News & Developments

Press Releases

TLH Advises CtrlS Datacenters in CAD 1 Billion Strategic Partnership with CPP Investments

22 June 2026

TLH, Advocates & Solicitors advised CtrlS Datacenters Ltd. in its landmark strategic partnership with Canada Pension Plan Investment Board (CPP Investments), one of the world’s largest and renowned fund managers, involving a commitment of up to C$ 1 billion in India’s digital infrastructure sector.

The transaction comprises two components: a C$ 588 million equity investment by CPP Investments for an 8.2% stake in CtrlS Datacenters Ltd., and a C$ 441 million joint venture between CPP Investments and CtrlS to develop and operate data centre campuses across India. The partnership positions CtrlS to accelerate its hyperscale build-out as demand for AI and cloud infrastructure in India continues to grow at pace.

This transaction is a strong signal of global institutional confidence in India’s digital infrastructure story and reflects the increasing appetite of sovereign and pension capital for scaled, income-generating assets in the Indian market.

Firm’s Role

TLH acted as legal counsel to CtrlS Datacenters Ltd., advising across the full spectrum of the transaction, including deal structuring, transaction documentation, and competition law advisory in connection with the investment and joint venture arrangements.

Deal Team

The TLH team was led by Founder & Managing Partner Shailendra Komatreddy and Partner Prateek Batra and comprised Associates Anirudh Krishna and Vanshika Gupta, with competition advisory provided by Mathew George.

About TLH, Advocates & Solicitors

TLH, Advocates & Solicitors is a full-service law firm headquartered in Hyderabad, with offices in Delhi NCR and Vijayawada. The firm advises domestic and international clients on complex transactions, regulatory matters, and disputes across a wide range of sectors. Recognized for its legal excellence and client-centric approach, TLH has been consistently ranked and recommended by leading legal directories, including Chambers and Partners, The Legal 500, and Benchmark Litigation.

For media enquiries, please contact: [email protected]
Website: www.tlh.law
TLH, Advocates & Solicitors - July 2 2026
Press Releases

KSK Secures Interim Injunction for Andhra Pradesh Deputy Chief Minister Sri Konidala Pawan Kalyan in High-Profile Defamation Suit

Bengaluru, June 17th 2026: In a significant legal victory for Andhra Pradesh Deputy Chief Minister and Jana Sena Party President Sri Konidala Pawan Kalyan, the Bengaluru City Civil Court has granted an interim injunction restraining the publication and circulation of allegedly defamatory content concerning him across various digital and social media platforms.

The suit was instituted following the circulation of a series of videos, articles, social media posts, and online publications alleging that Sri Pawan Kalyan had encroached upon public land and water bodies in Telangana. The Plaintiff asserted that the allegations were entirely false, malicious, and designed to tarnish his reputation as a public servant, political leader, and public figure.

Recognising the seriousness of the allegations and the potential for irreparable reputational harm, the Court passed an interim order restraining the defendants and all persons acting through them from publishing, republishing, broadcasting, transmitting, uploading, displaying, or otherwise disseminating the impugned content. The Court further directed the concerned social media intermediaries to block access to the allegedly defamatory material pending adjudication of the dispute.

In a subsequent hearing, the Court expanded the scope of protection by modifying its earlier order to expressly include additional URLs, videos, and content sources identified by the Plaintiff, ensuring comprehensive interim relief against the continued circulation of the impugned material.

The matter assumes particular significance given Sri Pawan Kalyan's stature as the Deputy Chief Minister of Andhra Pradesh and one of India's most prominent political leaders. The order highlights the judiciary's willingness to intervene where digital publications are alleged to cause serious and immediate harm to an individual's reputation, while reaffirming that freedom of expression carries with it corresponding responsibilities.

The case also represents an important development in the evolving legal landscape governing online defamation, intermediary liability, and the regulation of digital content in India.

Senior Counsel Dr. Aruna Shyam M appeared on behalf of the Plaintiff and successfully advanced the case before the Court. The matter was led and strategically handled by Navod Prasannan, Rahul Mehta, and Atul Menon, Partners at King Stubb & Kasiva, along with Mehak C and Maya B from the firm's Dispute Resolution team.

Statement from the Legal Team

"This order reinforces a fundamental principle that reputation is an invaluable right deserving of protection, irrespective of the medium through which defamatory content is disseminated. In an era where digital publications can spread instantly and cause far-reaching harm, timely judicial intervention remains critical in safeguarding individuals from the consequences of false and misleading allegations."

The matter is presently pending further proceedings before the Bengaluru City Civil Court.

Appearances

For the Plaintiff: Sri Konidala Pawan Kalyan
Dr. Aruna Shyam M, Senior Counsel
Navod Prasannan, Partner, King Stubb & Kasiva
Rahul Mehta, Partner, King Stubb & Kasiva
Atul N. Menon, Partner, King Stubb & Kasiva
Mehak Chaichani, Associate, King Stubb and Kasiva
Maya B, Associate, King Stubb and Kasiva
King, Stubb & Kasiva - July 2 2026
Employment

ESOPs in India: 20 Common Legal Mistakes Startups Make and How to Avoid Them

Introduction

Employee Stock Option Plans (ESOPs) have emerged as one of the most effective tools for attracting, motivating and retaining talent in India’s increasingly competitive startup ecosystem. As startups seek to conserve cash while competing for skilled employees, equity-based compensation has become a critical component of employee reward structures. From early-stage ventures to unicorns and publicly listed companies, ESOPs are widely used to align employee interests with long-term business growth.

However, despite their popularity, many startups fail to appreciate that ESOPs are not merely compensation tools, they are legal instruments governed by corporate, tax, foreign exchange and securities regulations. Improperly structured ESOP schemes can create significant issues during funding rounds, mergers and acquisitions, investor due diligence exercises, employee exits and public listings. Investors routinely scrutinise ESOP compliance, and defects in implementation can delay transactions, increase legal costs and result in unexpected liabilities.

This article examines the twenty most common legal mistakes startups make while implementing ESOPs in India and outlines practical measures to mitigate legal and regulatory risks.

What Is an ESOP?

An Employee Stock Option Plan (ESOP) gives employees the right to acquire shares of a company at a predetermined price after satisfying specified vesting conditions. ESOPs are designed to: Retain key talent; Reward long-term contribution; Align employee and shareholder interests; Promote an ownership culture; and Reduce dependence on cash-heavy compensation structures. For startups, ESOPs often serve as a strategic alternative to higher salaries, particularly during early growth stages.

Legal Framework Governing ESOPs in India

For private and unlisted companies, ESOPs are primarily governed by: The Companies Act, 2013; The Companies (Share Capital and Debentures) Rules, 2014; Foreign Exchange Management Act (FEMA) regulations, where applicable; Income-tax Act, 1961; and Applicable accounting standards. Listed companies must additionally comply with SEBI regulations governing employee benefit schemes. Understanding these requirements at the outset is essential to avoid compliance failures later.

20 Common ESOP Mistakes Startups Make

Creating an ESOP Pool Without Shareholder Approval

A common misconception among founders is that a board resolution alone is sufficient to create an ESOP pool. Under the Companies Act, shareholder approval by way of a special resolution is generally required before granting employee stock options. Failure to obtain appropriate approvals may call into question the validity of grants and allotments.

Key Takeaway: Ensure that both board and shareholder approvals are obtained before implementing the ESOP scheme.

Using Generic ESOP Templates Without Customisation

Many startups rely on publicly available ESOP templates that fail to address business-specific requirements. Generic plans often omit provisions relating to: Founder exits; Change of control transactions; Good leaver and bad leaver scenarios; Accelerated vesting; Buyback rights; and Liquidity events. Poor drafting frequently leads to disputes at critical stages of the company’s growth journey.

Failing to Clearly Define Vesting Conditions

Unclear vesting provisions are among the most common causes of ESOP disputes. Common issues include: Ambiguous performance criteria; Undefined milestones; Contradictory vesting schedules; and Unclear employment continuity requirements. Vesting conditions should be objective, measurable and clearly documented.

Ignoring Good Leaver and Bad Leaver Provisions

What happens when an employee resigns, retires or is terminated? Many ESOP schemes fail to address these scenarios adequately. A well-drafted ESOP policy should clearly define: Treatment of vested options; Treatment of unvested options; Exercise periods after exit; and Consequences of termination for misconduct.

Poor ESOP Pool Planning

One of the most common founder mistakes is creating an ESOP pool without understanding its impact on dilution. Improper planning can result in: Excessive founder dilution; Investor concerns; Fundraising complications; and Cap table imbalances. ESOP pool creation should always be integrated into broader capitalisation planning.

Granting Options Without Reserving Adequate Shares

Some startups grant options without ensuring that sufficient authorised and reserved share capital exists. This becomes problematic when employees seek to exercise vested options and shares are unavailable for allotment. Companies should periodically review authorised capital and ESOP reserves.

Failure to Maintain Statutory Records

Many startups focus heavily on granting options but neglect compliance documentation. Essential records include: Board resolutions; Shareholder resolutions; ESOP registers; Grant records; and Exercise records. Missing documentation frequently becomes a due diligence issue during fundraising and acquisitions.

Inadequate Grant Letters

An ESOP scheme alone is insufficient. Each employee grant should be supported by a detailed grant letter specifying: Number of options granted; Exercise price; Vesting schedule; Expiry date; and Applicable conditions. Poor documentation often leads to conflicting interpretations of employee rights.

Ignoring ESOP Tax Implications

One of the most frequently asked questions is: How are ESOPs taxed in India? Tax implications generally arise at two stages:

Exercise Stage: The difference between the fair market value of shares and the exercise price may be taxable as a perquisite.
Sale Stage: Subsequent appreciation may be subject to capital gains tax.

Employees should be educated about these tax consequences at the time of grant.

Misunderstanding Startup ESOP Tax Benefits

Certain eligible startups may benefit from deferred taxation provisions relating to ESOPs. However, many companies incorrectly assume automatic eligibility without verifying statutory conditions. Companies should obtain tax advice before relying on such benefits.

Overlooking FEMA Compliance Requirements

Cross-border ESOP structures require careful legal review. Where employees are granted options in an overseas parent entity, businesses must evaluate: FEMA compliance; Reporting obligations; Pricing considerations; and Remittance requirements. Cross-border employee stock option plans should always be reviewed from a foreign exchange perspective.

Ignoring Foreign Employee Requirements

As startups expand globally, ESOP plans increasingly cover employees located outside India. Different jurisdictions may impose: Securities law obligations; Employment law restrictions; Tax reporting requirements; and Disclosure obligations. International expansion often requires local law review.

Not Defining Post-Exit Exercise Periods

What happens to vested ESOPs after an employee resigns? Many startups fail to specify a post-employment exercise window. Clearly defining exercise periods can prevent disputes and employee dissatisfaction.

Failing to Address Mergers, Acquisitions and Corporate Restructuring

Startups routinely undergo: Funding rounds; Acquisitions; Mergers; Group restructurings; and Holding company transitions. ESOP documents should clearly explain how options will be treated during such events.

Ignoring Investor Rights and Funding Round Requirements

Investors frequently negotiate specific protections relating to ESOP pools. Common provisions include: Pre-money ESOP pool requirements; Approval rights; Anti-dilution protections; and Governance controls. Failure to align ESOP planning with investment documentation can create transaction delays.

Lack of Employee Liquidity Planning

Employees value liquidity as much as ownership. Many startups create ESOP programmes without considering: Buyback opportunities; Secondary transactions; Tender offers; and Liquidity events. A well-designed ESOP strategy should address how employees may ultimately monetise their holdings.

Inconsistent Allocation of ESOP Grants

Inconsistent grant practices may create perceptions of unfairness. Companies should establish transparent criteria based on: Seniority; Role criticality; Performance; and Retention objectives. Consistency promotes trust and programme effectiveness.

Poor Employee Communication

Many employees do not fully understand: Vesting schedules; Exercise mechanics; Tax implications; Valuation concepts; and Liquidity opportunities. Regular ESOP education sessions can significantly improve employee engagement.

Failing to Conduct ESOP Compliance Audits

ESOP compliance should be reviewed periodically. Investors and acquirers frequently examine: Shareholder approvals; Grant validity; Cap table consistency; Allotment records; and Regulatory compliance. Periodic internal audits can identify issues before they become transaction obstacles.

Treating ESOPs Solely as an HR Tool

Perhaps the most significant mistake is viewing ESOPs purely as a compensation mechanism. ESOPs sit at the intersection of: Corporate law; Tax law; Securities law; Employment law; Fundraising strategy; and Corporate governance. Successful ESOP implementation requires coordination between legal, finance, HR and management teams.

ESOP Compliance Checklist for Indian Startups

Before implementing or reviewing an ESOP programme, companies should confirm:

Board approvals obtained
Shareholder approvals completed
ESOP scheme legally reviewed
Grant letters issued
Cap table updated
Statutory registers maintained
Tax implications assessed
FEMA implications reviewed
Exit provisions documented
Change of control provisions included
Liquidity strategy considered
Employee communications completed

Frequently Asked Questions About ESOPs in India

Can a Startup Grant ESOPs Without Shareholder Approval?
Generally, no. Shareholder approval by special resolution is typically required under the Companies Act framework.

What Happens to ESOPs When an Employee Resigns?
The answer depends on the ESOP scheme. Most plans distinguish between vested and unvested options and specify a limited post-exit exercise period.

How Are ESOPs Taxed in India?
Tax generally arises at the exercise stage as a perquisite and again upon sale as capital gains, subject to applicable exemptions and rules.

How Large Should an ESOP Pool Be?
While there is no universal answer, startup ESOP pools commonly range between 5% and 15%, depending on hiring plans, growth stage and investor expectations.

What Do Investors Review During ESOP Due Diligence?
Investors typically review approvals, grant documentation, cap tables, dilution impact, vesting provisions and compliance with applicable laws.

Conclusion

Employee Stock Option Plans remain one of the most powerful tools available to startups seeking to attract and retain talent while building long-term enterprise value. However, the benefits of ESOPs can be significantly undermined by poor legal structuring, inadequate governance and regulatory non-compliance.

As investor scrutiny increases and Indian startups mature, businesses must approach ESOP implementation with the same level of diligence applied to fundraising, governance and strategic transactions. A carefully structured ESOP programme not only enhances employee engagement but also improves investor confidence, facilitates smoother transactions and supports sustainable growth. By avoiding the common mistakes discussed above, startups can create ESOP frameworks that are legally robust, commercially effective and aligned with long-term business objectives.

By Priyanka Kwatra, Director - Legal
https://ksandk.com/people/priyanka-kwatra/
King, Stubb & Kasiva - July 2 2026
TMT

DPDP Act 2023: Director Liability, Board Responsibilities and Data Privacy Compliance for Indian Companies

India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) represents one of the most significant regulatory developments affecting corporate governance, data privacy compliance and risk management in recent years. While many organisations initially viewed the legislation as a technology or legal compliance issue, the DPDP Act has rapidly emerged as a boardroom concern requiring active involvement from directors, chief executive officers, managing directors and senior management.

Can Directors Be Liable Under the DPDP Act?

As businesses increasingly rely on digital ecosystems, customer analytics, artificial intelligence, cloud infrastructure and data-driven decision making, the collection and processing of personal data have become central to commercial operations. Consequently, questions relating to DPDP Act compliance, director liability, board responsibilities and data breach management are becoming increasingly important for corporate leadership.

One of the most common questions raised by boards and senior executives is whether directors can be held personally liable for violations of the DPDP Act. While the legislation primarily imposes obligations on organisations acting as Data Fiduciaries, directors and senior management cannot afford to treat data privacy compliance as solely an operational issue. The DPDP Act introduces a governance framework where privacy failures, inadequate oversight and weak compliance systems may create significant legal, regulatory, financial and reputational risks for organisations and their leadership.

Why the DPDP Act Is a Board-Level Governance Issue

Historically, privacy compliance was often delegated to legal, information technology or cybersecurity teams. However, the DPDP Act fundamentally changes the nature of data protection obligations in India. Data privacy is now closely linked with: Enterprise risk management; Corporate governance; Regulatory compliance; Cybersecurity preparedness; Investor confidence; Customer trust; and Business continuity.

The legislation empowers regulators to impose substantial penalties for non-compliance. Depending on the nature of the contravention, penalties may extend up to INR 250 crore for certain violations. For large corporations, financial institutions, healthcare providers, technology companies, e-commerce platforms and multinational enterprises processing substantial volumes of personal data, the consequences of non-compliance can be significant. As a result, boards are increasingly expected to exercise oversight over data governance frameworks and privacy risk management programmes.

DPDP Act Compliance Requirements for Companies

The DPDP Act applies to the processing of digital personal data by entities that determine the purpose and means of such processing. These entities, referred to as “Data Fiduciaries,” are required to comply with several obligations, including: Providing clear and accessible privacy notices; Obtaining valid consent where required; Implementing reasonable security safeguards; Ensuring data accuracy where necessary; Facilitating data principal rights; Establishing grievance redressal mechanisms; Reporting personal data breaches; and Maintaining accountability throughout the data processing lifecycle.

For organisations, compliance extends beyond drafting privacy policies. It requires a structured governance framework supported by technology, processes and executive oversight.

Can Directors Be Personally Liable for DPDP Act Violations?

A critical concern for boards is whether directors, CEOs and managing directors can be personally liable under the DPDP Act. Unlike certain regulatory statutes that expressly impose vicarious liability upon officers in default, the DPDP Act does not generally provide for automatic personal liability of directors for every violation committed by the company. The primary obligations under the Act are imposed upon the Data Fiduciary itself. Accordingly, regulatory penalties are generally expected to be imposed upon the organisation rather than individual directors.

However, this should not be interpreted as providing complete insulation from risk. The absence of express statutory liability does not eliminate governance obligations or accountability expectations imposed upon directors under broader corporate law principles.

Indirect Risks Facing Directors, CEOs and Managing Directors

Although direct personal liability may not arise in every case, directors and senior executives face several forms of indirect exposure when significant privacy failures occur.

Fiduciary Duty and Governance Obligations

Under the Companies Act, 2013, directors are required to exercise due care, skill, diligence and independent judgment in carrying out their responsibilities. Where a significant privacy incident occurs due to inadequate oversight, regulators, shareholders and stakeholders may question whether the board discharged its governance responsibilities appropriately. In many cases, scrutiny focuses less on the occurrence of the incident itself and more on whether adequate governance mechanisms existed before the incident occurred.

Regulatory Investigations

A major personal data breach may trigger investigations by multiple regulators depending upon the industry involved. Apart from privacy-related scrutiny, organisations may also face examination from sector-specific regulators, consumer protection authorities, financial regulators and other governmental agencies. Senior management may be required to demonstrate that appropriate privacy compliance frameworks and cybersecurity safeguards were implemented.

Shareholder and Investor Concerns

Institutional investors increasingly assess cybersecurity and data governance risks when evaluating companies. A significant privacy incident may affect investor confidence, corporate valuation and governance ratings. As environmental, social and governance (ESG) considerations continue to evolve, data privacy is increasingly viewed as an important governance metric.

Executive Accountability

Globally, major cybersecurity and privacy incidents have often resulted in increased scrutiny of CEOs, CIOs, CISOs and other senior executives. Although liability may not necessarily be personal under the DPDP Act, executive accountability expectations continue to rise.

DPDP Act Responsibilities of CEOs, Managing Directors and Senior Management

Chief executive officers and managing directors occupy a particularly important position within the DPDP compliance framework. While privacy obligations may be operationally implemented by legal, compliance and technology teams, executive leadership remains responsible for ensuring that sufficient resources, oversight and governance mechanisms are in place.

Following a significant data breach, regulators and stakeholders may ask:

Was privacy compliance adequately funded?
Were known vulnerabilities addressed?
Were internal warnings ignored?
Were cybersecurity safeguards proportionate to the risk?
Was incident response planning effective?
Were breach reporting obligations complied with?

These questions inevitably place executive decision-making under scrutiny. Accordingly, CEOs and managing directors should treat data privacy as a strategic business risk rather than merely a compliance requirement.

Board Responsibilities Under the DPDP Act

Effective DPDP Act compliance requires active board engagement. Directors should ensure that privacy and cybersecurity risks form part of the organisation’s enterprise risk management framework. Key governance measures include:

Establishing Board-Level Oversight

Boards should periodically review: Data protection programmes; Privacy compliance frameworks; Cybersecurity preparedness; Regulatory developments; Vendor risks; and Data breach trends. Many organisations are increasingly assigning responsibility to Audit Committees, Risk Committees or dedicated Technology and Cybersecurity Committees.

Implementing Reporting Mechanisms

Management should provide periodic updates on: Compliance status; Security incidents; Vendor assessments; Privacy complaints; Regulatory developments; and Emerging technology risks. Meaningful reporting enables directors to make informed governance decisions.

Approving Data Governance Policies

Boards should ensure that organisations maintain documented policies governing: Personal data protection; Information security; Data retention and deletion; Incident response; Third-party risk management; and Employee awareness and training. Documented governance measures may prove important when responding to regulatory inquiries.

Third-Party Vendor Risks Under the DPDP Act

Many organisations depend on cloud service providers, payroll processors, software vendors, consultants and outsourcing partners. However, outsourcing a function does not necessarily outsource accountability. A privacy incident involving a third-party service provider may still expose the Data Fiduciary to regulatory scrutiny and reputational damage.

Accordingly, organisations should establish robust vendor management frameworks incorporating: Due diligence procedures; Contractual safeguards; Security assessments; Audit rights; and Ongoing monitoring mechanisms. Third-party risk management is likely to become a key area of regulatory focus under India’s evolving privacy regime.

Data Breach Response and Incident Management

An organisation’s preparedness is often tested during a data breach rather than during routine compliance reviews. Boards should ensure that management maintains: Incident response plans; Escalation procedures; Internal investigation protocols; Regulatory notification mechanisms; Communication strategies; and Business continuity arrangements. The effectiveness of these measures may significantly influence how regulators assess an organisation’s compliance posture following an incident.

DPDP Act Compliance Checklist for Boards and Corporate Leadership

Boards and executive management should consider the following immediate action points:

Conduct a DPDP Act Compliance Assessment
Review existing practices relating to: Consent management; Privacy notices; Data retention; Security safeguards; Vendor oversight; and Data subject rights management.

Create a Personal Data Inventory
Identify: What personal data is collected; Why it is collected; Where it is stored; Who has access; and How long it is retained.

Establish Accountability Structures
Clearly allocate responsibilities across: Legal; Compliance; Information security; Human resources; Marketing; and Business operations.

Strengthen Data Breach Preparedness
Conduct tabletop exercises and periodically test incident response procedures.

Review Insurance Coverage
Evaluate cyber insurance, technology liability coverage and directors and officers insurance policies.

Train Directors and Senior Management
Privacy governance awareness should extend beyond operational teams and include board members and executive leadership.

Frequently Asked Questions on Director Liability Under the DPDP Act

Can directors be personally liable under the DPDP Act?
The DPDP Act primarily imposes obligations on Data Fiduciaries rather than directors personally. However, directors may still face scrutiny regarding governance failures, oversight responsibilities and fiduciary duties where significant privacy incidents occur.

Can a CEO be held responsible for a data breach under the DPDP Act?
Although regulatory penalties are generally directed at the organisation, CEOs are expected to ensure that appropriate compliance programmes, cybersecurity safeguards and governance frameworks are implemented.

What is the maximum penalty under the DPDP Act?
Depending on the nature of the violation, penalties under the DPDP Act may extend up to INR 250 crore for certain contraventions.

What are the key board responsibilities under the DPDP Act?
Boards should oversee privacy compliance programmes, cybersecurity preparedness, vendor risk management, incident response planning and ongoing regulatory compliance efforts.

What should companies do to prepare for DPDP Act compliance?
Organisations should conduct privacy assessments, map personal data, strengthen security controls, review vendor arrangements, establish governance frameworks and train employees and management teams.

Conclusion

The Digital Personal Data Protection Act, 2023 has transformed data privacy from a technical compliance issue into a critical corporate governance priority. While directors, CEOs and managing directors may not automatically incur personal liability for every violation, the DPDP Act creates an environment in which privacy governance failures can generate substantial regulatory, financial and reputational consequences.

For boards, the question is no longer whether data privacy deserves attention. The real challenge is demonstrating that appropriate governance structures, compliance frameworks and oversight mechanisms are in place. As enforcement under the DPDP Act evolves, organisations that proactively integrate privacy governance into their broader risk management framework will be better positioned to navigate regulatory scrutiny, maintain stakeholder confidence and build long-term resilience in an increasingly data-driven economy.

Authored by Dhruv Kaushal, Partner
https://ksandk.com/people/dhruv-kaushal/
Co-authored by Aniket Ghosh, Partner
https://ksandk.com/people/aniket-ghosh/
King, Stubb & Kasiva - July 2 2026