Editorial
The Data Protection Board's first 90 days: rulings, gaps, and the cases to watch
The Board is finding its voice slowly. Three preliminary rulings, a flurry of complaints, and a quiet conversation about what 'significant data fiduciary' will actually mean in practice.
The Data Protection Board of India began hearing matters earlier this quarter, and the first ninety days of activity offer a useful preview of how it intends to work. Three preliminary rulings have been issued, all on procedural points. Two complaints have been heard on merits — both involving allegedly excessive data collection by ed-tech platforms. Nineteen complaints remain pending.
What the early rulings tell us
The Board has signalled, in two of its three rulings, that it intends to take a strict view of notice quality. A notice that merely lists categories of data without explaining the purpose for which each is collected has been flagged as non-compliant. A notice that is given only in English and Hindi, without other scheduled languages, has been flagged as insufficient where the platform operates across linguistic regions.
Both points are unsurprising on a plain reading of the Act, but the speed with which the Board has moved on them is notable. The early signal is that procedural compliance — was the notice properly given, in the right language, with the right specificity — will be the Board's opening lever before it moves to substantive questions about consent design or breach response.
The Significant Data Fiduciary question
The most-watched open question is who the Central Government will notify as Significant Data Fiduciaries. The Act allows the SDF designation based on volume, sensitivity, risk to electoral democracy, and impact on sovereignty. Industry expectation has settled on a list that will include the largest social platforms, the top-tier banks, and the major credit bureaus. The Board has indicated, informally, that it expects the first notifications by the next quarter.
SDF designation triggers DPO appointment within 30 days.
Annual data audits become mandatory.
Algorithmic risk assessments must be filed for any automated decisioning that uses personal data.
Cases worth watching
Three pending complaints will probably define the doctrine in the next ninety days. The first involves a ride-hailing app's location retention policy; the second, an insurer's use of health data shared during a quote flow; the third, a lender's onward sharing of credit scores with a credit bureau. Each will force the Board to make doctrinal choices about purpose limitation that the Act leaves to the regulator.
