Data protection in India

Ikigai Law

Ikigai Law is headed by Anirudh Rastogi , Nehaa Chaudhari and Aparajita Srivastava who is well rated for her ‘high degree of understanding of the data economy’. Based in New Delhi, the team is considered ‘young’ and ‘razor sharp’ when advising on any aspects of data governance and the ever-changing regulatory landscape. It keeps clients abreast of EU GDPR, APAC and other global regimes and advises clients from tech startups to the largest e-commerce companies, technology, global cloud service providers and venture capital firms. It also advises a number of industry bodies. Of late, its work spans, data handling including international data transfers, localization requirements, healthcare apps, digital payment systems and data breaches. Principal associate, Sreenidhi Srinivasan advises on data governance and cyber security and Aman Taneja assists clients with IP as well as issues relating to online content regulation and data breaches.

Other key lawyers:

Sreenidhi Srinivasan; Aman Taneja

Testimonials

‘The team has a strong ‘data’ practice with a culture of looking data policies over a good period of time. They are able to respond on time and execute well both of which are necessary in the sector. The team is able to combine legal knowledge and policy awareness in their service offerings.’

‘The individual team members are young, competent, hungry and humble. I would rate Sreenidhi highly in the team who works with dedication and commitment. ’

‘The team at Ikigai Law is highly competent when it comes to data governance laws. Our experience with Nehaa Chaudhari and her team has been remarkably good for both personal data privacy regulations as well as India’s draft non personal data governance framework. The team has very high levels of understanding in regards to data-oriented businesses and data laws across jurisdictions. We have engaged the data protection team of Ikigai Law many a times in past for conducting orientation sessions and detailed training programs on GDPR and Indian PDP Bill and they team could bring in a lot of value on the table. The data protection team at Ikigai Law is razor sharp and well versed with the relevant data laws around EU, Asia Pacific, and India.’

‘We have worked with Nehaa Chaudhari and her team. We found them extremely competent in assessing the business impact of some of these newly drafted data privacy and protection laws around the world. Nehaa is highly professional in her commitments and brings on board perspectives which people often tend to overlook but may be extremely fatal for businesses. She is very articulative and has a high degree of understanding of data economy. She is also extremely good in her communication and can bring out her case without much persuasion. ’

Key clients

Mobile Premier League

Cutting Chai Content

NASSCOM

Data Security Council of India

Sequoia Capital

MedoPlus

Shaip.AI

1Tab

Aviyel

Work highlights

  • Advising MPL, one of India’s largest digital gaming platforms, on its data-handling practices, in anticipation of India’s upcoming data protection law and global best practices.
  • Advised CCC, a content production company, creating a first-of-its-kind mobile app to collect video-based consent for data collection.
  • Advising DCSI on providing recommendations for a well-balanced encryption policy.

IndusLaw

A dedicated team at IndusLaw is in demand for advice not only relating to Indian data protection laws but is also well versed on many of the international regimes including those of the EU and California. It is therefore well placed to advise on cross-border data processing and transfers. Its client base is made up of  domestic and global corporations and clients are referred to the team by well known, global law firms. It also participates in government legislation proposals; it has been involved in the consultation processes for the Personal Data Protection Bill. Based in Delhi and Bengaluru, Avimukt Darr, Srinivas Katta, Suneeth Katarki, Namita Viswanath and Shreya Suri lead the practice. In addition to data transfers, data sharing and privacy matters, it assists clients on security breaches, blockchain technology and a range of disputes. Its clients include those in financial services, health care and logistics and telecoms.

Practice head(s):

Avimukt Darr; Srinivas Katta; Suneeth Katarki; Namita Viswanath; Shreya Suri

Testimonials

They are responsive and knowledgeable,  Kartik Ganapathy has provided some invaluable help for our clients in India.’

Key clients

Google

RKSV Securities

reMarkable

1MG

Moody’s Corporation

Mobikwik

Airmeet

Ecom Express

Innovative Retail Concepts Private Limited

Swasth Digital Health Foundation

Work highlights

  • Advised Airmeet on compliance with EU-GDPR and CCPA in the context of a globally accessible platform for virtual summits
  • Advised Moody’s on data privacy regulations in India in the context of undertaking business in the country.
  • Advised Innovative Retail Technologies Private Limited (BigBasket) on dealing with a data security incident, including regulatory compliance, reporting obligations and revising data security policies.

Khaitan & Co.

Supratim Chakraborty in Kolkata, and ‘go-to’ advisor Harsh Walia in New Delhi head a top-flight practice at Khaitan & Co. In addition to advising on all aspects of data protection, complex cross-border data transfers and cyber security/data breaches, it is called upon by government departments to advise on policy matters and proposed legislation. It also advises global and domestic clients on unchartered matters such as IoT services where, for example the transfer of data to and from machines and also areas such as the effects of the EU’s Schrems II ruling. This substantial practice draws on its skills in its corporate, competition, technology and telecom practices; Abhinav Chandan (NG) skills combines TMT, regulatory and corporate with data protection; Anisha Chand (Ms)’s practice straddles competition/antitrust law and data protection. The team of associates includes Shobhit Chandra and Sumantra Bose whose experience is across telecom, IT and data privacy.

Practice head(s):

Supratim Chakraborty; Harsh Walia

Other key lawyers:

Shobhit Chandra; Sumantra Bosenk; Abhinav Chandan; Anisha Chand

Testimonials

‘Harsh Walia is a key member of Khaitan’s TMT practice and my go-to lawyer for anything TMT and data related in India. ’

‘Harsh Walia is very easy to work with, and reliable in terms of delivering on work products that are aligned with my and our clients’ expectations. ’

Key clients

Jio Platforms Limited

BT Global Communications India Private Limited

Accenture Solutions Private Limited

Softbank (SB Investment Advisers (UK) Limited)

BMW India Private Limited

Microsoft Corporation India Private Limited

Youzu (Singapore) Private Limited

Extension for Community Healthcare Outcomes (ECHO) India

Komori Corporation

Deutsche Welthungerhilfe e.V

Asiainno Network (India) Private Limited

Work highlights

  • Advised BMW India Private Limited on data privacy and protection aspects in an absolutely unchartered territory of IoT services where machines will be transferring data to machines and traditional concepts related to consent were not applicable.
  • Advised BT Global Communications India Private Limited in view of Schrems-II ruling of the Court of European Union. Since BT has large outsourcing units in India an assessment of the laws relating to surveillance was necessary to examine whether the flow of data is legally permitted or not.
  • Advised Softbank (SB Investment Advisers (UK) Limited) on data privacy and protection aspects for its investment by way of subscription to primary securities aggregating to USD 150 million in Sorting Hat Technologies Private Limited which operates a leading education technology platform called Unacademy.

Spice Route Legal

Based in Bengaluru, Mathew Chacko, co-founder of Spice Route Legal, has decades of experience of data protection as part of his wider TMT expertise. In addition to assisting clients on the full range of data privacy/security, transfers and data compliance, it also advises on blockchain, Fintech services and products, and various uses of AI. Clients range from global tech companies, other corporates and financial services companies. ‘Stand out‘ senior associate Aadya Misra is in demand for advice on the implications of the Schrems-II decision regarding GDPR, managing security incidences/post breach security and the RBI’s localisation requirements.

Practice head(s):

Mathew Chacko

Other key lawyers:

Aadya Misra

Testimonials

‘Very business orientated, follows deadlines, answers are to the point.’

‘Aadya Misra was very approachable and delivered under tight deadlines.’

‘The data team at SRL is very well versed with the India data regime and their international exposure gives them the ability to take a view on its potential evolution. While working with them on a company wide data gap analysis it is evident that there are very few scenarios that they have not thought of or have not advised on. As in house counsel this sort of industry understanding is invaluable. And as always, SRL is able advise keeping in mind the challenges of a tech company and its unique business.’

‘Mathew and Aadya stand out as the team members who take point on data advisory and actioning. As the requirements of the company are cross jurisdictional, it is a significant differentiator that they are able to run India, have a preliminary view on international positions and effectively coordinate with international counsels. It’s excellent to be able to rely on Mathew and Aadya to run a project globally, at competitive rates but unquestionably high quality standards; both their own and the counsels they partner with.’

Key clients

Disney + Hotstar

IBBIC Pvt Ltd (formerly known as Blockchain India Consortium)

Airtel

Trade Desk

Urban Company

Adobe Inc.

Quintype

Milaap

Sahamati

VeriSign

Instamojo Inc.

Moët Hennessy

Miner’s Inc.

Impelsys Inc.

ICICI Bank

Strand Lifesciences

Cathay Pacific

Locus

Farmify

Super Unlimited

Talview

yBanq

Emptech

Work highlights

  • Advising Fiserv, a fintech company in the Fortune 500, on various issues, including: the Reserve Bank of India’s data localisation requirements; the deployment of an employee monitoring software to gauge employee satisfaction; and the data implications of setting up employee-directed initiatives in the wake of India’s second wave COVID-19 crisis.
  • Advising longstanding client ideaForge – India’s leading drone manufacturer – on complicated issues concerning supply of data, the use of AI/machine learning (ML) tools on biometric data, and data ownership in connection with the deployment of AI-powered drones to measure social distancing norms in public spaces in India after initial Covid-19 lockdown restrictions were eased in the summer of 2020.
  • Assisting Instamojo with structuring its operations in light of the Payment Aggregator Guidelines by implementing suitable processes and procedures, particularly concerning its IT governance policy, cybersecurity policy, and compliance with the IT recommendation prescribed by the RBI.

Trilegal

From their base in Bengaluru, Rahul Matthan, Nikhil Narendran and Jyotsna Jayaram lead the TMT/data protection practice at Trilegal. Thanks to its deep expertise, some of the world’s and India’s largest TMT companies go to the firm for guidance on the various regulatory regimes, and proposed changes to areas including data transfers across FinTech, HealthTech and satellite communications and e-commerce generally. It is also involved in consultations regarding proposed new legislation, for example the Personal Data Protection Bill, and the report by the Committee of Experts on Non-Personal Data Governance Framework. It also assists clients on a range of IT-related disputes.

Other key lawyers:

Deepthi Rajeev

Key clients

Nets Denmark A/S

LVMH Moët Hennessy Louis Vuitton (LVMH)

Thales Group

Jubilant Foodworks Limited

Work highlights

  • Advised on the impact of Indian data protection laws on Accenture’s practices and policies and its equivalence under EU laws.
  • Carried out a comparative analysis of the proposed Personal Data Protection Bill, 2019 against the EU GDPR.
  • Assisted with advising on the roll-out of COVID-19 protocols in light of India data protection laws.

Kochhar & Co.

Stephen Mathias is the driving force at Kochhar & Co.  Aside from his deep experience, he has ‘a feel for the commercial risks of a course of action’. Global law firms such as Bird & Bird, Hogan Lovells and Ashurst routinely refer their clients to the firm on cross-border and India data privacy issues, the various sector regulations and cyber security in areas including banking and finance payment systems, insurance and telecoms matters. Data localization and offshore access to personal data are some of the key areas of advice sought. Associates Naqeeb Ahmed Kazia and Arun Babu are fully focused on this area; the latter is also a qualified as an electronics and communications engineer and is especially experienced in cyber security.

Practice head(s):

Stephen Mathias

Other key lawyers:

Naqeeb Ahmed Kazia; Arun Babu

Testimonials

‘Depth of knowledge across the practice of data protection, not just in India but internationally, so a good choice of firm if you are a foreign company doing business with or in India.’

‘Stephen Matthias has a real depth of knowledge of data protection and a feel for the commercial risks of a course of action.’

Key clients

Bird & Bird

Hogan Lovells

Littler Mendelson

Mayer Brown

Shakespeare Martineau

Optum

Orrick

Cisco

Wilson Sonsini

Ashurst

Samvad Partners

With a ‘real can-do‘ attitude, Samvad Partners has a highly experienced team dealing with data security, cyber thefts, privacy and data handling generally. Its work spans both advisory (good policies/best practices) and contentious issues including investigations and IP infringements. Rohan George in Chennai and Neela Badami and Nivedita Nivargi in Bengaluru lead a practice which uses the data governance app, Aapti.in, which provides clients with a range of information on how legal processes are being affected by COVID. The firm has also partnered with the Centre for Social and Behaviour Change Communication in order to provide its staff with a range of wellness sessions. The team has also been advising clients on areas such as the implications of the GDPR on Indian companies, and the Indian Personal Data Protection Bill. The team combines this with corporate/commercial advice, for example, assisting technology companies on funding. Savani Gupte (partner) joined the team from Khaitan & Co. in March 2021.

Practice head(s):

Mr. Rohan K George; Ms. Neela Badami; Ms. Nivedita Nivargi

Other key lawyers:

Kevin Robin; Savani Gupte

Testimonials

‘Samvad have a real “can do” attitude, coupled to a commitment to provide practical and commercial advice. They are extremely accessible and down to earth: very easy to get along with and always seem to go the extra mile for you.’

‘Rohan George: super bright, practical and efficient, he knows the market well and is always up to date and current in his advice Neela Badami: very switched on, very client friendly and very good at what she does.’

Key clients

ADReS

Altlifelab Solutions Private Limited

Dhiway Networks Private Limited

GILDEMEISTER Beteiligungen GmbH (DMG Mori AG)

Hevo Technologies India Private Limited

FA Consulting

Joveo Inc

Mahua Moitra

Moveinsync Technology Solutions Private Limited

Socion Advisors

Vyng Inc.

Work highlights

  • Advised VenusGeo Solutions LLC in an all-encompassing role in terms of advising this client on the regulatory/legislative limitations that may emerge with the introduction of its operations in India.
  • Advised DHIway Networks Pvt Ltd. on its role as an intermediary and relevant data protection compliances under the current and future data protection regime in India.

AZB & Partners

Although there is not a specific, dedicated data protection team at AZB & Partners, it is home to a number of lawyers who are highly experienced in the area of data protection and TMT more broadly. Rachit Bahl in Delhi advises a range of corporates on fintech and telecoms matters including regulatory regimes and online pharmacy and healthcare businesses. Based in Mumbai, Nandan Pendsey‘s expertise is a blend of data protection, IP and IT. Anind Thomas in Bangalore assists multinationals and Indian companies and financial institutions on data privacy and information security policies in India, cross-border transfers of personal data and potential data breaches in the context of corporate investigations or mergers and acquisitions. The practice includes partner Rohan Bagai (in Delhi) who has extensive experience in the fintech space including cryptocurrencies and blockchain, and senior associate Gautam Rego (Bangalore) whose team is praised as ‘one of the best in the telecom data sector‘.

DSK Legal

In concert with a well-established TMT practice, DSK Legal provides a range of data protections expertise across regulatory compliance, investigations, and disputes. It assists clients with implementing data privacy and protection policies, including dealing with international transfers as they relate to Indian laws. Data mapping and audits are carried out to review clients’ practices and it advises on security breaches and notifications to regulatory authorities. Its clients include a strong roster of telecoms and electronics companies, logistics, healthcare and social media companies. Rishi Anand, who has established technology and corporate practices, heads the team and associate partner, Nakul Batra (also a qualified computer science engineer) combines corporate/commercial skills with technology transfers, blockchain, and virtual reality/online gaming advice. Principal associate, Jitendra Soni advises technology clients on corporate/commercial matters along with subjects including e-commerce, bioinformatics and general protection of data.

Practice head(s):

Rishi Anand

Other key lawyers:

Nakul Batra; Jitendra Soni

Testimonials

DSK’s team is responsible, proficient, and highly motivated. They helped us complete a deal spanning over 5 months – completely online. And we never felt that their physical absence was detrimental.

Nakul Batra worked on our case. We found in his work and his demeanour to be excellent. We couldn’t have hoped for better. The team has a strong ‘data’ practice with a culture of looking at data policies over a good period of time. They are able to respond on time and execute well both of which are necessary in the sector. The team is able to combine legal knowledge and policy awareness in their service offerings.’

Key clients

Amazon Digital Services Private Limited

Blue Dart Express Limited

Guangdong OPPO Mobile Telecommunications Corp., Ltd., China

HDFC Securities Limited

Herbalife International Inc., USA and Herbalife International India Private Limited

House of Masaba Lifestyle Private Limited

Mohalla Tech Private Limited

MoneyClub Technologies Private Limited

Moody’s Shared Services UK Limited

OnePlus Technology (Shenzhen) Co. Ltd.

Promoters of Competent Synergies Private Limited

Reliance Retail Limited

Shenzhen TCL Digital Technology Ltd., China

Shenzhen Transsion Holdings Co., Ltd., China

STT Global Data Centres India Private Limited

Voestalpine AG

Wingtech Technology Co., Ltd. and Wingtech Mobile Communications India Private Limited

Lakshmikumaran & Sridharan

Lakshmikumaran & Sridharan‘s data protection/TMT practice serves corporates, public sector bodies and not-for-profit organizations on all areas of data protection, governance, regulatory and data breaches, combined with IP protection and dispute resolution. Based in New Delhi, Charanya Lakshmikumaran heads the regulatory and appellate litigation practice and Prashant Phillips advises on all areas of data protection and data privacy – this combined with expertise in IP protection, especially patents and industrial designs.

Key clients

Amazon

Cashgrail Private Limited

Predible Health

Carrier Midea India

Poker Sports League

Hike Messenger

Dream 11

Work highlights

  • Advised Amazon Payments on a range of matters including comparative analysis of issues and application of law under GDPR and the proposed Personal Data Protection Bill and impact on IP rights; contract tracing apps and impact of  the P2B Regulations issued by the European Parliament.      
  • Advised Cashgrail Private Limited on privacy policies for use for  gaming platforms and compliance requirements for hosting cash and non- cash based games on the Google Play Store.
  • Advised Predible Health on the treatment of health data in India for the purposes of drafting research agreements and under the Personal Data Protection Bill for cross border transfer of health data and related IP issues.

Majmudar & Partners

Well known for its broad TMT expertise, especially big tech transactions, Majmudar & Partners combines such work with data handling within a range of regulatory systems. In the course of M&A deals, licensing and outsourcing mandates, it assists Silicon Valley and global tech/social media companies on the complex rules around the collection or transfer of personal data. Its expertise also encompasses areas such as AI and advice on data security. Akil Hirani and Neerav Merchant in Mumbai and N. Raja Sujith in Bangalore, lead the practice which is appreciated for its ‘realistic approach’. It is also praised on the client service front for ‘transparent billing’ and attitude to ‘business ethics’.

Testimonials

Excellent collaboration with the client. Transparent billing. Easy to approach.’

‘Realistic approach, good interaction, and business ethics.’

Key clients

Charles Schwab US

ChargePoint, Inc.

Advanced Micro Devices, Inc.

Abbott Laboratories

Gallagher Service Centre LLP

TikTok/Bytedance

Maven Silicon Softech Pvt Ltd.

Work highlights

  • Advised ChargePoint, Inc. a leading US-based electric vehicle infrastructure company based in Campbell, California, in connection with protection of personal data as well as the government’s powers to intercept and monitor information.
  • Advised Gallagher Service Centre LLP on implications of data privacy law on remote working applications which collect employee data.
  • Advised Advanced Micro Devices, Inc. (NASDAQ: AMD), a US-based multinational semiconductor company based in Santa Clara, California, on Indian data protection compliances pertaining to collection of personal data of employees of third-party business partners.