At a glance
The DPDP Act exempts processing for “enforcement of legal rights or claims” from most of its obligations (Section 17(1)) — a broad carve-out covering much of what litigation and advisory firms do. What it does not exempt is the security-safeguards duty (Section 8(1) and 8(5)): a firm still has to protect client documents and report a breach, even inside privileged, exempt work. Privilege and professional confidentiality were never a security standard on their own; the Act’s surviving duty makes that explicit.
Educational resource only. This explains how the legal-claims exemption and surviving security duties under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) apply to client-attorney document handling; it is not formal legal advice.
The situation
Law firms sometimes read the Section 17(1) exemption as a blanket pass — “we’re exempt from DPDP for litigation work” — and stop there. That’s an understandable but incomplete read. The exemption is real and broad, but it’s not total, and the piece that survives is the one most directly tied to a firm’s actual document-handling practice.
What the legal-claims exemption actually covers
Section 17(1) exempts processing necessary for enforcing a legal right or claim, or that a court or tribunal requires, from most of the DPDP Act’s substantive obligations. That reaches deep into what a litigation or advisory practice does day to day: preparing pleadings, gathering evidence, managing discovery, and advising on legal rights — processing that would otherwise need the full DPDP machinery (notice, per-purpose consent tracking, some rights-fulfilment duties) can proceed without it when it genuinely falls within this exemption.
What survives the exemption
Section 8(1) and Section 8(5) — the security-safeguards and breach-notification duties — are not exempted. Even where a firm’s processing is otherwise covered by the Section 17(1) legal-claims exemption, it must still take reasonable security safeguards to protect the personal data it holds, and it must still report a personal-data breach if one occurs. This is a deliberate design: the exemption relieves the procedural and consent-related machinery around exempt processing, but it doesn’t relieve the basic duty to keep the data secure and to be honest when security fails.
Why privilege isn’t a security standard
Attorney-client privilege and professional confidentiality govern who can be compelled to disclose information — they say nothing about how a document is actually stored or transmitted. A firm can maintain rigorous privilege discipline (never disclosing a client’s confidential matter without authorisation) while still emailing unencrypted evidence bundles, storing client documents on an unsecured shared drive, or leaving digital signatures and case files accessible to more staff than the matter needs. the Act’s surviving security duty is the layer that specifically targets that gap — it doesn’t ask whether disclosure was authorised, it asks whether reasonable safeguards were in place regardless.
What this means for firm practice
The exemption changes what a firm has to document about why it’s processing data; it doesn’t change how the firm should be storing and transmitting it.
- Keep the security basics in place for every matter, exempt or not — access control by matter/team, encryption for sensitive documents in transit, no case files sitting in personal-device downloads folders.
- Have a breach-response plan that covers exempt matters too — a leaked litigation file is reportable the same way a leaked client-onboarding record is.
- Don’t let “it’s exempt” become “it’s unmonitored.” The exemption is about the notice-and-consent machinery, not a licence to relax storage and access discipline.
- Distinguish exempt processing from the rest of the file. A firm handling both the litigation matter and, say, the client’s general billing and onboarding data should apply full DPDP discipline to the latter even while the former sits under the exemption.
Choosing tools that actually meet the security bar
“We use email and a shared drive” isn’t a security architecture — it’s the absence of one, and it’s still the default at a large share of Indian litigation practices. A defensible baseline doesn’t require enterprise legal-tech spend; it requires deliberately choosing tools over defaults. A case-management or document-management platform with genuine matter-level access control (not just folders anyone at the firm can browse into) replaces the shared-drive default. Encrypted email or a secure file-transfer tool replaces sending evidence bundles as plain attachments. A password manager with firm-wide enforcement replaces the informal habit of reused or weak passwords on client-facing accounts. None of this is exotic technology — the gap at most firms isn’t availability, it’s that no one made choosing the secure option the default rather than the exception.
E-discovery and litigation-support vendors are processors too
Handing a document set to an e-discovery vendor for review, or to a court-reporting service for transcription, doesn’t move that data outside the firm’s responsibility — it adds a Data Processor the firm needs a real agreement with. These vendors routinely see the same privileged and sensitive material the firm itself handles — sometimes more of it at once, since e-discovery review platforms are built to search across an entire document set. A written agreement covering the vendor’s own security obligations, what happens to the data if the engagement ends, and confirmation the vendor isn’t repurposing anything beyond the specific matter, is the same discipline the firm would expect if it were the client handing data to an outside party — because functionally, that’s exactly what’s happening.
Cross-border litigation: privilege doesn’t travel, the security duty does
Where a matter involves a foreign court, a foreign co-counsel, or evidence that needs to move across a border, attorney-client privilege doesn’t automatically travel with the data the way some firms assume — but the DPDP Act’s security duty does, regardless of where the data ends up. Privilege rules vary by jurisdiction, and a document privileged under Indian law isn’t guaranteed the same protection once it’s in a foreign court’s hands — that’s a separate legal question worth its own advice for any cross-border matter. What doesn’t change is the firm’s own security obligation for the transfer itself: the same encrypted-channel, access-controlled discipline this piece describes applies whether the recipient is down the hall or on another continent, and DPDP’s cross-border transfer rules (a negative list, currently no restricted countries) sit alongside that duty rather than replacing it.
FAQ
Does the legal-claims exemption mean law firms are entirely outside the DPDP Act?
No — it exempts most obligations for processing genuinely tied to enforcing a legal right or claim, but the security-safeguards and breach-notification duties (Section 8(1) and 8(5)) survive and apply regardless.
Is client data covered by attorney-client privilege automatically secure under the DPDP Act?
No — privilege governs compelled disclosure, not storage or transmission security. A firm still needs reasonable technical and organisational safeguards for privileged documents, same as any other personal data it holds.
Does a firm need to report a breach of privileged litigation files?
Yes — the breach-notification duty isn’t exempted by Section 17(1), so a breach involving exempt litigation data still triggers the same reporting obligation as any other breach.
Does the exemption cover all of a law firm’s data, or just litigation-specific processing?
Just the processing genuinely tied to enforcing a legal right or claim, or required by a court. A firm’s general client onboarding, billing and non-litigation advisory data doesn’t automatically fall under the same exemption.
Does an e-discovery vendor need a formal data-processing agreement?
Yes — the vendor is functionally a Data Processor handling the firm’s client data, and needs the same security and return-or-destroy terms any outsourced processing relationship should have.
If a document moves to a foreign court, does the firm’s security duty still apply?
Yes — the DPDP Act’s security obligation doesn’t stop at the border. Privilege protection may vary by jurisdiction (a separate legal question), but the firm’s own duty to handle the transfer securely doesn’t change based on the recipient’s location.