Skip to content
The Legal 500 Main Logo
  • Home
  • Rankings
    • Asia Pacific
    • EMEA
    • Latin America
    • UK Solicitors
    • UK Bar
    • United States
    • Canada
    • Caribbean
    • Deutschland
    • Paris
    • The Lex 100 – student guide to law firms
  • Profiles
    • Law Firm Profiles
    • Set Profiles
    • Hall of Fame
    • International Law Firm Networks
    • Supplier Profiles
    • Interview with…
    • Doing Business In / Focus On
    • Firms in the Spotlight
    • Press Releases
    • Legal Developments
    • Meet the Team
    • Firms to watch
  • Powerlists
    • GC Powerlist
    • The Legal 500 Private Practice Powerlists
  • Publications
    • fivehundred
    • GC Magazine
    • In-House Lawyer
    • Legal Business
  • Special Reports
  • Comparative Guides
  • Events
  • Webinars
  • Data Blog
  • Podcast
  • Global Green Hub
  • About
    • Contact Us
    • FAQs
    • About The Legal 500
    • How it works
    • Meet The Legal 500 Team
    • Marketing
    • Research+
    • Research Calendar
    • Submission information
    • Newsletter

Spice Route Legal > Mumbai, India > Firm Profile

Spice Route Legal Offices

Spice Route Legal company logo
Spice Route Legal
No. 201, 2nd Floor, B Wing Pinnacle Corporate Park, Bandra Kurla Complex, Bandra East
MUMBAI
400051
India
  • Go to...
  • Rankings
  • Firm Profile
  • Main Contacts
  • Diversity
  • Legal Developments

Spice Route Legal > The Legal 500 Rankings

India > Data protection Tier 1

Based in Bengaluru, Mathew Chacko, co-founder of Spice Route Legal, has decades of experience of data protection as part of his wider TMT expertise. In addition to assisting clients on the full range of data privacy/security, transfers and data compliance, it also advises on blockchain, Fintech services and products, and various uses of AI. Clients range from global tech companies, other corporates and financial services companies. ‘Stand out‘ senior associate Aadya Misra is in demand for advice on the implications of the Schrems-II decision regarding GDPR, managing security incidences/post breach security and the RBI’s localisation requirements.

Leading individuals

Mathew Chacko - Spice Route Legal

Rising stars

Aadya Misra - Spice Route Legal

Practice head(s):

Mathew Chacko

Other key lawyers:

Aadya Misra

Testimonials

‘Very business orientated, follows deadlines, answers are to the point.’

‘Aadya Misra was very approachable and delivered under tight deadlines.’

‘The data team at SRL is very well versed with the India data regime and their international exposure gives them the ability to take a view on its potential evolution. While working with them on a company wide data gap analysis it is evident that there are very few scenarios that they have not thought of or have not advised on. As in house counsel this sort of industry understanding is invaluable. And as always, SRL is able advise keeping in mind the challenges of a tech company and its unique business.’

‘Mathew and Aadya stand out as the team members who take point on data advisory and actioning. As the requirements of the company are cross jurisdictional, it is a significant differentiator that they are able to run India, have a preliminary view on international positions and effectively coordinate with international counsels. It’s excellent to be able to rely on Mathew and Aadya to run a project globally, at competitive rates but unquestionably high quality standards; both their own and the counsels they partner with.’

Key clients

Disney + Hotstar

IBBIC Pvt Ltd (formerly known as Blockchain India Consortium)

Airtel

Trade Desk

Urban Company

Adobe Inc.

Quintype

Milaap

Sahamati

VeriSign

Instamojo Inc.

Moët Hennessy

Miner’s Inc.

Impelsys Inc.

ICICI Bank

Strand Lifesciences

Cathay Pacific

Locus

Farmify

Super Unlimited

Talview

yBanq

Emptech

Work highlights

  • Advising Fiserv, a fintech company in the Fortune 500, on various issues, including: the Reserve Bank of India’s data localisation requirements; the deployment of an employee monitoring software to gauge employee satisfaction; and the data implications of setting up employee-directed initiatives in the wake of India’s second wave COVID-19 crisis.
  • Advising longstanding client ideaForge – India’s leading drone manufacturer – on complicated issues concerning supply of data, the use of AI/machine learning (ML) tools on biometric data, and data ownership in connection with the deployment of AI-powered drones to measure social distancing norms in public spaces in India after initial Covid-19 lockdown restrictions were eased in the summer of 2020.
  • Assisting Instamojo with structuring its operations in light of the Payment Aggregator Guidelines by implementing suitable processes and procedures, particularly concerning its IT governance policy, cybersecurity policy, and compliance with the IT recommendation prescribed by the RBI.

India > Financial services regulatory Tier 2

Spice Route Legal is valued by clients as its ‘holistic approach is very reassuring in the evolving financial landscape‘. The firm’s client roster has been growing from a core of technology clients to include global and domestic banks, and non-banking, often new, financial services companies, involving digital lending or payment gateways. With ‘great insights on the industry‘, Mathew Chacko heads a smaller, focused team that includes the highly-rated senior associate Ankita Hariramani who is praised by clients for her ‘incomparable understanding of financial regulations‘. The team assists clients with navigating novel challenges regarding SEBI regulations, licencing and digital lending issues generally, often with cross-border elements.

Rising Stars

Ankita Hariramani  - Spice Route Legal

Practice head(s):

Mathew Chacko

Other key lawyers:

Ankita Hariramani; Aadya Misra; Priyanka Chaudhuri

Testimonials

‘Very few legal firms focus and specialize with data. While some firms “add” a one-two member team for data, Spice fully focuses on data. For the account aggregator ecosystem, we need a lot of clarifications related to regulatory matters. Spice has very good knowledge regarding regulators.’

‘I have worked with Mathew, Aadya, Ankita, Priyanka – very professional. Always ready to give time and give a very detailed response to our queries.’

‘The team has an excellent understanding of the market for financial technology services in India, and helps us structure our products in line with existing laws. Spice Route also has a strong relationship with the regulator, which helps us in pre-empting any regulatory challenges to our financial products that may arise, from the RBI. The team analyses new potential products and services from both legal and commercial perspectives and is an invaluable resource within the fintech space.’

‘Ankita Hariramani, the senior associate leading this team, has an incomparable understanding of financial regulations, the market for financial services, and the laws governing technology in India. Her interdisciplinary expertise extends to advising us on cutting edge fintech innovations in the financial services sector, and she is a delight to work with!’

‘The Spice Route team has a very hands-on approach and provides very practical advice that helps the client achieve its targets.’

‘Mathew Chacko – Always available for a chat, has great insights on the industry and is always equipped to take on challenges. Ankita Hariramani – You can always expect Ankita’s advice to be extremely reliable and practical, backed by thorough research and reasoning.’

‘The team combines a keen understanding of technology with the ability to to rely on its knowledge of the mind of the regulators – from the RBI to the securities regulator and the competition commission. Given that the fintech space is fairly nascent in India, it is excellent to be advised by a team that is able to grasp the nuances of a company’s money flow who can tie it back to the tech used and marry it with the regulator’s long term vision. This holistic approach is very reassuring in the evolving financial landscape.’

‘The two main players are Mathew and Ankita. Mathew brings to the table his expertise with technology regulation which is layered with his understanding of the financial sector. At the same time Ankita combines her financial sector strengths with the evolving tech advancements. Together they make a formidable team that can not only provide a birds eye view to a company’s processes but are also able to advise on the granular aspects of implementation.’

Key clients

IBBIC Pvt. Ltd. (formerly known as Blockchain India Consortium)

NoICICI Bank

Moneyview

Milaap Inc.

VeriSign

TradeLens

Fiserv

Fennia Insurance

Nexxo

OKCredit

Sahamati

Instamojo

Decentro

Bank Open

Cashfree

HDFC Bank

Yodlee Inc

Finarkein (Flux)

Cookiejar Technologies (FinVu)

YesZoop

 

Work highlights

  • Advising IBBIC (a joint venture of 14 leading commercial banks in India, which control 95% of India’s trade finance business) on the implementation of an award-winning blockchain focused trade finance platform, including assistance with all banking regulations pertaining to trade finance
  • Representing Cashfree in a multimillion-dollar enforcement action on the first-of-its-kind question of a payment gateway’s role in an online gambling racket, its compliance with the Prevention of Money Laundering Act 2002, and KYC obligations as a Payment Aggregator in regard to the racket.
  • Advising SETU on its application to the RBI to be a consent broker for financial sector data, which was one of 7 NBFC-AA license applications the team handled in 2020.

India > TMT Tier 2

Underscored by the opening of a new dedicated tech and fintech office in Pune, Spice Route Legal has continued to cement its position as one of the fastest growing TMT practices in the market. In recent months, the team has acted for some of the world’s foremost tech companies on content licensing and acquisition mandates, enforcement actions, and trademark disputes. Bangalore-based practice head Mathew Chacko is noted for his wide-ranging experience in tech M&A, blockchain and data legislation. Ankita Hariramani leads on the full gamut of fintech work from the firm’s Pune office. Aadya Misra is recommended for global data privacy and regulatory advisory issues.

Next Generation Partners

Mathew Chacko - Spice Route Legal

Practice head(s):

Mathew Chacko

Other key lawyers:

Ankita Hariramani; Aadya Misra

Testimonials

‘We are pleased with the services provided by Aadya Misra and Mathew Chacko.’

‘Spice Route Legal has been our only and go-to legal adviser for all Asia Pacific deals since our first deal in the region. Flexible, timely, and effective.’

‘Spice Route Legal is small enough for me to receive the right amount of attention from the team and large enough that they can cover various aspects of my needs. They very quickly became my one-stop shop for all things legal in India. The team is a pleasure to work with.’

‘The team has also been very helpful in providing practical advise on telecoms regulations. The business-focused view SRL is able to provide is crisp, to the point and carries advice on how it can be implemented.’

‘TMT is SRL’s core strength, with brilliant levels of specialisation. In addition, they bring to the table excellence in related fields like IP, data and regulatory aspects surrounding that landscape. As an e-commerce client, our needs are varied and touch upon various legal regimes. The ability to have those nuances answered in depth at SRL makes them a uniquely placed one-stop shop. SRL has the deep talent pool to also advise on the related aspects specific to our business.’

‘Mathew and the TMT team at SRL are leading players in the account aggregator and open finance space in India. They know the latest happenings and represent many of the stakeholders.’

‘Aadya is an absolutely joy to work with on the technology and IP side. She is very professional and courteous but robust.’

Key clients

Microsoft

Facebook Inc.

Disney+ Hotstar

IBBIC Pvt. Ltd. (formerly known as Blockchain India Consortium)

ICICI Bank

Airtel

Adobe Inc.

AT&T / Warner Media (Xandr)

LinkedIn

Quintype

Foundamental GmbH

IdeaForge

Impelsys Inc.

Instamojo Inc.

Locus

Milaap Inc.

ShopX

SETU

Srijan Technologies

Bank Open

Yodlee Inc.

VeriSign

Gamestream SAS

Machaao, Inc.

Urban Company

Telia

Freespee

Smartly.io

Fiserv

Talview

Work highlights

  • Assisted Super Unlimited with the acquisition of Bharat Browser.
  • Represented Cashfree in a multimillion-dollar enforcement action on the first-of-its-kind question of a payment gateway’s role in an online gambling racket.
  • Assisted IBBIC (a joint venture of 14 leading commercial banks controlling 95% of India’s trade finance business) on incorporation, licensing and the implementation of a blockchain-focused trade finance platform.

India > Corporate and M&A Tier 3

With a strong sector approach that focuses on TMT, energy and life sciences, Spice Route Legal‘s practice handles the breath of corporate advisory, M&A and private equity work. Practice head Praveen Raju recently advised on numerous acquisitions in the renewable and alternative energy sectors. Highlights include corporate restructurings of major solar energy projects. Bangalore-based Mathew Chacko leads on hi-tech M&A for corporate sponsors and increasingly for multinational acquisitive entities.

Practice head(s):

Praveen Raju

Other key lawyers:

Mathew Chacko

Testimonials

‘Very approachable, excellent communication, practical advice.’

‘Spice Route Legal are a young, dynamic and innovative corporate boutique. They have a very commercial, client-centric model which is appreciated in the market and evidenced by their successful growth in recent years.’

‘Consistently responsive, commercial and pragmatic. Praveen Raju and Matthew Chacko are the key leaders.’

‘Spice Route Legal has been our only and go-to legal advisor for all Asia-Pacific deals since our first deal in the region in March 2019. We like the firm because the team brings well-rounded legal expertise and local empathy for various geographies including India, Singapore, Vietnam, Indonesia & Australia.’

Key clients

COVID India Initiative

Minority shareholders of CPS Oil and Gas Equipment

ESCO Lifesciences

Sequoia Capital

Foundamental GmbH

GritFirst

IBBIC Pvt. Ltd. (formerly known as Blockchain India Consortium)

Instamojo

Moneyview

Mozev (Mytrah Mobility)

Neogen Chemicals

SenseHawk Technologies Private Limited

SILRES Energy Solutions

Strand Lifesciences

SunEdison Infrastructure (client since 2018)

Test & Verification Solutions

Savex

Ideaforge

Season2 Ventures

Helix Investments

Esperor Onco Nutrition

Ohmium International

Iosynth

Zenfold Ventures LLP

Work highlights

  • Advising SunEdison Infrastructure on various crucial matters, including a complex cross-border corporate restructuring, an analysis of 25 solar projects, and the financing and development of a 68MW solar energy farm.
  • Assisting Savex with the purchase of a stake in Inflow Technologies a company in the enterprise tech distribution space, with the option of advancing to a future 100% acquisition through an earn-out structure.
  • Assisting IBBIC (a joint venture of 14 leading commercial banks controlling 95% of India’s trade finance business) on an award-winning incorporation, licensing and implementation of a trade finance platform, powered by blockchain.

India > Projects and energy Tier 3

Core skills provided at Spice Route Legal’s alternative and new practice group include construction and project development, project finance, corporate transactions and regulatory assistance. Praveen Raju heads the practice with a focus on the solar, electric vehicles, hydrogens and alternative fuels industries.

Practice head(s):

Praveen Raju

Key clients

SunEdison Infrastructure (client since 2018)

CPS Oil and Gas Equipment

22Motors

Aerem Solutions

Gro Solar Energy RA

Lighthaus B.V.

Mytrah Mobility

Sistema Bio

SenseHawk Technologies Private Limited

South Lake One LLC

Fenice Investments

Ohmium International

MLR Auto

Work highlights

  • Advising SunEdison Infrastructure on various crucial matters, including corporate restructuring, an analysis of 25 solar projects, and the finance and development of a 68MW solar energy farm.
  • Advising minority shareholders of CPS Oil and Gas Equipment on the sale of its 30% shareholding in CPS Oil and Gas Equipment to an American company, SAZ Oilfield Equipment Inc.
  • Advising Mozev (Mytrah Mobility) on the manufacture of a fleet of 48 electric vehicle buses for a first-of-its-kind green transport project.

Intellectual property Tier 4

Spice Route Legal is a relatively new firm with an initial focus on corporate and technology law but with an increasingly strong practice relating to IP transactions and disputes expertise. It also works with two external patent consultants (engineers). Its work typically relates to licensing, acquisitions and sponsorship deals and protecting brand names; it has undertaken high-profile cases concerning the misuse of IP assets online – acting for a number of leading social media platforms and technology corporates, work that includes disputes regarding adwords. It also has expertise in areas such as healthcare and advanced tech/fintech, for example the use of drones and AI. Mathew Chacko is the highly rated head of the practice.

Practice head(s):

Mathew Chacko

Key clients

Facebook Inc.

Adobe Inc.

Innerfit

OKCredit

Quintype (client for 3 years)

Sistema Bio

Srijan Technologies

Testing & Verification Solutions

xQ Capital

Mindtree

Disney

Milaap Inc. (client for 4 years)

Neogen Chemicals (client for 4 years)

IBBIC Pvt. Ltd. (formerly known as Blockchain India Consortium)

Miner’s Inc. (client for 3 years)

EID Parry

ASM Technologies

Aum Hum

Impelsys Inc. (client for 4 years)

Work highlights

  • Representing Milaap Inc. in a landmark dispute with Google over trade mark infringement via Google Adwords.
  • Acting for India-based Neogen Chemicals in a cross-border trade mark dispute with US-based Neogen Corporation over the ownership of the Neogen name.
  • Navigating a complex advisory between Ad-tech and intellectual property, the team recently advised Disney+ Hotstar on the licensing and effective platform structuring for the use of Ad-tech tools.

India > Private equity and investment funds Tier 4

An expanding roster of investor and investee clients instructs Spice Route Legal on a high volume of private equity buyouts, fundraisings and venture capital deals. Through a team spearheaded by Praveen Raju, the firm completes deals across the sectors of energy, fintech, financial services and life sciences, while Mathew Chacko acts for start-ups and investors operating in the TMT sector. Berlin-based proptech and logistics investor is engaging the practice on a spate of Series A to Series C deals.

Practice head(s):

Praveen Raju

Other key lawyers:

Mathew Chacko

Testimonials

‘Mathew Chacko and team are exceptional. Will continue to go with them for our future rounds as well.’

‘The team brings well-rounded legal expertise and local empathy for various geographies including India, Singapore, Vietnam, Indonesia & Australia, while also being able to advise us on firms from the region that flip to alternative holding structures, for example in the United States. We also greatly appreciate the flexibility of the firm to be nimble in responding to bespoke requests in a timely and effective manner‘.

Key clients

Foundamental GmbH

SILRES Energy Solutions

Brigade Real Estate Accelerator Programme

Farrallon Capital

Fenice Investments

South Lake One LLC

SETU

Zenfold Ventures LLP

Ambee

OKCredit

Helix Investments

SenseHawk Inc.

Ronin Wines Private Limited

Instamojo

Moneyview

xQ Capital

SeasonTwo Ventures

Sequoia Capital India

Blue Lotus Capital

Java Capital

IdeaForge

Esco Biosciences

Work highlights

  • Advising SILRES Energy Solutions (SunEdison Infrastructure) on receiving an investment of around USD25 million.
  • Advising Foundamental GmbH on 14 investments across Asia, including its a Series C USD100 million club investment deal, alongside new co-investor, Tiger Global, into Hella Infra Market.
  • Acting for prominent fintech start-up SETU on drafting, negotiating, and completing an investment from an investor club including Falcon Edge, LightSpeed Ventures, and Bharat Fund.

Spice Route Legal > Firm Profile

Spice Route Legal is a law firm that is recognised as a leader in the provision of border- agnostic legal services in India. The firm is often retained (i) to negotiate and close complicated multi-jurisdictional deals, (ii) to advise on issues at the intersection of technology, business, and law, (iii) to accurately evaluate and mitigate regulatory and legal risks; and (iv) to assist on complicated disputes.

With market-leading practices in mergers and acquisitions, private equity, technology, media and telecommunications, data and fintech, energy and renewables, healthcare, pharmaceuticals, and life sciences, intellectual property and disputes, the firm regularly advises clients on some of the most complex cross border mandates that involve India.

For more details, please see www.spiceroutelegal.com.

Main practice areas
Corporate and M&A: The firm advises on a full spectrum of corporate transactions in today’s increasingly global marketplace. In addition to mainstream M&A, the firm has been involved in some of the most challenging private equity, venture capital, take privates, spin offs and corporate restructurings that involve India. Today, Spice Route Legal is the ‘go to’ firm for Indian companies with global M&A or investment ambitions and for non-Indian companies investing in India.

Private equity and venture capital: Our private equity and venture capital practice is widely applauded for our cutting-edge, cross-jurisdictional work involving investments in technology, fintech, big data, energy and healthcare. The firm has a 360-degree approach to fund structuring – advising PE funds on investments, deal structuring, tax and regulatory approvals, and IPOs and distressed acquisitions, and has advised some of the most prolific investors in the region.

Technology, media and telecommunications: Spice Route Legal has, over the last six years, established itself as India’s largest and most sophisticated TMT practice. The practice is hyperspecialised with lawyers focusing on Artificial Intelligence, Big Data, Licensing, Ad-Tech, HR-Tech, Aviation Tech, E-commerce, SAAS, Ed-tech, Digital Media, Gaming, Sports, Social Media, Telecommunications, Cleantech and Proptech.

Data protection, privacy and cybersecurity: The firm’s data protection, privacy and cybersecurity team combines strong technical and legal credentials, an appreciation of the global nature of data and a network of the best technology, data and information lawyers in the world, to advise on increasingly global data, privacy and cybersecurity mandates. As South Asia’s largest data practice, the firm regularly advises on international data flows, cybersecurity and data risk, privacy concerns, disputes involving data, incident reporting, localisation strategies, employment and health data issues and structuring whistleblowing hotlines and ethics investigations.

Fintech and financial sector regulatory: Spice Route Legal regularly advises and assists most of the prominent names in the financial services sector in India. With the ability to structure products, identify and mitigate technology, intellectual property, data and financial sector regulatory risks, the team straddles multiple practice areas to seamlessly advise banks, financial institutions, startups, credit rating agencies, investors and ‘brick & mortar’ companies.

Intellectual property: Spice Route Legal’s expertise in advising on complex questions of IP is widely recognised, having advised on some of the most contentious disputes and assisted on some of the most complex transactions that involve intellectual property. In 2021, the firm has been at the forefront of the evolving contributory infringement jurisprudence in India, of the recognition of the doctrine of prosecution history estoppel, of some of the largest IP disposals and of defending multiple actions by patent trolls. The firm’s uniquely integrated IP team offers corporations the ability to rely on it for advice on the protection, monetisation, licensing and sale of IP and for disputes involving IP.

Energy, renewables and sustainability: Since formation, Spice Route Legal has been a trusted advisor to energy clients. The firm’s practice focuses on the future of energy, i.e. new and alternate sources of energy. The firm has worked with multiple companies within the clean and renewable energy space, and is well regarded as a market leader in alternative energy, renewables and sustainability.

In addition to complex restructuring and investment advisory for its Energy clients, the firm has also assisted clients with several project development and project finance mandates, in the solar, wind, and hydrogen fuel technology sub-sectors. A recent specialisation and interest in electric mobility mandates has broadened the firm’s expertise within the energy space to include this most exciting and nascent sector, as well.

Healthcare, pharmaceuticals and life sciences: As a hyper industry focused firm that combines the M&A, regulatory, data and IP expertise of its founders, lifesciences is a natural sector specialisation. Over the last few years, the practice has grown exponentially into a 360-degree life sciences and health-tech focused practice, encompassing a range of practice areas including corporate/M&A, regulatory, IP, commercial agreements, and data practices.

The firm’s portfolio of clients boasts of companies and their investors across the life sciences industry, including in the pharmaceuticals, biotech, veterinary, diagnostics, medical devices, and health-tech sectors. The practice comprises of a team of five lawyers primarily focusing on the corporate M&A and PE-VC transactions in the life sciences space and a team of six lawyers who focus on regulatory, data, technology, IP and commercial contracts.

Litigation, arbitration and dispute resolution: Our disputes practice is uniquely structured to function as a part of our industry practice groups. As such, the team tends to focus on disputes involves tech, media or telecom companies, corporate governance, shareholder disputes, intellectual property, financial services regulatory issues, competition law or data privacy.

Sports and entertainment: Spice Route Legal advises some of the world’s leading sportspeople, teams, agencies and regulatory bodies on a host of contentious and non-contentious matters. Relying on traditional strengths in licensing, governance, disputes, intellectual property and privacy, we offer a one-stop legal solution for all entities involved in sports.

International work: Spice Route Legal’s “border agnostic” model of providing seamless solutions for cross border legal issues by relying on a wide network of friends is acknowledged as a market first. Relying on this network, the firm has:

  • Assisted India’s largest telecom conglomerate on a global transaction involving over 40 countries;
  • Assisted India’s leading rice manufacturer with conducting a purchase of assets in 60 countries;
  • Assisted a German investment fund focused in the Industrials, Chemicals and Logistics sector on investments in eight countries in the Asia-Pacific;
  • Assisted a leading Indian mobility player with conducting a 23-country regulatory, technology and risk analysis;
  • Assisted some of India’s leading technology companies with entering markets in Asia, Europe, Africa and the Americas;
  • Assisted in designing and implementing global data protection and compliance strategies;
  • Assisted in global intellectual property portfolio management;
  • Led multiple cross border venture capital and private equity deals.

Main Contacts

DepartmentNameEmailTelephone
Head of TMT, Data Protection and Privacy and Fintech Mathew Chackomathew@spiceroutelegal.com
Head of Corporate, M&A and PE-VC, Energy, Renewables & Sustainability, Healthcare, Pharmaceuticals & Life Sciences Praveen Rajupraveen@spiceroutelegal.com
Fintech & Financial Sector Regulatory Ankita Hariramaniankita.hariramani@spiceroutelegal.com
Data Protection, Privacy & Cybersecurity Aadya Misraaadya.misra@spiceroutelegal.com
Corporate, M&A and PE-VC Renuka Abrahamrenuka.abraham@spiceroutelegal.com
Corporate, M&A and PE-VC Nikhil Josephnikhil.joseph@spiceroutelegal.com
Intellectual Property, and Dispute Resolution Adithya Jayarajadithya.jayaraj@spiceroutelegal.com

Languages

English
Hindi
Tamil
Telugu
Kannada
Malayalam
Spanish
French
Marathi
Bengali
Gujarati

Memberships

International Bar Association
IAPP
ITechLaw

Diversity


Spice Route Legal is an equal opportunity employer, encouraging the growth of all stakeholders, regardless of gender, sexual orientation, marital status, disability, age, religion, caste, race, region, or ethnicity.

As of December 2020, the firm comprises of (i) more people who identify themselves as female than any other gender, (ii) a not insignificant group of stakeholders who do not conform to traditional notions of hetero-normativity, (iii) people who identify as atheists, as well as believers in 7 distinct religions, and (iv) people from 12 different Indian states, spanning most corners of the country.

 

Legal Developments

A GUIDE TO THE DATA PROTECTION BILL, 2021

11th January 2022 India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”). 

WHAT ARE GREEN BONDS?

4th January 2022 A Green Bond is a fixed-income debt instrument, like a regular bond, which is specifically earmarked for financing ‘green’ projects such as renewable energy projects, clean transportation projects, water management projects etc. It encourages sustainability and has numerous goals - from climate change mitigation to energy efficiency, and the prevention of pollution etc.[1].

Cybersecurity Laws in India: Is It Time for a Regime Change?

4th August 2021
  1. Introduction
Given the expansive range of India’s software infrastructure, India is also prone to the highest number of cybersecurity incidents. In 2021 alone, these incidents ranged from the unauthorised access and dissemination of the personal data of about 4.5 million customers of a top Indian airline company[1] to the leakage of approximately 180 million users’ personal data from a renowned food chain’s database[2]. A recent report by Check Point Research (“CPR”) identifies India as the most impacted country in terms of cyber-attacks – organisations in India witness approximately 213 weekly ransomware attacks, on average[3]. As per the findings of The State of Ransomware 2021 survey by a cybersecurity firm Sophos, about 68% of the affected Indian organisations whose data was hacked in the year 2020-21 resorted to the payment of ransom to recover their data.[4]Despite the clear urgency and importance of promoting stringent cybersecurity and data protection practices in India, the Indian government has been unable to effectively legislate on the issues of comprehensive data protection, privacy, and cybersecurity law. India’s legal regime continues to follow a fragmented and piecemeal approach towards both cybersecurity and data privacy. The laws governing such issues include but are not limited to -
  • The Indian Penal Code, 1860 (“IPC”),
  • The Information Technology Act, 2000 (“IT Act”), and
  • various sectoral regulations, discussed in detail below.
The Supreme Court of India has, in a recent special leave petition filed in the case of Jagjit Singh v. State of Punjab[5], held that the offence of hacking and data theft would not only be an offence under the provisions of the IT Act, but would also constitute criminal misappropriation under the IPC.  The application of a criminal statute that is over a century and a half old merely muddies the waters – and therefore, this note focuses on the more modern regulations, the IT Act and the various sectoral regulations.
  1. The Information Technology Act, 2000
    • Reasonable Security Practices and Procedures
Under Section 43A of the IT Act, companies are required to implement “reasonable security practices and procedures” to protect information from unauthorised access, damage, use, modification, disclosure, or impairment. In accordance with the said provision, the Indian government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). These rules are significant as they set out the country’s existing data protection regime.As per the  SPDI Rules, a body corporate is said to have complied with “reasonable security practices and procedures” if it has implemented policies that contain managerial, technical, operational, and physical security control measures that are proportionate to the information assets it seeks to protect. In furtherance to this, these entities are also required to enforce a comprehensive documented information security practice and policy.The SPDI Rules have identified IS/ISO/IEC 27001, as specific international standards which may be implemented by body corporates to fulfil the “reasonable security practices” requirement under existing laws. This is, of course, not mandatory.
    • Offences
Companies that cause wrongful loss to any person, due to their negligence in the implementation of reasonable security practices and procedures, are liable to pay compensation  up to INR 5,00,00,000. The compensation award is adjudicated upon by an officer appointed by the Central Government, after the officer has conducted an inquiry into the claim.If a claim exceeds the prescribed amount above, the dispute is heard by the competent court that has monetary jurisdiction over the claim. Appeals against the orders of an adjudicating officer are heard by the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”), a body that was initially set up to adjudicate disputes within the telecom sector. Appeals against decisions of the TDSAT are heard before the High Courts of the respective states in the country.Further, the IT Act also penalises body corporates for other cybersecurity-related offences such as unauthorised access, extraction, damage, disruption, or denial of services in respect of computers and computer networks, the intentional tampering of source codes that are required to be maintained by law, identity thefts, and the dishonest receipt of stolen computer resources or communication devices. Each of these offences is separately punishable with both imprisonment (which may extend up to 3 years) and/or a fine ranging from INR 100,000 to 500,000, depending on the nature of the offence.
    • Computer Emergency Response Team (CERT-In)
The Indian Government requires entities to notify authorities about cybersecurity incidents, including personal data breaches, through the rules governing its Computer Emergency Response Team (“CERT-In”). The CERT-In is an agency established under the IT Act, and acts as the nodal authority for cybersecurity related matters in India. CERT-In’s primary functions include responding to cybersecurity incidents, predicting and preventing cybersecurity incidents, undertaking analysis and forensics of cybersecurity incidents, and also issuing emergency measures and advisory guidances to tackle such incidents. The scope of CERT-In’s support varies on a case-to-case basis, and depends on factors such as the type and severity of the incident, the affected entity or individuals, and CERT-In’s available resources at the time of occurrence of the incident.Unlike other jurisdictions which have adopted a harm-based approach to determine whether a security incident should be reported to the relevant authorities, the IT Act and the rules issued thereunder instead make it mandatory to report certain types of security incidents to CERT-In, within a reasonable period of time. These include –
  1. the targeted scanning or probing of critical networks or systems;
  2. a compromise of critical systems or information;
  3. the unauthorised access of information technology systems or data;
  4. the defacement of or intrusions into websites, and unauthorised changes to websites;
  5. malicious code attacks and attacks on servers;
  6. identity thefts, spoofing, and phishing attacks;
  7. the denial of service and distributed denial of service attacks;
  8. attacks on critical infrastructure, supervisory control and data acquisition (SCADA) systems, and wireless networks; and
  9. attacks on applications like e-governance and e-commerce.
The law prescribes a penalty for non-compliance with the reporting requirement mentioned above. Additionally, if a service provider, intermediary, data centre, company or any person fails to provide the information required by CERT-In, or fails to comply with any direction issued by CERT-In, they shall be liable for imprisonment up to one year, or a fine or both.The CERT-In has started to play a more active role in ensuring that organisations affected by specific cybersecurity incidents comply with the mandatory incident notification requirements. In January 2021, CERT-In issued an advisory guidance to organisations on the management of data breaches and security incidents, and recommended the best practices to be complied with, in this regard.
    • Protected Systems
The IT Act provides a legal framework for critical information infrastructure in India – which comprises of computer resources that have a significant impact on national security, economy, public health, or safety. Consequently, the government may – (i) classify systems that impact critical information infrastructure as protected systems, (ii) selectively authorise the individuals who may access such protected systems, and (iii) prescribe additional information security practices and procedures for these protected systems.Currently, protected systems in India are limited to those that relate to government functions. All protected systems must follow the 2015 guidelines published by the National Critical Information Infrastructure Protection Centre (“NCIIPC”), which is the nodal agency for the protection of critical information infrastructure.
    • Intermediaries
Intermediaries such as internet, network, and telecom service providers, web hosting service providers, search engines, payment sites, online market places and other digital players are further required to follow additional cybersecurity obligations under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. For instance, they are required to contractually impose obligations on the users to prevent them from using the intermediaries’ services in a manner that affects functionality through the introduction of viruses, or any other malicious file, code, or program.Further, these intermediaries are bound to cooperate with the government and its various governmental agencies on the investigation, detection, and prevention of cybersecurity offences or incidents. Some intermediary obligations in the face of such incidents include (i) the sharing of information under their control or possession, (ii) assisting such agencies, upon a request for information, within 72 hours of communication of the request, and finally, (iii) diligently reporting cybersecurity incidents to CERT-In.Intermediaries are usually provided with a certain level of protection known as the “safe harbour” principle to avoid any liability that could arise from the misuse of their resources by third party users of their platform. However, upon their failure to comply with the government’s instructions in respect of users’ offences, an intermediary may lose its safe harbour protection.
  1. Sectoral Regulations
Sectoral regulations on cybersecurity are common in India. Regulations have been issued in respect of the following sectors: (a) financial services, (b) health services, (c) telecommunications, (d) insurance, and (e) securities law. With the exception of the financial services sector, these regulations continue to be fairly “light touch”, as far as cybersecurity and data protection are concerned. An overview of the relevant regulations are set out below.
    • Financial Services
The Reserve Bank of India (“RBI”) has introduced a comprehensive cybersecurity framework for banks and payment system operators that include mandatory breach notifications, regular audits and threat assessments, and the implementation of anti-phishing technology. Banks are required to formulate a comprehensive board-approved information security policy and cyber crisis management plan outlining their preparedness indicators for potential cyber-attacks. They must also report all cybersecurity incidents to RBI, within 2-6 hours of discovering the breach. The RBI has been at the forefront of multiple enforcement actions, including by way of imposing fines on banks and on alternative financing institutions due to their non-compliance in this regard.
    • Health
The government has prescribed Electronic Health Records Standards under the Clinical Establishment (Regulation and Registration) Act, 2010, based on global information security standards such as ISO/HL 7, ISO/IEC 27002, and ISO/TS 14441:2013. Further, in the year 2020, it also launched the National Digital Health Mission, whose aim was to create an efficient healthcare eco-system based on the integration of digital health data and infrastructure. This policy initiative mandates the adoption of ISO/TS 17975:2015 for consent management and the International Standard on Fast Healthcare Interoperability Resources (FHIR) - R4 Specification for the electronic exchange of healthcare information.
    • Securities Market
Given the crucial part played by digital information in the stock market’s day to day dealings, entities in the sector are held to high standards as far as cybersecurity and data protection is concerned. Comprehensive cybersecurity policies are required to be implemented by stock exchanges, depository participants, asset management companies, and mutual fund companies. Such policies need to be modelled on the NCIIPC’s principles. Regulated entities must also set up information technology committees, designate senior officials to oversee the compliance of the policies, and implement technical measures to protect their assets and infrastructure.
    • Telecom Sector
The Telecom Regulatory Authority of India regulates telephone operators and service providers and prescribes the security and infrastructure requirements that need to be fulfilled as a condition for their continued operation. Licensed telecom service providers have to comply with the ISO/IEC 15408, ISO 27000, 3GPP, and 3GPP2 security standards, among others. The certification for the same can only be issued by authorised agencies in India unless specifically approved by the Department of Telecommunication. Further, organisations must undertake regular audits and implement security management policies and practices. In order to operate, these service providers are also required to contractually impose their information security requirements on all vendors and suppliers that they work with.
    • Insurance Sector
The Insurance Regulatory and Development Authority (“IRDAI”) regulates the insurance sector in India. In 2017, it issued guidelines on information security and cybersecurity for insurers, to emphasise the need to maintain the confidentiality and integrity of data in a robust manner. In furtherance of this objective, the IRDAI requires insurers to appoint a chief information security officer, to form an information security committee, to put together a cyber crisis management plan, formulate information and cybersecurity assurance programmes, undertake adequate security safeguards to protect data, and implement adequate processes to identify and mitigate risks, etc.
  1. Enforcement Trends Across Sectors
In recent years, the TDSAT has actively awarded damages to aggrieved individuals, for cybersecurity lapses within the telecommunications sector. In this regard, most cases have arisen within the financial services space, due to the negligence of financial institutions in implementing reasonable security standards and safeguards. Generally, the damages awarded have not exceeded the actual loss (together with interest).In the financial sector, the RBI has diligently imposed penalties of up to INR 1,00,00,000 on financial institutions, for their non-compliance with the RBI’s cybersecurity requirements. It is pertinent to note that the imposition of a penalty by the RBI on a banking company precludes the initiation of legal proceedings against the said company before courts of law.Of late, the CERT-In has also started to play an active role in the enforcement of breach notification obligations, and has called upon organisations that are affected by cybersecurity incidents to furnish information pertaining to the incidents in question.Additionally, the government has launched the National Cyber Crime Reporting Portal in 2020-21, that enables citizens to report cybercrimes online. This reporting is then followed up with an investigation by the appropriate law enforcement agencies.
  1. Conclusion
The fragmented regulatory landscape of cybersecurity in India has resulted in much confusion, with cybercrimes being prosecuted under either ambiguous or archaic statutes. The often confusing tapestry of regulations results in ineffective implementation, and more often than not, entities are unable to derive normative guidance from these regulations due to their ambiguous nature.A comprehensive and instructive cybersecurity law, aided by specialist regulation on an as-needed basis, is crucial for the development of the cybersecurity regime in India. Otherwise, the courts, enforcement agencies, and regulators will continue to attempt to mould old regulations in unintended ways, and struggle to address many of the constantly evolving cybersecurity issues.
ABOUT THE AUTHORS:MATHEW CHACKOMathew is the Head of the Technology, Media & Telecommunications practice group at Spice Route Legal, and is recognised as a leading Indian lawyer by several national and international directories. With close to two decades of experience, he advises on a variety of cross-border corporate and commercial transactions, including in relation to investments, fund-formation, technology laws, data privacy, intellectual property, commercial and regulatory compliance, tech law disputes, and risk mitigation strategy.AADYA MISRAAadya is a senior associate with the firm’s Technology, Media and Telecommunications practice group, with a special focus on, and extensive experience in, handling data protection, cybersecurity and privacy mandates. Recognised as a Rising Star by The Legal500 in 2020, Aadya regularly works with domestic and international market leaders in industries, ranging from financial services, and blockchain, to telecommunications, consumer retail, and emerging technologies.SAMYUKTA RAMASWAMY Samyukta is an associate with the firm’s Data Protection, Privacy and Cybersecurity practice, within the broader TMT Practice Group, with a focus on cloud services and cybersecurity mandates. She assists clients with structuring their data protection practices, procedures and policies to demonstrate compliance with applicable laws, and advises them on a range of issues including international data transfers, data breach response and management, and risk mitigation.
[1]https://www.bloomberg.com/news/articles/2021-05-22/cyber-attack-on-air-india-led-to-data-leak-of-4-5-million-fliers[2]https://www.hindustantimes.com/india-news/dominos-pizza-data-breach-company-says-financial-information-safe-as-data-of-180-million-users-compromised-101621855567340.html[3] https://tech.hindustantimes.com/tech/news/india-saw-the-highest-number-of-ransomware-attacks-in-2021-report-71621331517413.html.[4] https://www.livemint.com/news/india/67-of-indian-organizations-paid-a-ransom-to-get-their-data-back-sophos-survey-11622526811992.html[5] Jagjit Singh v. The State of Punjab, Special Leave Petition Criminal No(s). 3583/2021.

FASTER ADOPTION AND MANUFACTURING OF (HYBRID &) ELECTRIC VEHICLES IN INDIA (FAME) – WHAT’S NEW

5th July 2021

INTRODUCTION

The turn of the decade marks the beginning of a new era for the Indian automotive industry. With increasing pressure from environmental lobbyists for the reduction of carbon emissions, and the push for adoption of electric vehicles (EVs) by Central and State Governments, the Indian automobile industry is all set for a dynamic shift from Internal Combustion Engines (ICE) to Battery Operated Vehicles (BOVs). According to an independent study conducted by the Council on Energy, Environment and Water (CEEW), India’s EV market could be worth USD 206 billion by 2030.1 The Indian Government has taken various initiatives to ease the transition into the upcoming EV market. One such major initiative was the Faster Adoption and Manufacturing of (Hybrid &) Electric Vehicles in India (FAME) scheme. In this article we have highlighted some important initiatives taken under India’s FAME-I and FAME-II policies and its recent amendments by the Government for the promotion of the EV industry in India.

Data Protection, Privacy, and Cybersecurity: An Update

28th June 2021

May 2021

The past few months have seen the data, privacy, and cybersecurity space in India bustling with activity. While a final draft of the much-awaited data protection bill remains to be seen, there have nonetheless been significant developments initiated by various sectoral regulators.

    Top Tier Firm Rankings

  • Data protection

    Firm Rankings

  • Financial services regulatory
  • TMT
  • Corporate and M&A
  • Projects and energy
  • Intellectual property
  • Private equity and investment funds
  • Twitter
  • Email
  • YouTube
  • Facebook
  • LinkedIn
© 2022 Legalease Ltd. All rights reserved
Registered company in England & Wales No. 2427356 VAT 321572722
Registered address: 188 Fleet Street, London, EC4A 2AG
  • Data Protection policies
  • |
  • Cookies Policy
  • |
  • FAQs
  • |
  • Contact Us
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Save & Accept