Skip to content
The Legal 500 Main Logo
  • Home
  • Rankings
    • Asia Pacific
    • EMEA
    • Latin America
    • UK Solicitors
    • UK Bar
    • United States
    • Canada
    • Caribbean
    • Deutschland
    • Paris
    • Future Lawyers – the student’s guide to law firms
  • Profiles
    • Law Firm Profiles
    • Set Profiles
    • Hall of Fame
    • International Law Firm Networks
    • Supplier Profiles
    • Interview with…
    • Doing Business In / Focus On
    • Firms in the Spotlight
    • Press Releases
    • Legal Developments
    • Meet the Team
    • Firms to watch
  • Powerlists
    • GC Powerlist
    • The Legal 500 Private Practice Powerlists
  • Publications
    • fivehundred
    • GC Magazine
    • In-House Lawyer
    • Legal Business
  • Special Reports
  • Comparative Guides
  • Events
  • Webinars
  • Data Blog
  • Podcast
  • Global Green Hub
  • About
    • Contact Us
    • FAQs
    • About The Legal 500
    • How it works
    • Meet The Legal 500 Team
    • Marketing
    • Research+
    • Research Calendar
    • Submission information
    • Newsletter

Spice Route Legal > Mumbai, India > Firm Profile

Spice Route Legal Offices

Spice Route Legal company logo
Spice Route Legal
No. 201, 2nd Floor, B Wing Pinnacle Corporate Park, Bandra Kurla Complex, Bandra East
MUMBAI
400051
India
  • Go to...
  • Rankings
  • Firm Profile
  • Main Contacts
  • Additional Tab
  • Legal Developments

Spice Route Legal > The Legal 500 Rankings

India > Data protection Tier 1

Fielding a dedicated team for data protection, privacy and cyber security, Spice Route Legal is a destination of choice for a considerable client list of both multinational and domestic clients in the core TMT industries and beyond. Practice head Mathew Chacko has recently been assisting Microsoft with the structuring of its cloud-based services Azure and Office 360 so as to comply with India’s pending data privacy laws. Assisting on this and the full scope of the team’s work is standout senior associate Aadya Misra, who also has significant recent experience advising European Union clients on financial services data transfers to India after the Schrems II decision.

Leading individuals

Mathew Chacko - Spice Route Legal

Rising stars

Aadya Misra - Spice Route Legal

Practice head(s):

Mathew Chacko

Other key lawyers:

Aadya Misra; Ankita Hariramani; Shambhavi Mishra

Testimonials

‘Spice Route Legal provides very business-friendly advice. We worked with Mathew and this great team for one or our clients in relation to local Indian law advice. The advice was so to the point and the team answered all our questions in timely manner and without follow up questions.’

‘Mathew Chacko is the best DP lawyer in India that I have worked with. I am very confident to refer him to our clients.’

‘Very few lawyers and law firms understand data protection. SpiceRoute is one of them.’

‘We work closely with Mathew Chako, Ankita Hariramani and Aadya Misra who have been of great help to us. Complex regulatory and data related issues are resolved for us by Spice Route with ease.’

‘Aadya Misra continues to put in the legwork, and both her and Mathew Chako have been willing to act as evangelists when it comes to India’s open data standards across current and upcoming public digital goods. We also had a good experience working with Shambhavi Mishra from the data team.’

Key clients

3M

Adobe Inc.

Airtel

Dell

HDFC Bank

Hewlett Packard Enterprises

Hitachi Energy

ICICI Bank

John Lewis & Partners

Microsoft

Zoom

Aveva Group plc

Calypso Technologies

Emptech Inc.

Fiserv

Disney

Gameopedia

Livspace

Moneyview

SHL Group

Srijan Technologies

Stryker Inc.

Talview Inc.

Tanla Platforms Limited

The Trade Desk

Tricog Health

Urban Company

Yext Inc.

Work highlights

  • Advising Microsoft on compliance with India’s upcoming data protection laws.
  • Assisted Urban Company with implementing a global data protection plan – including compliance activities in India, Australia, Singapore, the UAE and Saudi Arabia.
  • Advising John Lewis & Partners on India’s upcoming data protection law, including conducting a gap analysis between the client’s existing data protection practices and the proposed Indian data law.

India > Life sciences and healthcare Tier 1

Spice Route Legal offers a full service to pharma, primary healthcare, medical devices, and biotech companies, encompassing cross-border transactional support for both M&A and private equity investments, regulatory compliance advice, commercial and distribution agreements, and utilising the firm’s intellectual property practice in support with patent filings. The team acts for a wide range of international clients, including major domestic drug producers and healthcare providers, international pharma giants, and investment funds, further benefitting from connections to a strong network of international law firms. Mumbai’s Praveen Raju heads up the team, offering significant expertise in the life sciences space, including advising on cross-border transactions, joint ventures, and commercial agreements, while Bengalaru’s Mathew Chacko is also a key name, leading on M&A and private equity transactions with significant data, IP, and technology elements. Kochi-based senior associate Renuka Abraham has a strong focus on M&A within the sector.

Practice head(s):

Praveen Raju

Other key lawyers:

Mathew Chacko; Adithya Jayaraj; Aadya Misra; Renuka Abraham

Testimonials

‘SRL team is unique in the sense the advice provided by them makes a lot of commercial sense blended with a solid legal structuring that makes it a perfect suite for clients like us.’

‘Praveen is very cooperative and engaging not to mention his excellent legal oversight. For our company he is on the go when it comes to advice and time.’

Key clients

Agilon Health

AIG Direct LLC

Balchem Corporation

Esco Micro Pte. Ltd.

Cardiotrack

Impelsys Inc.

Iosynth Labs

IQVIA

Lignoil Technologies

Prana Inc.

Perrigo Inc.

Saveo Healthcare

Stryker Inc

Season Two Ventures Management LLC

Strand Lifesciences

Tricog Health Pte Ltd.

Vvaan Lifesciences

Zenfold Ventures LLP

Work highlights

  • Advised Esco Micro Pte. Ltd. on a US$200 series A financing.
  • Advising Zenfold Ventures, a healthcare sector-focused investment fund that is an affiliate of Dr. Reddy’s Laboratories, on a range of investments in the life sciences industry.
  • Assisting Iosynth Labs with commercial and intellectual property arrangements, including over contract manufacturing, licensing and distribution agreements.

India > Fintech and financial services regulatory Tier 2

The team at Spice Route Legal makes use of its ‘deep-seated financial services expertise‘ and ‘unparalleled understanding‘ of fintech to assist domestic and international banks, as well as cryptocurrency, fintech and payments companies. Mathew Chacko heads the fintech practice and draws on over 19 years’ experience in advising on blockchain, trade finance platforms, and the structuring of new fintech products. The ‘fantastic‘ Ankita Hariramani was promoted to counsel in July 2022; she focuses on assisting blockchain and fintech clients on the complex regulation surrounding payments, settlements, lending and wealth management. Senior associate Aadya Misra contributes her data expertise and often provides advice on cybersecurity architecture and the structuring of breach responses from a regulatory angle.

Rising Stars

Ankita Hariramani  - Spice Route Legal

Practice head(s):

Mathew Chacko

Other key lawyers:

Ankita Hariramani; Aadya Misra

Testimonials

‘Spice Route Legal has one of the most advanced Fintech and FSR practices I have come across. The team derives its unique position from the deep-seated financial services expertise, coupled with a passion and understanding of the technology behind it. They have the unique ability to predict the regulator’s moves and have earned the RBI’s respect through their keen observations. They have also helped us structure our product, behind which there is an unparalleled understanding.’

‘They’re always available and feels like they are not an external counsel, but rather approach things like in-house teammates!’

‘Business friendly and genuine set of people. They keep themselves updated about regulatory guidelines, well connected with financial startup eco-system to validate that helps a lot when in doubt.’

‘Ankita’s work is fantastic.’

‘Ankita has been able to help us with our queries. Very grateful for the SRL Fintech practice and Ankita, and their willingness to take challenges and help us out.’

‘Mathew Chacko and his team have been our go-to lawyers for the last 6 years. We value the attention our mandates receive from the SRL team. When it comes to Fintech and FSR, Ankita is a key member of the team. Ankita’s understanding of how technology functions in the financial services industry are unparalleled.’

‘The fintech team of Spice Route Legal has an extensive understanding of how financial products work.’

‘Reasonable and genuine set of people.’

Key clients

IBM

Dell

Disney+ Hotstar

IBBIC Pvt. Ltd. (formerly known as Blockchain India Consortium)

HDFC Bank

ICICI Bank

Bank Open

BharatPe

Banque Nationale

DBS Bank

Fennia

Finvu

Fiserv

Indipaisa (formerly known as Nexxo)

Instamojo Inc.

KarbonCard

Milaap Inc.

Moneyview

Mobikwik

RentoMojo

Sahamati

SETU

Slice (formerly known as SlicePay)

Tally Solutions

Yodlee Inc.

Zoop.One

Work highlights

  • Assisting IBBIC with its blockchain-focused trade finance platform.
  • Advising Slice (formerly known as SlicePay) on undertaking a detailed compliance of its Buy Now Pay Later product, Prepaid Card Instrument and multiple digital lending products.
  • Advising two of India’s leading neo-banks (Bank Open and Decentro) on structuring multiple banking products.

India > Projects and energy Tier 2

A core strength of Spice Route Legal‘s projects and energy practice is the range of legal services provided for its diverse list of clients operating in the alternative fuels, fuel technology and renewable sectors. For co-founder and head of the alternative energy, sustainability and e-mobility practice and corporate, M&A and private equity group, Praveen Raju advises international and domestic clients in the solar, electric mobility, infrastructure and energy drone technology, and hydrogen fuel cell technology segments. Raju offers advice on acquisitions and inward investment, in particular matters pertaining to O&M agreements, EPC contracts and land acquisitions for constructing and expanding energy-related tech facilities. Alongside Raju, star senior associate Janhavi Joshi helps clients navigate regulations and advises them on foreign inward investments into their companies through share purchases. The pair deal extensively with contractual and transactional arrangements.

Leading individuals

Praveen Raju – Spice Route Legal

Rising stars

Janhavi Joshi - Spice Route Legal

Practice head(s):

Praveen Raju

Other key lawyers:

Janhavi Joshi

Testimonials

‘Spice Route Legal is a unique gem. They are strategic, business-minded thinkers who are able to provide practical solutions.’

‘The team is flexible and able to incorporate complexities of US-governed entities. They respond at all hours of the day and night and are highly-skilled. They treat me as if I am their only client, when I know they have many.’

‘The partners place a great emphasis on diversity in hiring outstanding women to be part of their team.’

‘Praveen Raju is very smart and business-minded. He is focused on developing outstanding talent and has cultivated an incredible group of attorneys to support him, allowing his team to shine.’

‘Janhavi Joshi is an absolutely outstanding attorney. Janhavi understands what is important from both a legal and business perspective, and is able to focus on resolving issues quickly and efficiently. She also spends a lot of time training her team. She is highly responsive. She is an absolute rock-star.’

‘They can handhold you through the entire transaction, almost like they are part of the internal team. They are approachable and easy to deal and interact with. Great support for lean in-house legal teams.’

‘Praveen Raju – competent, always available, good negotiator, reliable and trustworthy, especially for M&A matters. His practical advice is highly valued within the company.’

Key clients

SunEdison Infrastructure

Indian Power Corporation Limited (IPCL)

Aerem Solutions

Gro Solar Energy RA

Hitachi India Energy Ltd

Lighthaus B.V.

Mytrah Mobility

Orxa Energies

Sistema Bio

SenseHawk Technologies Private Limited

South Lake One LLC

Fenice Investments

Ohmium International

MLR Auto

Shareholder of ANI Technologies (OLA Cabs)

Work highlights

  • Advised IPCL (Indian Power Corporation Limited) as consortium leader on its bid in response to the Indian government’s request for proposals to scale up ACC battery cell manufacturing.
  • Assisted US-based company Ohmium International in general corporate advisory such as shareholder, employment and non-disclosure agreements, and O&M mandates.
  • Assisting SunEdison Infrastructure on strategic tasks such as the demerger of multiple solar businesses and a report on 25 solar projects.

India > TMT Tier 2

Spice Route Legal provides a sizeable, growing team that serves a diverse portfolio of clients across the technology and media sectors. Bangalore-stationed co-founder, Mathew Chacko, heads the practice, serving many of the most prominent hardware and software companies, telecom players and banks in the context of fintech, as well as leading tech sector unicorns. Chacko is routinely supported by Aadya Misra, a specialist in data management and protection, privacy policies, licensing and regulatory matters. Additional support comes from Ankita Hariramani, a fintech specialist.

Leading individuals

Mathew Chacko - Spice Route Legal

Practice head(s):

Mathew Chacko

Other key lawyers:

Aadiya Misra; Ankita Hariramani

Testimonials

‘The team at Spice Route are very practical in their approach, their ability to explain complex regulations in clear language helps us understand the in-depth aspects and make better decisions.’

‘Ankita and Harshda are always hands-on and dependable, they understand the operational concerns and provide a better solution which has always given us a major advantage.’

Key clients

Microsoft

Meta Inc.

Adobe Inc.

Airtel

Disney and Disney+ Hotstar

Hewlett Packard

3M

BharatPe

Byjus

Calypso Technologies

Equinix

Orange

Fiserv

Fireblocks Inc.

Gameopedia

Gamestream

HDFC Bank

IBBIC

ICICI Bank

Liftoff Games

Milaap

Sahamati

Savex Technologies

Srijan Technologies

Stryker Inc.

Tricog Health

Tanla Platforms Limited

Urban Company

WeWork

Xandr (part of AT&T)

Work highlights

  • Advising Microsoft, the world’s largest cloud service provider, on structuring its cloud service products.
  • Advising Savex Technologies Pvt. Ltd on acquiring a majority stake in Inflow Technologies.
  • Assisting Disney+ Hotstar with structuring arrangements with technology service providers to measure the success of advertisements made available through ad-measurement tools.

India > Corporate and M&A Tier 3

The ‘collaborative‘ and ‘responsive‘ team at Spice Route Legal has continued to expand its presence in the M&A space, increasingly active on upper mid-market transactions and complex cross-border deals and restructuring arrangements for clients in its focus areas of life sciences, TMT, and sustainable energy and beyond. The team regularly collaborates with international firms in work for multijurisdictional clients as well as Indian companies investing and establishing operations abroad, and is led by Mumbai-based Praveen Raju, a specialist in cross-border M&A, and technology and media-focused Mathew Chacko, based in Bengalaru. At senior associate level, Kochi’s Renuka Abraham is noted for her life sciences expertise, Bengalaru-based Nikhil Joseph specialises in advising US companies investing in India, and Mumbai’s Janhavi Joshi focuses on deals involving new and alternative forms of energy.

Practice head(s):

Praveen Raju; Mathew Chacko

Other key lawyers:

Renuka Abraham; Nikhil Joseph; Janhavi Joshi

Testimonials

‘Mathew Chacko, Nikhil Joseph- excellent lawyers, well versed with Indian laws, commercial issues, practical advice and anticipate issues, able to provide solutions where legally available’

‘Mathew Chacko- outstanding , experienced and handles wide range of legal areas- has depth of knowledge and practical advice Nikhil Joseph- pro-active, sharp , hardworking and enthusiastic. understands the issues and provided practical solutions’

‘Very responsive team. Collaborative and good to work with.’

‘Praveen Rajiv and Matthew Chacko are great operators. They have good teams and provide very responsive advice to clients. Our experience is that they have particularly good experience and expertise in the technology sector.’

‘Knowledge, appropriate staffing and discipline – some of the key virtues.. to ensure quality service they have ended up refusing mandates when there are bandwidth issues; giving full justice to the work assigned and fighting hard to protect client interest (this includes fighting with the client as well.’

‘Dedicated focus and attention. partners have been spending ample time and leading the negotiations from the front.’

‘Praveen has been our go-to person for all legal matters.’

‘Spice Route Legal is a unique gem. They are strategic, business-minded thinkers who are able to provide practical solutions. They are flexible and able to incorporate complexities of US-governed entities. They respond at all hours of the day and night and are highly-skilled. They treat me as if I am their only client, when I know they have many. The partners also place a great emphasis on diversity in hiring outstanding women to be part of their team.’

Key clients

Brandenburg India Private Limited

ESCO Lifesciences

Indian Power Corporation Limited (IPCL)

MLR Auto

Ohmium International Inc.

Savex Technologies Pvt Ltd

Shareholder of ANI Technologies (OLA Cabs)

StudyIQ

SunEdison Infrastructure (Restructuring advisory)

SunEdison Infrastructure (Investments + SEBI advisory)

Work highlights

  • Assisted Savex Technologies, a $2 billion corporation with acquiring a stake in Inflow Technologies.
  • Advising Indian Power Corporation Limited on its US$176 million bid in response to the Indian government’s request for proposals to scale up ACC battery cell manufacturing in India.
  • Advising SunEdison Infrastructure on a complex restructuring, involving the hive-off of several businesses and re-domiciling to the UK.

Intellectual property Tier 4

Spice Route Legal is an up-and-coming firm in the broad technology space and its offering in intellectual property law is characterised by expertise in transactional IP and IP disputes. On the contentious side, a standout matter sees practice head Mathew Chacko leading advice to crowdfunding platform Milaap on a dispute with Google alleging trademark infringement relating to Google’s AdWords service. In November 2021 the firm strengthened its offering with the addition of senior associate Adithya Jayaraj.

Practice head(s):

Mathew Chacko

Other key lawyers:

Adithya Jayaraj

Testimonials

‘Quick, easily accessible, practical, very supportive and mostly have a good understanding of our business.’

‘We recommend Adithya Jayaraj and Matthew Chacko.’

‘SRL is different and we are very happy with them as a whole.’

‘I find the team up to date with the latest law on the subject. The team regularly updates its clients in respect of the law, writes and analyses various judgments pronounced by various courts from time to time in India and abroad. They provide complete support in the matter starting from drafting the pleadings, and providing case laws on the points raised. In prosecution matters, guides the clients about the registrability of any intellectual property.’

‘They are able to answer all queries. Instructions provided are very clear and always in the best interest of the client. Always discuss the best case and worst case for the clients. Able to handle matters and work extensively with foreign law firms which gives them an understanding of the foreign law on the aspect.’

Key clients

Meta Inc.

Disney+ Hotstar

Lenovo

Airtel

HDFC Bank

SunEdison

Pernod Ricard

Milaap (client for 5 years)

Agilon Health

ASM

Cardiotrack

EnRecover

IBBIC

IdeaForge

Iosynth Labs

LetsDaily India Private Limited (trading as Daily Basket)

Neogen Chemicals

Ohmium International Inc.

OkCredit

Saveo

Strand Lifesciences

Tricog

Urban Company

Work highlights

  • Representing Milaap in a dispute with Google and Impact Guru over contributory trademark infringement involving Google Adwords.
  • Advising OkCredit on over 30 trademark filings.
  • Assisting Meta with content licensing both nationally and internationally, including more than 3,000 pieces of content across Asia Pacific.

India > Private equity and investment funds Tier 4

The team at Spice Route Legal dispenses advice on exits, Series A to Series C investment deals, and regulatory issues for both investee and investor clients. Praveen Raju heads the practice from Mumbai, alongside Mathew Chacko, who leads from Bangalore. Raju directs his focus towards advising on investment transactions in the healthcare, life sciences, and alternative energy sectors, whilst Chacko handles matters relating to the technology and media sectors.

Practice head(s):

Praveen Raju; Mathew Chacko

Testimonials

‘SRL team is unique as along with providing the legal support, they think about the commercial or holistic aspects of the clauses while supporting on transaction documents.’

‘The team is very approachable and always give their best.’

Key clients

Bizmo Technologies Pte. Ltd.

Butterfly Innovations Private Limited (CollPoll)

Esco Micro Pte. Ltd.

Finarkein Analytics Private Limited

Foundamental GmBH

India Filings (Verve Financial Services Private Limited)

Jambox Games Pte.

Java Capital

LetsKrypto

McLaren Fund

MoneyView

Nimai Trade Fintech

Prana Health Inc.

Pillow Fund

Sequoia Capital

Season2 Ventures

Shareholders of ANI Technologies (OLA Cabs)

SILRES Energy Solutions

WeGot Utilities

Ninjakart

Work highlights

  • Advised Esco Micro Pte. Ltd. on successfully raising a Series A investment from a club of investors consisting of Novo Holdings, Vivo Capital, EDBI, and China Investment Corp. It is the largest private fundraising round by an Asia-based life sciences tools company.
  • Acted on the exit of shareholders of ANI Technologies, after its buyout by private equity funds managed by Warburg Pincus LLC.
  • Advised MoneyView on a Series C fund infusion, then on venture debt funding from Alteria Capital India Fund and Stride Ventures Debt Fund II.

Spice Route Legal > Firm Profile

Spice Route Legal is a law firm that is recognised as a leader in the provision of border- agnostic legal services in India. The firm is often retained (i) to negotiate and close complicated multi-jurisdictional deals, (ii) to advise on issues at the intersection of technology, business, and law, (iii) to accurately evaluate and mitigate regulatory and legal risks; and (iv) to assist on complicated disputes.

With market-leading practices in mergers and acquisitions, private equity, technology, media and telecommunications, data and fintech, energy and renewables, healthcare, pharmaceuticals, and life sciences, intellectual property and disputes, the firm regularly advises clients on some of the most complex cross border mandates that involve India.

For more details, please see www.spiceroutelegal.com.

Main practice areas
Corporate and M&A: The firm advises on a full spectrum of corporate transactions in today’s increasingly global marketplace. In addition to mainstream M&A, the firm has been involved in some of the most challenging private equity, venture capital, take privates, spin offs and corporate restructurings that involve India. Today, Spice Route Legal is the ‘go to’ firm for Indian companies with global M&A or investment ambitions and for non-Indian companies investing in India.

Private equity and venture capital: Our private equity and venture capital practice is widely applauded for our cutting-edge, cross-jurisdictional work involving investments in technology, fintech, big data, energy and healthcare. The firm has a 360-degree approach to fund structuring – advising PE funds on investments, deal structuring, tax and regulatory approvals, and IPOs and distressed acquisitions, and has advised some of the most prolific investors in the region.

Technology, media and telecommunications: Spice Route Legal has, over the last six years, established itself as India’s largest and most sophisticated TMT practice. The practice is hyperspecialised with lawyers focusing on Artificial Intelligence, Big Data, Licensing, Ad-Tech, HR-Tech, Aviation Tech, E-commerce, SAAS, Ed-tech, Digital Media, Gaming, Sports, Social Media, Telecommunications, Cleantech and Proptech.

Data protection, privacy and cybersecurity: The firm’s data protection, privacy and cybersecurity team combines strong technical and legal credentials, an appreciation of the global nature of data and a network of the best technology, data and information lawyers in the world, to advise on increasingly global data, privacy and cybersecurity mandates. As South Asia’s largest data practice, the firm regularly advises on international data flows, cybersecurity and data risk, privacy concerns, disputes involving data, incident reporting, localisation strategies, employment and health data issues and structuring whistleblowing hotlines and ethics investigations.

Fintech and financial sector regulatory: Spice Route Legal regularly advises and assists most of the prominent names in the financial services sector in India. With the ability to structure products, identify and mitigate technology, intellectual property, data and financial sector regulatory risks, the team straddles multiple practice areas to seamlessly advise banks, financial institutions, startups, credit rating agencies, investors and ‘brick & mortar’ companies.

Intellectual property: Spice Route Legal’s expertise in advising on complex questions of IP is widely recognised, having advised on some of the most contentious disputes and assisted on some of the most complex transactions that involve intellectual property. In 2021, the firm has been at the forefront of the evolving contributory infringement jurisprudence in India, of the recognition of the doctrine of prosecution history estoppel, of some of the largest IP disposals and of defending multiple actions by patent trolls. The firm’s uniquely integrated IP team offers corporations the ability to rely on it for advice on the protection, monetisation, licensing and sale of IP and for disputes involving IP.

Energy, renewables and sustainability: Since formation, Spice Route Legal has been a trusted advisor to energy clients. The firm’s practice focuses on the future of energy, i.e. new and alternate sources of energy. The firm has worked with multiple companies within the clean and renewable energy space, and is well regarded as a market leader in alternative energy, renewables and sustainability.

In addition to complex restructuring and investment advisory for its Energy clients, the firm has also assisted clients with several project development and project finance mandates, in the solar, wind, and hydrogen fuel technology sub-sectors. A recent specialisation and interest in electric mobility mandates has broadened the firm’s expertise within the energy space to include this most exciting and nascent sector, as well.

Healthcare, pharmaceuticals and life sciences: As a hyper industry focused firm that combines the M&A, regulatory, data and IP expertise of its founders, lifesciences is a natural sector specialisation. Over the last few years, the practice has grown exponentially into a 360-degree life sciences and health-tech focused practice, encompassing a range of practice areas including corporate/M&A, regulatory, IP, commercial agreements, and data practices.

The firm’s portfolio of clients boasts of companies and their investors across the life sciences industry, including in the pharmaceuticals, biotech, veterinary, diagnostics, medical devices, and health-tech sectors. The practice comprises of a team of five lawyers primarily focusing on the corporate M&A and PE-VC transactions in the life sciences space and a team of six lawyers who focus on regulatory, data, technology, IP and commercial contracts.

Litigation, arbitration and dispute resolution: Our disputes practice is uniquely structured to function as a part of our industry practice groups. As such, the team tends to focus on disputes involves tech, media or telecom companies, corporate governance, shareholder disputes, intellectual property, financial services regulatory issues, competition law or data privacy.

Sports and entertainment: Spice Route Legal advises some of the world’s leading sportspeople, teams, agencies and regulatory bodies on a host of contentious and non-contentious matters. Relying on traditional strengths in licensing, governance, disputes, intellectual property and privacy, we offer a one-stop legal solution for all entities involved in sports.

International work: Spice Route Legal’s “border agnostic” model of providing seamless solutions for cross border legal issues by relying on a wide network of friends is acknowledged as a market first. Relying on this network, the firm has:

  • Assisted India’s largest telecom conglomerate on a global transaction involving over 40 countries;
  • Assisted India’s leading rice manufacturer with conducting a purchase of assets in 60 countries;
  • Assisted a German investment fund focused in the Industrials, Chemicals and Logistics sector on investments in eight countries in the Asia-Pacific;
  • Assisted a leading Indian mobility player with conducting a 23-country regulatory, technology and risk analysis;
  • Assisted some of India’s leading technology companies with entering markets in Asia, Europe, Africa and the Americas;
  • Assisted in designing and implementing global data protection and compliance strategies;
  • Assisted in global intellectual property portfolio management;
  • Led multiple cross border venture capital and private equity deals.

Main Contacts

DepartmentNameEmailTelephone
Head of TMT, Data Protection and Privacy and Fintech Mathew Chackomathew@spiceroutelegal.com
Head of Corporate, M&A and PE-VC, Energy, Renewables & Sustainability, Healthcare, Pharmaceuticals & Life Sciences Praveen Rajupraveen@spiceroutelegal.com
Fintech & Financial Sector Regulatory Ankita Hariramaniankita.hariramani@spiceroutelegal.com
Data Protection, Privacy & Cybersecurity Aadya Misraaadya.misra@spiceroutelegal.com
Corporate, M&A and PE-VC Renuka Abrahamrenuka.abraham@spiceroutelegal.com
Corporate, M&A and PE-VC Nikhil Josephnikhil.joseph@spiceroutelegal.com
Projects and Energy Janhavi Joshijanhavi.joshi@spiceroutelegal.com

Languages

English
Hindi
Tamil
Telugu
Kannada
Malayalam
Spanish
French
Marathi
Bengali
Gujarati

Memberships

International Bar Association
IAPP
ITechLaw

Diversity


Spice Route Legal is an equal opportunity employer, encouraging the growth of all stakeholders, regardless of gender, sexual orientation, marital status, disability, age, religion, caste, race, region, or ethnicity.

As of December 2020, the firm comprises of (i) more people who identify themselves as female than any other gender, (ii) a not insignificant group of stakeholders who do not conform to traditional notions of hetero-normativity, (iii) people who identify as atheists, as well as believers in 7 distinct religions, and (iv) people from 12 different Indian states, spanning most corners of the country.

 

Legal Developments

A GUIDE TO THE DATA PROTECTION BILL, 2021

11th January 2022 India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”). 

WHAT ARE GREEN BONDS?

4th January 2022 A Green Bond is a fixed-income debt instrument, like a regular bond, which is specifically earmarked for financing ‘green’ projects such as renewable energy projects, clean transportation projects, water management projects etc. It encourages sustainability and has numerous goals - from climate change mitigation to energy efficiency, and the prevention of pollution etc.[1].

Cybersecurity Laws in India: Is It Time for a Regime Change?

4th August 2021
  1. Introduction
Given the expansive range of India’s software infrastructure, India is also prone to the highest number of cybersecurity incidents. In 2021 alone, these incidents ranged from the unauthorised access and dissemination of the personal data of about 4.5 million customers of a top Indian airline company[1] to the leakage of approximately 180 million users’ personal data from a renowned food chain’s database[2]. A recent report by Check Point Research (“CPR”) identifies India as the most impacted country in terms of cyber-attacks – organisations in India witness approximately 213 weekly ransomware attacks, on average[3]. As per the findings of The State of Ransomware 2021 survey by a cybersecurity firm Sophos, about 68% of the affected Indian organisations whose data was hacked in the year 2020-21 resorted to the payment of ransom to recover their data.[4]Despite the clear urgency and importance of promoting stringent cybersecurity and data protection practices in India, the Indian government has been unable to effectively legislate on the issues of comprehensive data protection, privacy, and cybersecurity law. India’s legal regime continues to follow a fragmented and piecemeal approach towards both cybersecurity and data privacy. The laws governing such issues include but are not limited to -
  • The Indian Penal Code, 1860 (“IPC”),
  • The Information Technology Act, 2000 (“IT Act”), and
  • various sectoral regulations, discussed in detail below.
The Supreme Court of India has, in a recent special leave petition filed in the case of Jagjit Singh v. State of Punjab[5], held that the offence of hacking and data theft would not only be an offence under the provisions of the IT Act, but would also constitute criminal misappropriation under the IPC.  The application of a criminal statute that is over a century and a half old merely muddies the waters – and therefore, this note focuses on the more modern regulations, the IT Act and the various sectoral regulations.
  1. The Information Technology Act, 2000
    • Reasonable Security Practices and Procedures
Under Section 43A of the IT Act, companies are required to implement “reasonable security practices and procedures” to protect information from unauthorised access, damage, use, modification, disclosure, or impairment. In accordance with the said provision, the Indian government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). These rules are significant as they set out the country’s existing data protection regime.As per the  SPDI Rules, a body corporate is said to have complied with “reasonable security practices and procedures” if it has implemented policies that contain managerial, technical, operational, and physical security control measures that are proportionate to the information assets it seeks to protect. In furtherance to this, these entities are also required to enforce a comprehensive documented information security practice and policy.The SPDI Rules have identified IS/ISO/IEC 27001, as specific international standards which may be implemented by body corporates to fulfil the “reasonable security practices” requirement under existing laws. This is, of course, not mandatory.
    • Offences
Companies that cause wrongful loss to any person, due to their negligence in the implementation of reasonable security practices and procedures, are liable to pay compensation  up to INR 5,00,00,000. The compensation award is adjudicated upon by an officer appointed by the Central Government, after the officer has conducted an inquiry into the claim.If a claim exceeds the prescribed amount above, the dispute is heard by the competent court that has monetary jurisdiction over the claim. Appeals against the orders of an adjudicating officer are heard by the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”), a body that was initially set up to adjudicate disputes within the telecom sector. Appeals against decisions of the TDSAT are heard before the High Courts of the respective states in the country.Further, the IT Act also penalises body corporates for other cybersecurity-related offences such as unauthorised access, extraction, damage, disruption, or denial of services in respect of computers and computer networks, the intentional tampering of source codes that are required to be maintained by law, identity thefts, and the dishonest receipt of stolen computer resources or communication devices. Each of these offences is separately punishable with both imprisonment (which may extend up to 3 years) and/or a fine ranging from INR 100,000 to 500,000, depending on the nature of the offence.
    • Computer Emergency Response Team (CERT-In)
The Indian Government requires entities to notify authorities about cybersecurity incidents, including personal data breaches, through the rules governing its Computer Emergency Response Team (“CERT-In”). The CERT-In is an agency established under the IT Act, and acts as the nodal authority for cybersecurity related matters in India. CERT-In’s primary functions include responding to cybersecurity incidents, predicting and preventing cybersecurity incidents, undertaking analysis and forensics of cybersecurity incidents, and also issuing emergency measures and advisory guidances to tackle such incidents. The scope of CERT-In’s support varies on a case-to-case basis, and depends on factors such as the type and severity of the incident, the affected entity or individuals, and CERT-In’s available resources at the time of occurrence of the incident.Unlike other jurisdictions which have adopted a harm-based approach to determine whether a security incident should be reported to the relevant authorities, the IT Act and the rules issued thereunder instead make it mandatory to report certain types of security incidents to CERT-In, within a reasonable period of time. These include –
  1. the targeted scanning or probing of critical networks or systems;
  2. a compromise of critical systems or information;
  3. the unauthorised access of information technology systems or data;
  4. the defacement of or intrusions into websites, and unauthorised changes to websites;
  5. malicious code attacks and attacks on servers;
  6. identity thefts, spoofing, and phishing attacks;
  7. the denial of service and distributed denial of service attacks;
  8. attacks on critical infrastructure, supervisory control and data acquisition (SCADA) systems, and wireless networks; and
  9. attacks on applications like e-governance and e-commerce.
The law prescribes a penalty for non-compliance with the reporting requirement mentioned above. Additionally, if a service provider, intermediary, data centre, company or any person fails to provide the information required by CERT-In, or fails to comply with any direction issued by CERT-In, they shall be liable for imprisonment up to one year, or a fine or both.The CERT-In has started to play a more active role in ensuring that organisations affected by specific cybersecurity incidents comply with the mandatory incident notification requirements. In January 2021, CERT-In issued an advisory guidance to organisations on the management of data breaches and security incidents, and recommended the best practices to be complied with, in this regard.
    • Protected Systems
The IT Act provides a legal framework for critical information infrastructure in India – which comprises of computer resources that have a significant impact on national security, economy, public health, or safety. Consequently, the government may – (i) classify systems that impact critical information infrastructure as protected systems, (ii) selectively authorise the individuals who may access such protected systems, and (iii) prescribe additional information security practices and procedures for these protected systems.Currently, protected systems in India are limited to those that relate to government functions. All protected systems must follow the 2015 guidelines published by the National Critical Information Infrastructure Protection Centre (“NCIIPC”), which is the nodal agency for the protection of critical information infrastructure.
    • Intermediaries
Intermediaries such as internet, network, and telecom service providers, web hosting service providers, search engines, payment sites, online market places and other digital players are further required to follow additional cybersecurity obligations under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. For instance, they are required to contractually impose obligations on the users to prevent them from using the intermediaries’ services in a manner that affects functionality through the introduction of viruses, or any other malicious file, code, or program.Further, these intermediaries are bound to cooperate with the government and its various governmental agencies on the investigation, detection, and prevention of cybersecurity offences or incidents. Some intermediary obligations in the face of such incidents include (i) the sharing of information under their control or possession, (ii) assisting such agencies, upon a request for information, within 72 hours of communication of the request, and finally, (iii) diligently reporting cybersecurity incidents to CERT-In.Intermediaries are usually provided with a certain level of protection known as the “safe harbour” principle to avoid any liability that could arise from the misuse of their resources by third party users of their platform. However, upon their failure to comply with the government’s instructions in respect of users’ offences, an intermediary may lose its safe harbour protection.
  1. Sectoral Regulations
Sectoral regulations on cybersecurity are common in India. Regulations have been issued in respect of the following sectors: (a) financial services, (b) health services, (c) telecommunications, (d) insurance, and (e) securities law. With the exception of the financial services sector, these regulations continue to be fairly “light touch”, as far as cybersecurity and data protection are concerned. An overview of the relevant regulations are set out below.
    • Financial Services
The Reserve Bank of India (“RBI”) has introduced a comprehensive cybersecurity framework for banks and payment system operators that include mandatory breach notifications, regular audits and threat assessments, and the implementation of anti-phishing technology. Banks are required to formulate a comprehensive board-approved information security policy and cyber crisis management plan outlining their preparedness indicators for potential cyber-attacks. They must also report all cybersecurity incidents to RBI, within 2-6 hours of discovering the breach. The RBI has been at the forefront of multiple enforcement actions, including by way of imposing fines on banks and on alternative financing institutions due to their non-compliance in this regard.
    • Health
The government has prescribed Electronic Health Records Standards under the Clinical Establishment (Regulation and Registration) Act, 2010, based on global information security standards such as ISO/HL 7, ISO/IEC 27002, and ISO/TS 14441:2013. Further, in the year 2020, it also launched the National Digital Health Mission, whose aim was to create an efficient healthcare eco-system based on the integration of digital health data and infrastructure. This policy initiative mandates the adoption of ISO/TS 17975:2015 for consent management and the International Standard on Fast Healthcare Interoperability Resources (FHIR) - R4 Specification for the electronic exchange of healthcare information.
    • Securities Market
Given the crucial part played by digital information in the stock market’s day to day dealings, entities in the sector are held to high standards as far as cybersecurity and data protection is concerned. Comprehensive cybersecurity policies are required to be implemented by stock exchanges, depository participants, asset management companies, and mutual fund companies. Such policies need to be modelled on the NCIIPC’s principles. Regulated entities must also set up information technology committees, designate senior officials to oversee the compliance of the policies, and implement technical measures to protect their assets and infrastructure.
    • Telecom Sector
The Telecom Regulatory Authority of India regulates telephone operators and service providers and prescribes the security and infrastructure requirements that need to be fulfilled as a condition for their continued operation. Licensed telecom service providers have to comply with the ISO/IEC 15408, ISO 27000, 3GPP, and 3GPP2 security standards, among others. The certification for the same can only be issued by authorised agencies in India unless specifically approved by the Department of Telecommunication. Further, organisations must undertake regular audits and implement security management policies and practices. In order to operate, these service providers are also required to contractually impose their information security requirements on all vendors and suppliers that they work with.
    • Insurance Sector
The Insurance Regulatory and Development Authority (“IRDAI”) regulates the insurance sector in India. In 2017, it issued guidelines on information security and cybersecurity for insurers, to emphasise the need to maintain the confidentiality and integrity of data in a robust manner. In furtherance of this objective, the IRDAI requires insurers to appoint a chief information security officer, to form an information security committee, to put together a cyber crisis management plan, formulate information and cybersecurity assurance programmes, undertake adequate security safeguards to protect data, and implement adequate processes to identify and mitigate risks, etc.
  1. Enforcement Trends Across Sectors
In recent years, the TDSAT has actively awarded damages to aggrieved individuals, for cybersecurity lapses within the telecommunications sector. In this regard, most cases have arisen within the financial services space, due to the negligence of financial institutions in implementing reasonable security standards and safeguards. Generally, the damages awarded have not exceeded the actual loss (together with interest).In the financial sector, the RBI has diligently imposed penalties of up to INR 1,00,00,000 on financial institutions, for their non-compliance with the RBI’s cybersecurity requirements. It is pertinent to note that the imposition of a penalty by the RBI on a banking company precludes the initiation of legal proceedings against the said company before courts of law.Of late, the CERT-In has also started to play an active role in the enforcement of breach notification obligations, and has called upon organisations that are affected by cybersecurity incidents to furnish information pertaining to the incidents in question.Additionally, the government has launched the National Cyber Crime Reporting Portal in 2020-21, that enables citizens to report cybercrimes online. This reporting is then followed up with an investigation by the appropriate law enforcement agencies.
  1. Conclusion
The fragmented regulatory landscape of cybersecurity in India has resulted in much confusion, with cybercrimes being prosecuted under either ambiguous or archaic statutes. The often confusing tapestry of regulations results in ineffective implementation, and more often than not, entities are unable to derive normative guidance from these regulations due to their ambiguous nature.A comprehensive and instructive cybersecurity law, aided by specialist regulation on an as-needed basis, is crucial for the development of the cybersecurity regime in India. Otherwise, the courts, enforcement agencies, and regulators will continue to attempt to mould old regulations in unintended ways, and struggle to address many of the constantly evolving cybersecurity issues.
ABOUT THE AUTHORS:MATHEW CHACKOMathew is the Head of the Technology, Media & Telecommunications practice group at Spice Route Legal, and is recognised as a leading Indian lawyer by several national and international directories. With close to two decades of experience, he advises on a variety of cross-border corporate and commercial transactions, including in relation to investments, fund-formation, technology laws, data privacy, intellectual property, commercial and regulatory compliance, tech law disputes, and risk mitigation strategy.AADYA MISRAAadya is a senior associate with the firm’s Technology, Media and Telecommunications practice group, with a special focus on, and extensive experience in, handling data protection, cybersecurity and privacy mandates. Recognised as a Rising Star by The Legal500 in 2020, Aadya regularly works with domestic and international market leaders in industries, ranging from financial services, and blockchain, to telecommunications, consumer retail, and emerging technologies.SAMYUKTA RAMASWAMY Samyukta is an associate with the firm’s Data Protection, Privacy and Cybersecurity practice, within the broader TMT Practice Group, with a focus on cloud services and cybersecurity mandates. She assists clients with structuring their data protection practices, procedures and policies to demonstrate compliance with applicable laws, and advises them on a range of issues including international data transfers, data breach response and management, and risk mitigation.
[1]https://www.bloomberg.com/news/articles/2021-05-22/cyber-attack-on-air-india-led-to-data-leak-of-4-5-million-fliers[2]https://www.hindustantimes.com/india-news/dominos-pizza-data-breach-company-says-financial-information-safe-as-data-of-180-million-users-compromised-101621855567340.html[3] https://tech.hindustantimes.com/tech/news/india-saw-the-highest-number-of-ransomware-attacks-in-2021-report-71621331517413.html.[4] https://www.livemint.com/news/india/67-of-indian-organizations-paid-a-ransom-to-get-their-data-back-sophos-survey-11622526811992.html[5] Jagjit Singh v. The State of Punjab, Special Leave Petition Criminal No(s). 3583/2021.

FASTER ADOPTION AND MANUFACTURING OF (HYBRID &) ELECTRIC VEHICLES IN INDIA (FAME) – WHAT’S NEW

5th July 2021

INTRODUCTION

The turn of the decade marks the beginning of a new era for the Indian automotive industry. With increasing pressure from environmental lobbyists for the reduction of carbon emissions, and the push for adoption of electric vehicles (EVs) by Central and State Governments, the Indian automobile industry is all set for a dynamic shift from Internal Combustion Engines (ICE) to Battery Operated Vehicles (BOVs). According to an independent study conducted by the Council on Energy, Environment and Water (CEEW), India’s EV market could be worth USD 206 billion by 2030.1 The Indian Government has taken various initiatives to ease the transition into the upcoming EV market. One such major initiative was the Faster Adoption and Manufacturing of (Hybrid &) Electric Vehicles in India (FAME) scheme. In this article we have highlighted some important initiatives taken under India’s FAME-I and FAME-II policies and its recent amendments by the Government for the promotion of the EV industry in India.

Data Protection, Privacy, and Cybersecurity: An Update

28th June 2021

May 2021

The past few months have seen the data, privacy, and cybersecurity space in India bustling with activity. While a final draft of the much-awaited data protection bill remains to be seen, there have nonetheless been significant developments initiated by various sectoral regulators.

    Top Tier Firm Rankings

  • Data protection
  • Life sciences and healthcare

    Firm Rankings

  • Fintech and financial services regulatory
  • Projects and energy
  • TMT
  • Corporate and M&A
  • Intellectual property
  • Private equity and investment funds
  • Twitter
  • Email
  • YouTube
  • Facebook
  • LinkedIn
© 2023 Legalease Ltd. All rights reserved
Registered company in England & Wales No. 2427356 VAT 321572722
Registered address: 188 Fleet Street, London, EC4A 2AG
  • Data Protection policies
  • |
  • Cookies Policy
  • |
  • FAQs
  • |
  • Contact Us
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settings ACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
__RequestVerificationTokensessionThis cookie is set by web application built in ASP.NET MVC Technologies. This is an anti-forgery cookie used for preventing cross site request forgery attacks.
ep20130 minutesThis cookie is set by Wufoo for load balancing, site traffic and preventing site abuse.
PHPSESSIDsessionThis cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
uc_sessionsessionThis cookie is set by Dropbox and is used for the 'save to Dropbox' functionality. This cookie stores user session IDs.
viewed_cookie_policy1 yearThe cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
CookieDurationDescription
__gpi1 year 24 daysGoogle Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.
ANONCHK10 minutesThe ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE1 year 24 daysGoogle DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID1 year 24 daysBing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
SRM_B1 year 24 daysUsed by Microsoft Advertising as a unique ID for visitors.
test_cookie15 minutesThe test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE5 months 27 daysA cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSCsessionYSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devicesneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-idneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
CookieDurationDescription
hidsessionNo description available.
tableau_localesessionNo description available.
tableau_public_negotiated_localesessionNo description available.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
CookieDurationDescription
__gads1 year 24 daysThe __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga1 year 1 month 4 daysThe _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*1 year 1 month 4 daysGoogle Analytics sets this cookie to store and count page views.
_gat_UA-*1 minuteGoogle Analytics sets this cookie for user behaviour tracking.
_gid1 dayInstalled by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT2 yearsYouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
MR7 daysThis cookie, set by Bing, is used to collect user information for analytics purposes.
SMsessionMicrosoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
Save & Accept