Spice Route Legal > Firm Profile

Spice Route Legal is recognised as a leader in the provision of ‘border- agnostic’ legal services in India. The firm is often retained (i) to negotiate and close complicated multijurisdictional deals, (ii) to advise on regulatory, licensing and IP issues at the intersection of technology, financial services, business, and law, (iii) to accurately evaluate and mitigate regulatory and legal risks; and (iv) to assist on complicated dispute resolution.

With market-leading practices in mergers and acquisitions, private equity, venture capital, technology, media and telecommunications, data, fintech, sports, pharmaceuticals, lifesciences and healthcare, intellectual property and disputes, the firm regularly advises on some of the most complicated cross border matters that involve India.

For more details, please see www.spiceroutelegal.com

Main practice areas
Corporate and M&A: The firm advises on a full spectrum of corporate transactions in today’s increasingly global marketplace. In addition to mainstream M&A, the firm has been involved in some of the most challenging private equity, venture capital, going private, spin offs and corporate restructurings that involve India. Today, we are the ‘go to’ firm for Indian companies with global M&A or investment ambitions and for non-Indian companies investing in India.

Private equity: Our private equity and venture capital practice is widely applauded for our cutting-edge, cross-jurisdictional work involving investments in technology, fintech, big data, energy and healthcare. The firm has a 360-degree expertise from fund structuring to advising PE funds on acquisitions, deal structuring, tax, regulatory approvals, IPOs and distressed acquisitions and advises some of the most prolific investors in the region.

Technology, media and telecommunications: Spice Route Legal’s TMT practice is the largest in India and brings with it a keen appreciation of all matters of technology, media, telecommunications, convergence, data, regulatory and intellectual property. The practice assists close to one-third of the global technology companies with operations in India and close to half of India’s emerging technology and media behemoths.  Our TMT practice is increasingly regional in nature with the ability to rely on some of the best TMT lawyers across the world to structure innovative cross-jurisdictional solutions to some of the vexing problems that haunt these industries.

Data protection, privacy and cybersecurity: Our data protection, privacy and cybersecurity team combine strong technical and legal credentials, an appreciation of the global nature of data and a network of the best technology, data and information lawyers in the world, to advise on increasingly global data, privacy and cybersecurity mandates. As South Asia’s largest data practice, we regularly advice on international data flows, cybersecurity and data risk, privacy concerns, disputes involving data, incidence reporting, localization strategies, employment and health data issues and structuring whistleblowing hotlines and ethics investigations.

Fintech: Spice Route Legal regularly advises and assists most of the prominent names in fintech in India. With the ability to structure products, identify and mitigate technology, intellectual property, data and financial sector regulatory risks, our fintech team straddles multiple practice areas to seamlessly advise banks, financial institutions, startups, credit rating agencies, investors and ‘brick and mortar’ companies as they grapple with the challenge of disrupting the market for financial services.

Intellectual property: Spice Route Legal’s expertise in advising on complex questions of IP is widely recognized, having lead some of the most contentious disputes and assisted on some of the most complex transactions that involve intellectual property. In 2020, we have been at the forefront of the development of contributory infringement of IP, of the recognition of the doctrine of prosecution history estoppel, of some of the largest IP disposals and of defending multiple actions by patent trolls. The firm’s uniquely integrated IP team offers corporations the ability to rely on it for advice on the protection, monetisation, licensing and sale of IP and for disputes involving IP.

Energy and sustainability: Spice Route Legal’s energy and sustainability group focuses on clients at the forefront of the transition to a low carbon economy. Our expertise ranges from M&A, regulatory issues, to setting up wind and solar farms, setting up (or participating in) a carbon trading ecosystem, electric vehicles and batteries and evolving innovative financing solutions for the rapidly evolving ecosystem in India.

Sports: Spice Route Legal advises some of the world’s leading sportspeople, teams, agencies and regulatory bodies on a host of contentious and non-contentious matters. Relying on traditional strengths in licensing, governance, disputes, intellectual property and privacy, we offer a one-stop legal solution for all entities involved in sports.

Healthcare, pharmaceuticals and lifesciences: Spice Route Legal has a well-established pharmaceuticals, lifesciences and healthcare practice.  The team regularly advises manufacturers of pharmaceuticals, intermediaries and chemicals, biotech companies, manufacturers of medical devices and other players in the lifesciences industry on wide range of matters including financings, M&A, corporate structuring, litigation, data privacy, intellectual property, licensing, regulatory issues and competition law.

Disputes: Our disputes practice is uniquely structured as a part of our industry practice groups. As such, the team tends to focus on disputes involves tech, media or telecom companies, corporate governance, shareholder disputes, intellectual property, financial services regulatory issues, competition law or data privacy.

International work
Spice Route Legal’s “border agnostic” model of providing seamless solutions for cross border legal issues by relying on a wide network of friends is acknowledged as a market first. Relying on this network, the firm has:

• Assisted India’s largest telecom conglomerate on a global transaction involving over 40 countries.
• Assisted India’s leading rice manufacturer conduct a purchase of assets in 60 countries;
• Assisted a German investment fund focused in the Industrials, Chemicals and Logistics sector on investments in six countries in the Asia-Pacific;
• Assisted a leading Indian mobility player conduct a 23-country regulatory, technology and risk analysis;
• Assisted some of India’s leading technology companies enter markets in Asia, Europe, Africa and the Americas; and
• Assisted multiple companies on venture capital and private equity fund raises in the US, Singapore, and the UK.

Legal Developments

Cybersecurity Laws in India: Is It Time for a Regime Change?

4th August 2021

1. Introduction

Given the expansive range of India’s software infrastructure, India is also prone to the highest number of cybersecurity incidents. In 2021 alone, these incidents ranged from the unauthorised access and dissemination of the personal data of about 4.5 million customers of a top Indian airline company[1] to the leakage of approximately 180 million users’ personal data from a renowned food chain’s database[2]. A recent report by Check Point Research (“CPR”) identifies India as the most impacted country in terms of cyber-attacks – organisations in India witness approximately 213 weekly ransomware attacks, on average[3]. As per the findings of The State of Ransomware 2021 survey by a cybersecurity firm Sophos, about 68% of the affected Indian organisations whose data was hacked in the year 2020-21 resorted to the payment of ransom to recover their data.[4] Despite the clear urgency and importance of promoting stringent cybersecurity and data protection practices in India, the Indian government has been unable to effectively legislate on the issues of comprehensive data protection, privacy, and cybersecurity law. India’s legal regime continues to follow a fragmented and piecemeal approach towards both cybersecurity and data privacy. The laws governing such issues include but are not limited to -

• The Indian Penal Code, 1860 (“IPC”),
• The Information Technology Act, 2000 (“IT Act”), and
• various sectoral regulations, discussed in detail below.

The Supreme Court of India has, in a recent special leave petition filed in the case of Jagjit Singh v. State of Punjab[5], held that the offence of hacking and data theft would not only be an offence under the provisions of the IT Act, but would also constitute criminal misappropriation under the IPC.  The application of a criminal statute that is over a century and a half old merely muddies the waters – and therefore, this note focuses on the more modern regulations, the IT Act and the various sectoral regulations.

2. The Information Technology Act, 2000

• • Reasonable Security Practices and Procedures

Under Section 43A of the IT Act, companies are required to implement “reasonable security practices and procedures” to protect information from unauthorised access, damage, use, modification, disclosure, or impairment. In accordance with the said provision, the Indian government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). These rules are significant as they set out the country’s existing data protection regime. As per the  SPDI Rules, a body corporate is said to have complied with “reasonable security practices and procedures” if it has implemented policies that contain managerial, technical, operational, and physical security control measures that are proportionate to the information assets it seeks to protect. In furtherance to this, these entities are also required to enforce a comprehensive documented information security practice and policy. The SPDI Rules have identified IS/ISO/IEC 27001, as specific international standards which may be implemented by body corporates to fulfil the “reasonable security practices” requirement under existing laws. This is, of course, not mandatory.

• • Offences

Companies that cause wrongful loss to any person, due to their negligence in the implementation of reasonable security practices and procedures, are liable to pay compensation  up to INR 5,00,00,000. The compensation award is adjudicated upon by an officer appointed by the Central Government, after the officer has conducted an inquiry into the claim. If a claim exceeds the prescribed amount above, the dispute is heard by the competent court that has monetary jurisdiction over the claim. Appeals against the orders of an adjudicating officer are heard by the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”), a body that was initially set up to adjudicate disputes within the telecom sector. Appeals against decisions of the TDSAT are heard before the High Courts of the respective states in the country. Further, the IT Act also penalises body corporates for other cybersecurity-related offences such as unauthorised access, extraction, damage, disruption, or denial of services in respect of computers and computer networks, the intentional tampering of source codes that are required to be maintained by law, identity thefts, and the dishonest receipt of stolen computer resources or communication devices. Each of these offences is separately punishable with both imprisonment (which may extend up to 3 years) and/or a fine ranging from INR 100,000 to 500,000, depending on the nature of the offence.

• • Computer Emergency Response Team (CERT-In)

The Indian Government requires entities to notify authorities about cybersecurity incidents, including personal data breaches, through the rules governing its Computer Emergency Response Team (“CERT-In”). The CERT-In is an agency established under the IT Act, and acts as the nodal authority for cybersecurity related matters in India. CERT-In’s primary functions include responding to cybersecurity incidents, predicting and preventing cybersecurity incidents, undertaking analysis and forensics of cybersecurity incidents, and also issuing emergency measures and advisory guidances to tackle such incidents. The scope of CERT-In’s support varies on a case-to-case basis, and depends on factors such as the type and severity of the incident, the affected entity or individuals, and CERT-In’s available resources at the time of occurrence of the incident. Unlike other jurisdictions which have adopted a harm-based approach to determine whether a security incident should be reported to the relevant authorities, the IT Act and the rules issued thereunder instead make it mandatory to report certain types of security incidents to CERT-In, within a reasonable period of time. These include –

1. the targeted scanning or probing of critical networks or systems;
2. a compromise of critical systems or information;
3. the unauthorised access of information technology systems or data;
4. the defacement of or intrusions into websites, and unauthorised changes to websites;
5. malicious code attacks and attacks on servers;
6. identity thefts, spoofing, and phishing attacks;
7. the denial of service and distributed denial of service attacks;
8. attacks on critical infrastructure, supervisory control and data acquisition (SCADA) systems, and wireless networks; and
9. attacks on applications like e-governance and e-commerce.

The law prescribes a penalty for non-compliance with the reporting requirement mentioned above. Additionally, if a service provider, intermediary, data centre, company or any person fails to provide the information required by CERT-In, or fails to comply with any direction issued by CERT-In, they shall be liable for imprisonment up to one year, or a fine or both. The CERT-In has started to play a more active role in ensuring that organisations affected by specific cybersecurity incidents comply with the mandatory incident notification requirements. In January 2021, CERT-In issued an advisory guidance to organisations on the management of data breaches and security incidents, and recommended the best practices to be complied with, in this regard.

• • Protected Systems

The IT Act provides a legal framework for critical information infrastructure in India – which comprises of computer resources that have a significant impact on national security, economy, public health, or safety. Consequently, the government may – (i) classify systems that impact critical information infrastructure as protected systems, (ii) selectively authorise the individuals who may access such protected systems, and (iii) prescribe additional information security practices and procedures for these protected systems. Currently, protected systems in India are limited to those that relate to government functions. All protected systems must follow the 2015 guidelines published by the National Critical Information Infrastructure Protection Centre (“NCIIPC”), which is the nodal agency for the protection of critical information infrastructure.

• • Intermediaries

Intermediaries such as internet, network, and telecom service providers, web hosting service providers, search engines, payment sites, online market places and other digital players are further required to follow additional cybersecurity obligations under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. For instance, they are required to contractually impose obligations on the users to prevent them from using the intermediaries’ services in a manner that affects functionality through the introduction of viruses, or any other malicious file, code, or program. Further, these intermediaries are bound to cooperate with the government and its various governmental agencies on the investigation, detection, and prevention of cybersecurity offences or incidents. Some intermediary obligations in the face of such incidents include (i) the sharing of information under their control or possession, (ii) assisting such agencies, upon a request for information, within 72 hours of communication of the request, and finally, (iii) diligently reporting cybersecurity incidents to CERT-In. Intermediaries are usually provided with a certain level of protection known as the “safe harbour” principle to avoid any liability that could arise from the misuse of their resources by third party users of their platform. However, upon their failure to comply with the government’s instructions in respect of users’ offences, an intermediary may lose its safe harbour protection.

3. Sectoral Regulations

Sectoral regulations on cybersecurity are common in India. Regulations have been issued in respect of the following sectors: (a) financial services, (b) health services, (c) telecommunications, (d) insurance, and (e) securities law. With the exception of the financial services sector, these regulations continue to be fairly “light touch”, as far as cybersecurity and data protection are concerned. An overview of the relevant regulations are set out below.

• • Financial Services

The Reserve Bank of India (“RBI”) has introduced a comprehensive cybersecurity framework for banks and payment system operators that include mandatory breach notifications, regular audits and threat assessments, and the implementation of anti-phishing technology. Banks are required to formulate a comprehensive board-approved information security policy and cyber crisis management plan outlining their preparedness indicators for potential cyber-attacks. They must also report all cybersecurity incidents to RBI, within 2-6 hours of discovering the breach. The RBI has been at the forefront of multiple enforcement actions, including by way of imposing fines on banks and on alternative financing institutions due to their non-compliance in this regard.

• • Health

The government has prescribed Electronic Health Records Standards under the Clinical Establishment (Regulation and Registration) Act, 2010, based on global information security standards such as ISO/HL 7, ISO/IEC 27002, and ISO/TS 14441:2013. Further, in the year 2020, it also launched the National Digital Health Mission, whose aim was to create an efficient healthcare eco-system based on the integration of digital health data and infrastructure. This policy initiative mandates the adoption of ISO/TS 17975:2015 for consent management and the International Standard on Fast Healthcare Interoperability Resources (FHIR) - R4 Specification for the electronic exchange of healthcare information.

• • Securities Market

Given the crucial part played by digital information in the stock market’s day to day dealings, entities in the sector are held to high standards as far as cybersecurity and data protection is concerned. Comprehensive cybersecurity policies are required to be implemented by stock exchanges, depository participants, asset management companies, and mutual fund companies. Such policies need to be modelled on the NCIIPC’s principles. Regulated entities must also set up information technology committees, designate senior officials to oversee the compliance of the policies, and implement technical measures to protect their assets and infrastructure.

• • Telecom Sector

The Telecom Regulatory Authority of India regulates telephone operators and service providers and prescribes the security and infrastructure requirements that need to be fulfilled as a condition for their continued operation. Licensed telecom service providers have to comply with the ISO/IEC 15408, ISO 27000, 3GPP, and 3GPP2 security standards, among others. The certification for the same can only be issued by authorised agencies in India unless specifically approved by the Department of Telecommunication. Further, organisations must undertake regular audits and implement security management policies and practices. In order to operate, these service providers are also required to contractually impose their information security requirements on all vendors and suppliers that they work with.

• • Insurance Sector

The Insurance Regulatory and Development Authority (“IRDAI”) regulates the insurance sector in India. In 2017, it issued guidelines on information security and cybersecurity for insurers, to emphasise the need to maintain the confidentiality and integrity of data in a robust manner. In furtherance of this objective, the IRDAI requires insurers to appoint a chief information security officer, to form an information security committee, to put together a cyber crisis management plan, formulate information and cybersecurity assurance programmes, undertake adequate security safeguards to protect data, and implement adequate processes to identify and mitigate risks, etc.

4. Enforcement Trends Across Sectors

In recent years, the TDSAT has actively awarded damages to aggrieved individuals, for cybersecurity lapses within the telecommunications sector. In this regard, most cases have arisen within the financial services space, due to the negligence of financial institutions in implementing reasonable security standards and safeguards. Generally, the damages awarded have not exceeded the actual loss (together with interest). In the financial sector, the RBI has diligently imposed penalties of up to INR 1,00,00,000 on financial institutions, for their non-compliance with the RBI’s cybersecurity requirements. It is pertinent to note that the imposition of a penalty by the RBI on a banking company precludes the initiation of legal proceedings against the said company before courts of law. Of late, the CERT-In has also started to play an active role in the enforcement of breach notification obligations, and has called upon organisations that are affected by cybersecurity incidents to furnish information pertaining to the incidents in question. Additionally, the government has launched the National Cyber Crime Reporting Portal in 2020-21, that enables citizens to report cybercrimes online. This reporting is then followed up with an investigation by the appropriate law enforcement agencies.

5. Conclusion

The fragmented regulatory landscape of cybersecurity in India has resulted in much confusion, with cybercrimes being prosecuted under either ambiguous or archaic statutes. The often confusing tapestry of regulations results in ineffective implementation, and more often than not, entities are unable to derive normative guidance from these regulations due to their ambiguous nature. A comprehensive and instructive cybersecurity law, aided by specialist regulation on an as-needed basis, is crucial for the development of the cybersecurity regime in India. Otherwise, the courts, enforcement agencies, and regulators will continue to attempt to mould old regulations in unintended ways, and struggle to address many of the constantly evolving cybersecurity issues.

---

ABOUT THE AUTHORS: MATHEW CHACKO Mathew is the Head of the Technology, Media & Telecommunications practice group at Spice Route Legal, and is recognised as a leading Indian lawyer by several national and international directories. With close to two decades of experience, he advises on a variety of cross-border corporate and commercial transactions, including in relation to investments, fund-formation, technology laws, data privacy, intellectual property, commercial and regulatory compliance, tech law disputes, and risk mitigation strategy. AADYA MISRA Aadya is a senior associate with the firm’s Technology, Media and Telecommunications practice group, with a special focus on, and extensive experience in, handling data protection, cybersecurity and privacy mandates. Recognised as a Rising Star by The Legal500 in 2020, Aadya regularly works with domestic and international market leaders in industries, ranging from financial services, and blockchain, to telecommunications, consumer retail, and emerging technologies. SAMYUKTA RAMASWAMY Samyukta is an associate with the firm’s Data Protection, Privacy and Cybersecurity practice, within the broader TMT Practice Group, with a focus on cloud services and cybersecurity mandates. She assists clients with structuring their data protection practices, procedures and policies to demonstrate compliance with applicable laws, and advises them on a range of issues including international data transfers, data breach response and management, and risk mitigation.

---

[1]https://www.bloomberg.com/news/articles/2021-05-22/cyber-attack-on-air-india-led-to-data-leak-of-4-5-million-fliers [2]https://www.hindustantimes.com/india-news/dominos-pizza-data-breach-company-says-financial-information-safe-as-data-of-180-million-users-compromised-101621855567340.html [3] https://tech.hindustantimes.com/tech/news/india-saw-the-highest-number-of-ransomware-attacks-in-2021-report-71621331517413.html. [4] https://www.livemint.com/news/india/67-of-indian-organizations-paid-a-ransom-to-get-their-data-back-sophos-survey-11622526811992.html [5] Jagjit Singh v. The State of Punjab, Special Leave Petition Criminal No(s). 3583/2021.

FASTER ADOPTION AND MANUFACTURING OF (HYBRID &) ELECTRIC VEHICLES IN INDIA (FAME) – WHAT’S NEW

5th July 2021

INTRODUCTION

The turn of the decade marks the beginning of a new era for the Indian automotive industry. With increasing pressure from environmental lobbyists for the reduction of carbon emissions, and the push for adoption of electric vehicles (EVs) by Central and State Governments, the Indian automobile industry is all set for a dynamic shift from Internal Combustion Engines (ICE) to Battery Operated Vehicles (BOVs). According to an independent study conducted by the Council on Energy, Environment and Water (CEEW), India’s EV market could be worth USD 206 billion by 2030.¹ The Indian Government has taken various initiatives to ease the transition into the upcoming EV market. One such major initiative was the Faster Adoption and Manufacturing of (Hybrid &) Electric Vehicles in India (FAME) scheme. In this article we have highlighted some important initiatives taken under India’s FAME-I and FAME-II policies and its recent amendments by the Government for the promotion of the EV industry in India.

Data Protection, Privacy, and Cybersecurity: An Update

28th June 2021

May 2021

The past few months have seen the data, privacy, and cybersecurity space in India bustling with activity. While a final draft of the much-awaited data protection bill remains to be seen, there have nonetheless been significant developments initiated by various sectoral regulators.