this Act shall not apply to any agency of
the Government in respect of processing of such personal data, as may be
specified in the order subject to such procedure, safeguards and
oversight mechanism to be followed by the agency, as may be prescribed.
Explanation.—For the purposes of this section,—
(i) the term "cognizable offence" means the offence as defined in clause (c) of section 2 of the Code of Criminal Procedure, 1973;
(ii) the expression "processing of such personal data" includes sharing by or sharing with such agency of the Government by any data fiduciary, data processor or data principal.
36.Exemption of certain provisions for certain processing of personal
The provisions of Chapter II except section 4, Chapters III to V, Chapter VI except section 24, and Chapter VII shall not apply where—
(a) personal data is processed in the interests of prevention,
detection, investigation and prosecution of any offence or any other
contravention of any law for the time being in force;
(b) disclosure of personal data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding;
(c) processing of personal data by any court or tribunal in India is necessary for the exercise of any judicial function;
(d) personal data is processed by a natural person for any personal or domestic purpose, except where such processing involves disclosure to the public, or is undertaken in connection with any professional or commercial activity; or
(e) processing of personal data is necessary for or relevant to a journalistic purpose, by any person and is in compliance with any code of ethics issued by the Press Council of India, or by any media self-regulatory organisation.
37. Power of Central Government to exempt certain data processors.
The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.
38.Exemption for research, archiving or statistical purposes.
Where the processing of personal data is necessary for research, archiving, or statistical purposes, and the Authority is satisfied that—
(a) the compliance with the provisions of this Act shall
disproportionately divert resources from such purpose;
(b) the purposes of processing cannot be achieved if the personal data is anonymised;
(c) the data fiduciary has carried out de-identification in accordance with the code of practice specified under section 50 and the purpose of processing can be achieved if the personal data is in de-identified form;
(d) the personal data shall not be used to take any decision specific to or action directed to the data principal; and
(e) the personal data shall not be processed in the manner that gives rise to a risk of significant harm to the data principal,
it may, by notification, exempt such class of research, archiving, or statistical purposes from the application of any of the provisions of this Act as may be specified by regulations.
39. Exemption for manual processing by small entities
(1) The provisions of sections 7, 8, 9, clause (c) of sub-section (1) of section 17 and sections 19 to 32 shall not apply where the processing of personal data by a small entity is not automated.
(2) For the purposes of sub-section (1), a "small entity" means such data fiduciary as may be classified, by regulations, by Authority, having regard to—
(a) the turnover of data fiduciary in the preceding financial year;
(b) the purpose of collection of personal data for disclosure to any other individuals or entities; and
(c) the volume of personal data processed by such data fiduciary in any one day in the preceding twelve calendar months.
40. Sandbox for encouraging innovation, etc.
(1) The Authority shall, for the purposes of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest, create a Sandbox.
(2) Any data fiduciary whose privacy by design policy is certified by the Authority under sub-section (3) of section 22 shall be eligible to apply, in such manner as may be specified by regulations, for inclusion in the Sandbox created under sub-section (1).
(3) Any data fiduciary applying for inclusion in the Sandbox under sub-section (2) shall furnish the following information, namely:—
(a) the term for which it seeks to utilise the benefits of Sandbox,
provided that such term shall not exceed twelve months;
(b) the innovative use of technology and its beneficial uses;
(c) the data principals or categories of data principals participating under the proposed processing; and
(d) any other information as may be specified by regulations.
(4) The Authority shall, while including any data fiduciary in the Sandbox, specify—
(a) the term of the inclusion in the Sandbox, which
may be renewed not more
than twice, subject to a total period of thirty-six months;
(b) the safeguards including terms and conditions in view of the obligations under clause (c) including the requirement of consent of data principals participating under any licensed activity, compensation to such data principals and penalties in relation to such safeguards; and
(c) that the following obligations shall not apply or apply with modified form to such data fiduciary, namely:—
(i) the obligation to specify clear and specific purposes under sections
4 and 5;
(ii) limitation on collection of personal data under section 6; and
(iii) any other obligation to the extent, it is directly depending on the obligations under sections 5 and 6; and
(iv) the restriction on retention of personal data under section 9.