Vault.in
10 May 2026 · DPDP · 6 min read

What we learned from the first set of DPB orders.

Three patterns emerge from the Board's early decisions: mediation-first, narrow grounds for refusal, and a clear preference for hashed evidence.


The Data Protection Board of India began processing individual complaints in early 2026. As of early May, a working pattern is visible in the Board's decisions. Three observations stand out.

Mediation comes first.

The Board has, in every individual-erasure case we have tracked through to disposition, attempted mediation before formal proceedings. The mediation usually takes the form of a written demand from the Board secretariat to the named Fiduciary, asking the Fiduciary to act within a defined timeline (typically fourteen to thirty days) and to file a compliance report.

In about seventy percent of the cases we have observed, the Fiduciary complied during the mediation window. The remaining thirty percent either took the matter to formal hearing or filed for an extension. The extensions were granted sparingly and never beyond thirty additional days.

Refusal grounds have narrowed.

Fiduciaries are testing what counts as a valid refusal under Section 12. The Board has so far accepted only two grounds: a clear statutory retention obligation (KYC under banking regulations, GST records under tax law, regulated medical records), and a genuine identity-verification failure (where the data subject could not be reliably matched to the data held).

Several creative grounds have been rejected: "we need it for analytics", "we might want it for product improvement", "we have a legitimate interest in keeping it". Each was tried at least once in early hearings and each was rebuffed. The Act's text is restrictive and the Board has read it that way.

Hashed evidence is treated more seriously.

In two early hearings, the Board distinguished between evidence captured as a bare screenshot and evidence captured with a chain-of-custody log including SHA-256 hashes. The latter was treated as substantially more credible, particularly when the Fiduciary tried to argue that the exposure either never existed or had been removed before the complaint was filed.

This is operational gold for us. We capture every exposure with a SHA-256 hash of the rendered screenshot and the raw HTML, plus a chain-of-custody log entry showing the timestamp in IST, the worker version, the proxy IP geo-region, and the user agent. Every evidence pack we file is built to this standard.
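The capture record described above, as an added Python example that is not Vault.in's code: it hashes the screenshot and raw HTML with SHA-256, stamps the entry in IST, and later checks artifacts against the log. The field names, the sample values, and the linking of each entry to the previous entry's hash are assumptions, not details from this article.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # India Standard Time, UTC+05:30
GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the digest reproducible.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def record_capture(log, screenshot, raw_html, *, worker_version, proxy_region,
                   user_agent, now=None):
    """Append one custody entry; chaining to the previous entry is an assumption."""
    entry = {
        "captured_at_ist": (now or datetime.now(IST)).astimezone(IST).isoformat(),
        "screenshot_sha256": sha256_hex(screenshot),
        "raw_html_sha256": sha256_hex(raw_html),
        "worker_version": worker_version,
        "proxy_region": proxy_region,
        "user_agent": user_agent,
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, artifacts):
    """Return a list of problems; artifacts[i] is (screenshot, raw_html) for entry i."""
    problems, prev = [], GENESIS
    for i, (entry, (shot, html)) in enumerate(zip(log, artifacts)):
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if entry_digest(entry) != entry["entry_sha256"]:
            problems.append(f"entry {i}: log entry altered")
        for name, data in (("screenshot", shot), ("raw_html", html)):
            if sha256_hex(data) != entry[f"{name}_sha256"]:
                problems.append(f"entry {i}: {name} does not match hash")
        prev = entry["entry_sha256"]
    return problems

if __name__ == "__main__":  # constructed sample artifacts, not real captures
    log, art = [], (b"constructed-png-bytes", b"<html>constructed</html>")
    record_capture(log, *art, worker_version="example-0.0", proxy_region="IN",
                   user_agent="ExampleCapture/1.0")
    print(verify_log(log, [art]), verify_log(log, [(art[0], b"edited")]))
```

Because each entry's digest covers the previous entry's digest, editing an earlier entry and recomputing its hash still surfaces as a broken link on the next entry.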

The takeaway for anyone filing under DPDP: hashed evidence is more than a nice-to-have, and the Board treats it that way.

