-Fathima Rena Abdulla*
ABSTRACT
Can we protect genetic privacy while fostering scientific innovation? This article tackles this crucial question by examining India's bold but potentially problematic research exemption under Section 17(2)(b) of the Digital Personal Data Protection Act, 2023 (“DPDPA”) and Rule 15 of the Draft Digital Personal Data Protection Rules, 2025 (“2025 Draft Rules”). The article examines India’s inspiring journey from historic hesitance in genetic research to its current ambitious Genome India Project and the implications of the research exemption to the current state of biomedical research and genetic privacy. Through a comparative analysis with the GDPR and previous iterations of India's data protection legislation, alongside examination of international biomedical research standards, the article argues that the DPDPA's blanket research exemption under Section 17(2)(b) and the 2025 Draft Rules fails to strike an appropriate balance between privacy and innovation, potentially hindering India's participation in global genetic research while simultaneously failing to adequately protect sensitive genetic data.
INTRODUCTION
India’s data protection journey presents a paradox. On the one hand, at its root, the recognition of the fundamental right to privacy in Puttaswamy v. Union of India (“Puttaswamy”) devolved out of concerns over the en masse storage of biometric data. On the other hand, the fruit of this recognition, the Digital Personal Data Protection Act, 2023 (“DPDPA”), appears to be diverging from its roots. In Puttaswamy, the Court went to the extent of pointing out the need for special protections for biometric information since it is “intimately connected to the individual.” But, under the DPDPA, there is not only a noticeable absence of special protections for sensitive data, but it also contains vaguely worded but broad provisions for exempting the Act’s application for research. Section 17(2)(b) exempts application of the Act for data processing for “research, archiving, or statistical purposes” provided the data is not used “to take any decision specific to a Data Principal” and adheres to “standards as may be prescribed.” .
Such an exemption could also apply to Biobanks. The National Ethical Guidelines for Biomedical and Health Research Involving Human Participants, 2017 (“ICMR guidelines”) defines a biobank as an “organized collection of human biological materials with usually associated dataset stored for years in appropriate facilities for research and potential commercial purposes with inbuilt policies for transparency.” Research studies show that the collected biospecimens are “linked to relevant personal and health information – health records, family history, lifestyle, genetic information etc.” So, it is not difficult to make the case that it requires at least some level of data protection. As India positions itself at the forefront of genetic research, a careful examination of the DPDPA’s relevant provisions and their potential impact on privacy and innovation is a crucial question that must be answered.
This blog focuses on Section 17(2)(b)’s “research” exemption under the DPDPA alongside the 2025 Draft Rules, analyzing and questioning the blanket nature of this exemption through a comparative lens with the GDPR and other global standards. The analysis is centered specifically on Biobanks. It does not address the exemption for “archival or statistical purposes.” The article begins with India's evolving position in global genomic science. It then follows a three-part approach: first, examining the provision's scope and limitations through textual analysis; second, evaluating its necessity, suitability, and proportionality for fostering innovation; and third, assessing its alignment with international standards for biological sample research. It finally concludes that while the exemption aims to promote innovation, its broad scope could affect India's participation in international genetic research and raise concerns about privacy protection in biomedical research.
GENETIC PRIVACY AND INNOVATION: A BALANCING ACT(?)
India’s relationship with genetic research has been historically fraught with apprehension. In the 1990s India opted out of the Human Genome Project (“HGP”) and imposed restrictions on the transfer of genetic material. The HGP concluded in 2003 resulting in a paradigm shift in medical research by mapping genetic mutations and proclivities. The country’s top molecular biologist, P.M. Bhargava, lamented that India was “the only country in the world [with] extensive scientific infrastructure and capabilities that was not a part of the international human genome sequencing project.” Sukhumar (2019), in his book ‘Midnight’s Machines’ attributes this to India’s “deep-rooted discomfort with placing the human body as the site of technological innovation.”
One of the causes of this discomfort, as noted by Vaz et al. (2022), is the general distrust of confidentiality mechanisms in place which results in hesitancy to participate or volunteer for such research due to genetic discrimination concerns. This distrust is not unsubstantiated, as although the ICMR guidelines provide for data protection in such research, they lack enforceable value and fail to comprehensively address specific data protection concerns, such as purpose limitation for secondary research. There were attempts to pass a Bill governing biobanks around 2006-07, but it never came to fruition.
However, the genetic diversity in India also presents an opportunity. For example, studies on the CYP2C19 gene variants in Indian populations have shown varied responses to certain antiplatelet drugs, which could inform more precise dosing strategies. Also, some Indian communities in Jammu & Kashmir show unusual longevity. The Longevity India Initiative launched on April 18, 2024, by IISc can potentially look into that and provide globally sought-after insights into healthy ageing and age-related diseases.
Nonetheless, it took more than two decades after the HGP’s completion for India to finally complete a large-scale mapping exercise for its population. On February 27, 2024, the Department of Biotechnology (“DBT”) announced the success of the Genome India Project in finally creating a reference Indian human genome using whole-genome sequences of 10,000 Indians. The DBT Secretary, Dr. Rajesh Gokhale, compared the achievement to creating a “baseline map of the country.” The positive implications for healthcare innovation and research possibilities from such a dataset are endless.
In the wake of this breakthrough, biobanks – both public and commercial – have begun to emerge at an unprecedented pace. However, the lingering distrust in existing confidentiality mechanisms threatens to impede these research efforts. The DPDPA has potential to address these trust issues; however, paradoxically, its research exemption may inadvertently undermine genetic privacy while hindering the very innovation it seeks to foster.
A. SECTION 17(2)(b) AND ITS DISCONTENTS
Section 17(2)(b) of the DPDPA states that the “provisions of the Act shall not apply to the processing of personal data necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.” For the sake of bringing clarity, these aspects are compared to the General Data Protection Regulation (“GDPR”) and the previous versions of the Bill to trace how the safeguards have become increasingly diluted as the Bill evolved.
The DPDPA exempts the application of the entire Act as opposed to GDPR, where Article 89 does not exempt core principles like fairness, transparency, purpose limitation, and storage limitation. Clause 45(1) of the Personal Data Protection Bill, 2018 (“PDPB 2018”) similarly allowed for a research exemption, but Clause 4 (fair and reasonable processing), and Clause 33 (data protection impact assessment) still applied. The B.N. Srikrishna Report, 2018 (“2018 Report”) also suggested a similar measure. Clause 40 of the Personal Data Protection Bill, 2019 (“PDPB 2019”), however, introduced a provision for a “sandbox for encouraging innovation” that similarly granted selective exemptions for specific provisions where obligations could be applied in a modified form. Nevertheless, Clause 18(2)(b) of the Digital Personal Data Protection Bill, 2022 (“DPDPB 2022”) departed from these standards and brought an exemption similar to the one found in the current DPDPA. The only difference is that the exemption under DPDPB 2022 was to be provided by the central government through a notification.
While Draft Rule 15 and the Second Schedule to the recently notified 2025 Draft Rules seem to impose additional safeguards and obligations for processing under Section 17(2)(b), they fail to remedy the DPDPA’s deficiencies. The Schedule’s para (c) for purpose limitation and para (e) for storage limitation do not provide what they seem to promise and merely reiterate that processing/storage must be limited to the exempted “purposes” under Section 17(2)(b) (see, para (b)) creating a self-referential loop that renders the rules toothless. In effect, processing/storage merely has to align with one of the broad exemptions like “research” under Section 17(2)(b), and Data Principals cannot define, restrict, or even know the specific purpose—e.g., health data collected for cancer research may be repurposed for unrelated behavioral analytics without consent or recourse. Fiduciaries define the broad purpose (e.g. research), which in turn legitimizes the processing as the Data Principal lacks rights with regards to consent, notice, access, withdrawal etc. to limit what they have consented to.
Although para (g) mandates accountability mechanisms (e.g., providing contact details), this is not applicable to the Section 17 exemptions and is only applicable to the government exemption under Section 7. Critically, the Second Schedule’s “lawful” threshold (para (a)), is tied to Section 4(2) of the DPDPA’s permissive definition i.e. “any purpose not expressly forbidden by law”—a negative obligation that imposes no affirmative duty to align purposes with Data Principal expectations or rights. The 2025 Draft Rules do not improve upon the existing DPDPA framework apart from its provisions for reasonable security safeguards and accuracy which is outside the scope of this Article. By divorcing purpose or storage limitations from the Data Principal’s agency, the Rules reduce privacy safeguards to theoretical constructs, enabling unchecked processing as long as they fit within the broad banner of “research.”
The DPDPA applies this provision uniformly to all research, contrary to recommendations in the 2018 Report. The report suggested a contextual approach, acknowledging that a “bright line test” for all research could be overly broad, especially for sensitive areas like medical research where consent should be the norm. Hence, it recommended a contextual approach where the Data Protection Authority (“DPA”) can evaluate if compliance will “disproportionally divert resources” from the research purpose. This approach can also be found in the Article 14(5)(b) of GDPR, Clause 45(3)(a) of PDPB 2018, and Clause 38(a) of PDPB 2019.
Further, the DPDPA, and the 2025 Draft Rules (or even the previous Bills) do not define “research,” raising questions about the term’s scope: Will it also include commercial research that does not serve the public interest? The GDPR under Article 21(6) allows data subjects to object to exemptions if the research is not in the public interest. Further, the DPDPA effectively conveys that the exemption will not apply if the personal data is “used to take any decision specific to a data principal.” This standard was inspired by Section 33 of the U.K.’s Data Protection Act of 1998, which has since then repealed the provision. Does this mean that the exemption will not apply if the research was used to prescribe personalized or precision medicine? If yes, then the entire Act would apply, including the right to access under Section 11. This could force institutions to deanonymize data at an onerous cost, potentially undermining the exemption’s purpose by creating a more restrictive environment for innovation.
B. DOES INNOVATION TIP THE BALANCE?
The 2018 Report justifies a research exemption in data protection law by invoking the fundamental right to freedom of expression under Article 19(1)(a) and the fundamental duty to develop scientific temper under Article 51A(h) of the Constitution of India. It cites the research exemption under Section 47(3) of the Indian Patent Act, 1970 as a parallel. The Committee deemed this “necessary to foster scientific innovation and the free flow of ideas.” The obvious next question would be does such an exception, in reality, help further its goal of fostering innovation and if it’s a necessary, suitable and proportional exemption of privacy?
One of the criteria used to assess necessity is checking if it’s the “least intrusive measure” on privacy which helps further the objective. This is not the case since less invasive alternatives exist that better safeguard privacy while furthering the objective of fostering innovation, such as specific exemptions contingent on meeting specific criteria like anonymization techniques. This was recommended by the 2018 Report, and was followed in Clause 45(2) of PDPB, 2018 and Clause 38(c) of PDPB, 2019. Even for consent, DPDPA and the ICMR guidelines follow a broad consent model. Broad consent assumes consent for a wide range of future research uses. But more nuanced approaches exist. In contrast, a dynamic consent model allows participants to modify their preferences over time, and a tiered consent model offers multiple options for different categories of data. Ambiguity around protecting data for secondary uses—those beyond the original consent—under a broad consent model undermines trust. Individuals may avoid participating out of fear their sensitive information will not be adequately safeguarded.
It is also questionable if Section 17(2)(b) is actually a suitable measure for furthering the objective of fostering innovation. As discussed above, it risks undermining its own objective by neglecting the critical link between public trust and participation. Innovation in fields like healthcare, social sciences, and technology relies on robust datasets derived from voluntary public engagement. However, the exemption’s suspension of core privacy safeguards—such as specific consent, notice, etc.—creates a perception of risk that discourages participation. As evidenced by India’s history with genetic research, this ambiguity erodes trust, leading to smaller, less diverse datasets that compromise research validity and slow breakthroughs.
Further, for research activities that rely on data anonymization or aggregated datasets, the provision may not provide sufficient incentives or flexibility to drive meaningful innovation. This provision exempts data use only “if the personal data is not to be used to take any decision specific to a Data Principal.” By limiting flexibility in data use, it risks failing to incentivize meaningful advancements. For example, precision medicine relies on tailoring treatments to individuals, such as selecting targeted therapies, and may fall outside the exemption because it is used to make decisions affecting the data principal. This field is critical for advancing healthcare, improving outcomes, and minimizing side effects, especially in areas like oncology and rare diseases. In biobanks, the data is usually reversibly or irreversibly anonymized to protect privacy.
The GDPR exempts truly anonymized data from access requests and offers research-friendly provisions for pseudonymized data, reducing burdens and fostering innovation. In contrast, the exemption for precision medicine would be lost under Section 17(2)(b) which, as mentioned earlier, triggers right to access under Section 11, potentially requiring re-identification to fulfill requests. This process is costly, resource-intensive, and sometimes impossible in the case of irreversibly de-identified data. This could result in a situation where researchers are hesitant to carry out research due to legal uncertainties and expensive compliance demands. Additionally, precision medicine depends on analyzing vast amounts of genomic and medical data to identify effective treatments but fears about inadequate safeguards for sensitive information may discourage individuals from sharing their data, jeopardizing the large-scale participation necessary for innovation.
The exemption ultimately fails to achieve a meaningful balance between privacy protection and fostering innovation. While positioned as supporting research and innovation, Section 17(2)(b)'s broad scope encompasses all types of research, including those that may not serve or could even harm the public interest. This indiscriminate approach contrasts sharply with previous versions of the Bill, which incorporated specific privacy safeguards and protective measures. The absence of these safeguards creates legal uncertainty that can paradoxically stifle innovation - researchers may hesitate to pursue projects due to unclear compliance requirements, while individuals may be reluctant to share data without adequate privacy protections.
C. MOVING TOWARDS BALANCE: INTERNATIONAL STANDARDS AND SOFT LAW INSTRUMENTS
Biomedical research is one area where there is a lot of international collaboration. But countries are cautious about partnering with countries with weak data governance frameworks. The greatest example of this being “adequacy decisions” for governing data transfer under Article 45 of GDPR that evaluate if an “equivalent level of protection” is provided in another country. International standards like the Universal Declaration on Bioethics and Human Rights (“UNESCO Declaration”), World Medical Association’s (“WMA”) Declarations, the OECD Recommendation on Human Biobanks and Genetic Research Databases (“OECD Recommendation”) set the framework for these protections. Given the research exemption, prominent rights such as informed consent or withdrawal are rendered non-applicable to the data collected for such purposes, however, the same can be detrimental for privacy and genetic research. The following section takes guidance from international conventions and guidelines on the same and highlights the necessity of such rights to be granted even with respect to personal data being collected for such research purposes.
Firstly, the nature of the right to informed consent is frequently addressed in these instruments since it is an especially important concern due to implications for the secondary use of these data. Article 26 of the WMA Declaration of Helsinki mandates comprehensive informed consent, covering “research aims, methods, funding, conflicts of interest, benefits, risks, and institutional affiliations etc.” Article 12 of the WMA Taipei Declaration further details the need to inform participants about “data storage, usage, privacy protections, and the impact of data anonymization.”
Imagine a scenario where excess residual tissue is stored in a biobank after a routine biopsy. The patient later learns that it is being used to develop a commercial cell line. Informed consent ensures that participants understand and agree to how their genetic material may be used in the future. Using tiered consent forms can help avoid such a situation, allowing participants to specify which types of secondary research they approve. However, one valid concern that was pointed out in the 2018 Report is that in clinical trials involving large-scale population health research, the consent and notification model is not appropriate since non-participation could affect the accuracy of the results.
Secondly, most international guidelines, including Article 6(1) of the UNESCO Declaration and Article 15 of the WMA Taipei Declaration, mandate procedures for consent withdrawal. Imagine a scenario where a biobank initially collected DNA samples for cardiovascular research and later used it for a controversial study on genetic markers for criminal behavior. The right to withdrawal gives individuals ongoing control over their biological materials and associated data, respecting their evolving personal and ethical stance. Additionally, the deletion of disseminated data and its integration into broader datasets are particularly critical for research—where collaborative reproducibility (e.g., multi-institutional clinical trials) and longitudinal analysis (e.g., epidemiological studies) rely on seamless data sharing, yet there is an absence of clear protocols.
Thirdly, the right to access is a very tricky situation, as mentioned above, that these instruments navigate better. Article 14 of the WMA Taipei Declaration provides individuals with the right to request and be provided with information about their data. For example, say, a biobank participant’s genome reveals a rare genetic variant linked to drug resistance. Without access rights, this information will never reach the participant causing ineffective treatment. The 2018 Report talks about how access rights can be difficult to comply with because research organizations may have to incur onerous costs for re-identification. However, access rights with specific limitations for anonymized data – an approach adopted by the GDPR as mentioned above – can ensure that individuals can benefit from discoveries made using their genetic information. Pseudonymization allows researchers to retain data utility (e.g., tracking patient outcomes via coded identifiers) while minimizing re-identification risks, fostering public trust and participation.
Finally, certain instruments provide data portability. Section 5(ii) of the OECD Recommendation allows data subjects to request the sharing of their data for health-related purposes. It mandates providing a legal basis if such a request is denied. Imagine a scenario where a participant’s “anonymized” genetic data is used in a large-scale study. The participant wants to share these comprehensive results with a specialist for a rare condition. Data portability will enable individuals to maximize the utility of their genetic information for benefit sharing. However, in general, the DPDPA does not recognize the right to data portability anywhere in the Act. The lack of data portability could limit participants’ ability to leverage their genetic information for personalized healthcare or benefit sharing, potentially making India’s framework less attractive for global research collaborations.
CONCLUSION
The analysis of Section 17(2)(b) of the DPDPA reveals fundamental inadequacies in its approach to research exemptions, particularly in the context of biobanks and genetic research. The exemption's expansive scope, and blanket approach, coupled with its ambiguous parameters regarding "decisions specific to a Data Principal," potentially undermines both privacy safeguards and research innovation, notably in precision medicine. The exemption effectively nullifies crucial protections concerning informed consent, withdrawal rights, and data access—protections that are cornerstone principles in international biomedical research frameworks. While the 2025 Draft Rules attempt to address these concerns, the structural limitations inherent in the primary legislation's blanket exemption approach raise significant questions about India's preparedness to participate in and regulate genetic research, particularly as initiatives like the Genome India Project position the country at the frontier of genomic science.
*The Author is a fourth-year law student at the National University of Advanced Legal Studies, Kochi. The author would like to acknowledge Niyati Prabhu, Ananya Arun, and Anasruta Roy for their comments on the earlier drafts of this piece.