India: Closed consultation on Digital Personal Data Protection Act including data protection authority governance

On 2 January 2023, the public consultation on the Digital Personal Data Protection (DPDP) Act, which includes rules expanding data protection authority governance, closed. The Ministry of Electronics and Information Technology (MeitY) extended the deadline for submitting comments from 17 December 2022 to 2 January 2023. The Act would amend the Information Technology Act of 2000 and the Right to Information Act of 2005 and would apply to data collected online and data collected offline then digitized within Indian territory, as well as data collected outside the country if they show correlations with Indian individuals. The Act would require the government to create the Data Protection Board of India, which would have enforcement jurisdiction over the provisions of the Act. This jurisdiction would include the power to make determinations of non-compliance, take appropriate measures, and issue fines. The Act also establishes a list of maximum penalties for various types of non-compliance, with a maximum penalty of INR 250 crore (2.5 billion) for failure to take appropriate cybersecurity measures.