Disclaimer

By clicking, "I Accept" below, you accept and acknowledge the following:

The purpose of this website is to provide general information and insights about TLH, Advocates & Solicitors, and not to advertise or solicit work in any manner whatsoever.

Please note that as per the Bar Council of India Rules, advocates in India are prohibited from advertising or soliciting work in any form or manner. You acknowledge that you are visiting this website at your discretion and that there has been no solicitation, invitation, or inducement of any sort whatsoever from TLH, Advocates & Solicitors or any of its professionals in relation to this website.

The content available on this website does not constitute legal or other professional advice and should not be substituted for advice relevant to particular circumstances.

The access and use of this website does not establish any fiduciary or other relationship between you and TLH, Advocates & Solicitors or any of its advocates.

Please read the ‘Terms of Use’ and our ‘Privacy Policy’ before accessing this website.

I Accept
Blog default background
Blog
Corporate Law

Harmonising Regulation and Routine: Analysing the DPDP Act’s Exemption of Personal and Domestic Purpose

Authors:
Arko Mitra
February 7, 2026
5 min read
Share this post
Copied!

Introduction

On 14th November 2025, the Central Government vide G.S.R. 843(E) notified the Digital Personal Data Protection Act, 2023 (“Act”), with the substantive provisions coming into force in 18 months, i.e., 14th May 2027. One of the notable features of the Act is the exemption carved out under Section 3(c)(i), which excludes the processing of personal data for ‘any personal or domestic purpose’ from the scope of the statute. This article examines the contours of the personal or domestic purpose exemption under the Act, the rationale underlying the exemption, and the implications it carries for individuals and entities assessing whether their data processing activities fall within the ambit of the Act.

Statutory Provisions

A similar exemption provided under Section 3(c)(i) of the Act is found in Article 2(c) of the General Data Protection Regulation (“GDPR”), making the GDPR inapplicable for processing of personal data ‘by a natural person in the course of a purely personal or household activity.’

Recital 18 of the GDPR provides more context by placing a test of no connection to any kind of ‘professional or commercial activity’ to avail the exemption. It also elucidates that one of the objectives of the exemption is to ensure that social networking and general online activity done by natural persons do not attract GDPR compliance requirements, while stating a caveat that controllers or processors that provide for the means of processing such personal data would not be eligible for the exemption.

Case Laws

As of now, there are no Indian case laws on the scope and interpretation of this exemption. However, several European Union (“EU”) cases provide valuable interpretative guidance that may influence Indian courts. The 2018 Justice B.N. Srikrishna Committee Report (“2018 Report”) that preceded the Act, recognised the importance of exempting activities “carried out by individuals for a private purpose, or in fulfilment of a daily domestic task”.[1] The 2018 Report emphasised that this exemption should be “narrowly tailored” to ensure it does not inadvertently exclude processing of data that should be regulated.[2] In this regard, the 2018 Report cited various EU case laws, some of which are analysed below.

In Bodil Lindqvist (2003), the defendant created personal web pages and hosted them on a Church website, which she was managing. The pages contained personal information of the defendant and several of her colleagues, including private medical details, which were posted without taking consent from the affected parties.[3] While the defendant argued that her actions were not economically motivated and in furtherance of parish activities, and thus ought to be protected, the court held that charitable or religious activities, even if not economically motivated, aren’t covered by the exemption.[4] The exemption must be interpreted as “relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with processing of personal data consisting in publication on the internet so that those are made accessible to an indefinite number of people.”[5]

In Kordowski (2011), the defendant operated a website that facilitated individuals to anonymously post complaints against various solicitors and law firms, encouraging naming and shaming them without verification of the facts, thereby causing reputational harm.[6] Furthermore, the defendant demanded fees for removing the content. Despite the claimants serving a notice demanding that the defendant cease processing and destroy data, he ignored it, leading to claims for breaches. There had already been prior libel cases against him, noting patterns of malice and inaccuracy. Thus, the court held that when the processing of data itself is done in a ‘grossly unfair and unlawful way’, it cannot be protected by any exemption.[7]

In Frantisek Rynes (2014), the defendant installed a security system with cameras that captured the entrance to his house, part of a public footpath, and the entrance of the house on the opposite side.[8] The defendant was the only person with access to the data, and the recording done was only visual, with no scope for real-time surveillance. The court held that, as the camera covered the front view of the street and the entrance to the opposite house, it would count as processing personal data of others. The act of recording itself constitutes automatic processing, and real-time observation did not play a factor. Moreover, monitoring a public space would not amount to processing data in the course of a ‘purely’ personal or household activity, with an emphasis on the qualifier ‘purely’.

Lastly, in DSB (2022), the defendant digitally shared private medical information and other sensitive information of his ex-partner to a closed circle of people with no public dissemination.[9] The court held that the personal and domestic exemption ought to be construed broadly and covers informal relationships beyond familial ties. The lack of an economic motive, as well as no public dissemination, makes the situation fall squarely within the ambit of the exemption. This judgment reinforced a narrow GDPR application to private, non-public activities. It extended the meaning of ‘household’ to informal networks, provided that there are no economic ties. Victims of such non-consensual sharing of private information are still free to seek remedies under other applicable laws.

Conclusion

The aforementioned judgments show that the GDPR strictly applies whenever there is any question of unauthorised dissemination of private data to the public, and/or unauthorised processing of data of unrelated individuals. The law is inapplicable when such processing is limited to a closed circle and based solely on personal matters.

However, a seemingly subtle but potentially significant difference exists in the wording of the personal/domestic exemptions found in the Act and the GDPR. In India, the law states ‘any personal or domestic purpose’, while in the EU it is ‘purely personal or household activity’. ‘any’ is a much broader qualifier, while ‘purely’ is significantly more restrictive. The 2018 Report recommended a “narrowly tailored exemption for purely personal or domestic processing”, but the qualifier ‘purely’ has been replaced with ‘any’ in the Act. While there is no official explanation for this, it was probably done to ease regulatory burden in an Indian context. Accordingly, the Indian legal regime on data protection may not be as stringent as the EU GDPR regime.

References

[1] Page 141, Justice B.N. Srikrishna Committee Report

[2] Ibid.

[3] Lindqvist v Åklagarkammaren i Jönköping, Case C-101/01

[4] Paragraph 45

[5] Paragraph 47

[6] Law Society and others v Kordowski [2011] EWHC 3185 (QB)1D03791

[7] Paragraph 84

[8] C-212/13

[9] ECLI:AT:DSB:2022:2022.0.332.606

Personal Data

Footnotes

Share this post
Copied!

Latest posts

Corporate Law
February 8, 2026
Harmonising Regulation and Routine: Analysing the DPDP Act’s Exemption of Personal and Domestic Purpose
An analysis of the DPDP Act, 2023 and its exemption for personal and domestic data processing, comparing India’s approach with GDPR jurisprudence.
Read more
Arrow Right
Real Estate
February 7, 2026
Revenue Records: Can they confer Title?
Read more
Arrow Right
Real Estate
February 4, 2026
Dual Safeguards: The Complementary Roles of Consumer Protection Law and RERA in Protection of Homebuyers
Explains how RERA and the Consumer Protection Act operate together to protect homebuyers through concurrent remedies.
Read more
Arrow Right
Corporate Law
February 4, 2026
The SHA- AoA Intersection: Decoding An Evolving Judicial Approach
Read more
Arrow Right
Corporate Law
February 4, 2026
Redefining Materiality: SEBI’s Proposed Changes in the RPT Framework
Read more
Arrow Right
Employment Law
February 4, 2026
Cross-Border Workforce Management in India: The Role of Employer of Record Model
Read more
Arrow Right
View All Blogs
Arrow Right