Author Archives: novojuris

The vulnerability of Medical Devices and Medical Institutions in the age of IoT and Connected Networks

Medical devices have taken quantum leaps in terms of their functionality, intelligence and precision in the last decade or so. Improved design, better and cheaper production materials, and the inclusion of more sophisticated software have all contributed to this improvement and have made medical devices more adaptable and user-friendly. However, perhaps the most significant development that has greatly enhanced the capabilities of medical devices is the use of connected networks by these medical devices to accomplish machine-to-machine communication.

The modern age medical devices do not function in isolation anymore; they function as integrated medical devices, where the medical device, networks, software, operating systems, and other various technologies are integrated to serve the ever-changing needs of the healthcare industry. An unintended consequence of this interconnectivity is the increased susceptibility of the devices/networks to cyber-attacks as any weak point in the network may be exploited by cyber offenders, leaving all the devices in the network vulnerable.

This freely downloadable handbook identifies the problem of cyber vulnerability of the medical and healthcare industry and analyses regulatory approaches undertaken by United States of America (USA), European Union (EU) and India to lower the susceptibility to cyber-attacks. Further, the handbook assesses the impact of each regulatory framework implemented by the legal jurisdictions mentioned above.

Download Here: Vulnerability of Medical Devices and Medical Institutions_NovoJuris


Externalization: Flipping the holding company outside of India

We have seen a steady increase in the number of companies, especially tech and tech-enabled companies set up their entities outside of India. More often than not, the reasons are better valuations, ability to raise larger investments, large customer base etc. We are also seeing a few companies (so, cannot call it a trend) internalizing and flipping their holding company into India. Strangely, for the same reasons.

Here’s an exclusive interview with Mr. Shailesh Ghorpade, Managing Partner and CIO at Exfinity Venture Partners. Exfinity provides innovation capital and with established connects and ecosystem across India and US, Exfinity focuses on pioneering start-ups that are ready to scale across the global stage. It was nearly an hour-long candid discussion on all things startups, scaling-up, cross border, hiring, issues typically faced by founders while expanding etc. The lucid thinking during the conversation was delightful to witness.

picture Shailesh-Exfinity.jpg

Good morning and thanks Shailesh for taking the time to talk to us on your experiences of working with early-stage founders and their journey of expanding beyond India.

Sharda: You have seen BTB businesses very closely and I have heard you say before that many these entities should be outside of India. Why and what are those factors that a founder should think through before structuring themselves up outside India.

Shailesh: In India, we have given more attention to BTC where the markets, consumers, sellers are in India. However, you would have noticed that in many cases, these companies are not domiciled in India. There are many investors who like the “India story” but there is some anxiety on India domiciled companies. The comfort would be to have a stable tax regime, stable regulatory regime, certainty of repatriating the proceeds during an exit are some of those.

There is a perception that it is difficult to do business in India because of the unpredictable regulatory structure and since business models are evolving faster than regulations, investors are cagey of onerous regulations being promulgated and we do have a reputation for being an over-regulated economy whether we like it or not. That is one part of it. Take the other part of the BTB businesses themselves.

Enterprise businesses don’t get as much attention as they should, though they are working on cutting-edge IP, solving a real problem, capital efficient. There are Indian large corporates who need these products. Unlike a BTC, it is not “a winner takes it all approach”. BTC will need high capital infusion, if it is the distribution game that we see India being attractive for.

However, BTB business find it hard to sell and make money in the Indian market. Indian enterprises don’t value IP or software product as much as they should and they drum-down the prices drastically. It is not about how easy or difficult to sell, but it is about ROI and price points at which the products can be sold elsewhere, especially USA.

Sharda: If it is just about customers, then the startup could have subsidiaries set up in those jurisdictions. But investors do mandate companies to set their holding companies outside of India. You did speak about “not-so-easy-do-do-business-in-India”

Shailesh: There is a greater possibility of getting a Series B, with say more than USD10 million and above, in the USA. Let me explain.

In early stage, the investor is looking at product build, its scalability more than customer revenue. This is where Exfinity and other investors in India invest the early cheque. But these companies have to scale. The larger, deeper organizations which “pay” for these products are based in the USA. So do the Series B investors who can cut a larger cheque. These Series B investors would want to invest in companies domiciled in their country since they understand the compliances, entity structures better. They also have the comfort of the other regulatory issues that I mentioned including certainty of getting the proceeds at exit.

The exit options for BTB companies is primarily trade-sale / M &A for the products. These acquirers are also based in the USA. It is so imperative that the young companies be domiciled in USA.

Sharda: Legal is certainly an issue that the founders would face. Flipping the entity or structuring them outside of India is so nuanced. The easiest part is the entity set up in the USA but the regulatory compliances from the India side is complex and nuanced (In fact, we wrote about it). Apart from the legal aspects, what are the other top 2 issues that you would highlight?

Shailesh: Hiring and Sales. They are inter-related. Let me explain. We have top notch talent in India. Indian entrepreneurs many a time are defining technology. BTB sales is about selling the technology. However, a local sales person, who knows the terrain is highly helpful. Infact, I would recommend a local sales person who can do the same “speak”, perhaps local ethnicity could play a role too in closing the sale. You might be interested to know, that sometimes the conversations veer towards India, while the discussion should be towards the product and sales itself. Hiring local sales person helps in that case.

Indian subsidiary would continue to have the product development, customer support etc.

Sharda: If there is one point you would like to tell the Indian regulators what would that be?

Shailesh: “Keep things simple”

The Government is trying its bit with Startup Fund, reducing the cost of filing IP and the like. But issues such as Angel tax, numerous compliances under Companies Act and so many other legislations are bogging the startup down. I would ask, if the legislations can help the regulator as well as the startups by keeping things simple, therefore the companies can be compliant.

Ecommerce in India: The Saga Continues

India, for many centuries, has been known for trading, establishing the Silk-route, Spice-route. With tech advancement, e-commerce (ecom) has created a new world order, “Ecom route”. Ask any FMCG company, behemoth or small, on Amazon’s disruption on their sales. Ecom, in India also finds a prominent positioning in the politician’s election mandate. The rules of the game are changing and how!

It is estimated that India’s ecommerce industry is expected to jump threefold to $84 billion by 2021. Mobile phone adoption, cheaper mobile-data plans, internet penetration are some of the driving factors.

Regulations, specifically Foreign Direct Investment norms, created certain specific ways the business and entities are structured such as ‘market Place model’, ‘inventory based model’, direct online retail.

In this Guidance note for an entrepreneur to start her ecom business, we are discussing FDI barriers, top legislations applicable to ecom, the proposed policy changes. We had earlier written a brief overview about the ecom policy, which was released on 23 Feb 2019. You can read some excerpts here.

FDI barriers and regulations in entering the e-commerce sector

India has multiple restrictions and conditions on foreign investments (under the FDI Policy) into the e-commerce sector placed by the erstwhile Department of Industrial Policy and Promotion (DIPP) and now Department for Promotion of Industry and Internal Trade (DPIIT). These restrictions are applicable to all entities who receive any FDI.

Under the FDI Policy, ‘e-commerce’ encompasses not just products traded on digital and electronic networks but includes digital products and services, as well.

An ‘e-commerce entity’ is treated differently from other kinds of entities such as manufacturers, wholesale traders, single-brand retailers, etc. In a B2C market, an e-commerce entity is only allowed to engage in a marketplace model of e-commerce, where the e-commerce entity will only act as a facilitator between the buyer and seller and will have no control over the inventory of goods and services. If the e-commerce entity starts owning the products that are being sold on the platform, they are deemed to be an ‘Inventory’ based model of e-commerce which has been restricted in India in a B2C market, whereas inventory based model of e-commerce is allowed in a B2B market.

In case an e-commerce entity is operating an ‘online marketplace’ then it is subject to further restrictions under the FDI Policy (the new changes brought in by Press Note 2 of 2018) which are summarized as follows:

  • An entity having equity participation by e-commerce marketplace entity or its group companies, or having control of its inventory by e-commerce marketplace entity or its group companies, will not be permitted to sell its products on the platform run by such marketplace entity.
  • The inventory of a vendor will be deemed to be controlled by the e-commerce marketplace entity if more than 25% of purchases of such vendor are from the marketplace entity or its group companies, thus rendering the marketplace an inventory-based of e-commerce.
  • Market place entity can provide services such as logistics, warehousing, advertisement/marketing, payments, financing etc. could be provided by e-commerce marketplace entity or other entities in which e-commerce marketplace entity has direct or indirect equity participation or common control, to vendors on the platform at arm’s length and in a fair and non-discriminatory manner. Provision of services to any vendor, on such terms which are not made available to other vendors in similar circumstances, will be deemed unfair and discriminatory.
  • An e-commerce marketplace entity cannot mandate any seller to sell any product exclusively on its platform only.
  • Cash-back provided by group companies of marketplace entity to buyers shall be fair and non-discriminatory.
  • The entity must not directly or indirectly influence the sale prices of the goods and services and shall maintain level playing field.
  • The entity will be required to furnish a certificate along with a report of statutory auditor to the Reserve Bank of India, confirming compliances of the guidelines under Para of the FDI Policy, 2017, by September 30th of every year for the preceding financial year.

Another classification one should take care of is, whether the entity is dealing directly with final consumers (Business-to-Customer, B2C) or is simply dealing only with other business entities (Business-to-Business, B2B). The following table summarizes the different kinds of business entities having FDI that may take their businesses online and the major factors to be taken care of are:

Type of Entity Permitted Activities Can Keep Inventory? Permitted FDI/Route
E-commerce entity Marketplace Model (for goods and services:

B2C e-commerce)

No 100% Automatic
Manufacturer B2B and B2C e-commerce

(Selling its products manufactured in India, through wholesale and/or retail through e-commerce)

Yes 100% Automatic
Cash & Carry Wholesale Trader B2B e-commerce

(sells goods to retailers, industrial, commercial, institutional or other professional business users or to other wholesalers and related subordinated service providers)

Yes 100% Automatic
Single Brand Retail Trader B2C e-commerce (at least 30% Indian sourcing of products, and must be operating through at least one brick and mortar store) Yes 100% Automatic
Food Product Retail Trader B2C e-commerce (retail trading of food products manufactured and/or produced in India) Yes 100% Government Approval
Services (Subject to respective conditions and applicable laws) sale of services through e-commerce (Relevant Sectoral Cap) Automatic

Other laws and regulations to be considered while operating an e-commerce business

Irrespective of the fact that whether the entity doing the e-commerce business has FDI or not, these are the legal aspects of the business which are needed to be taken care of by any e-commerce business running entity.

Sl. No. Law / Regulation / Legal Aspect Relevance to e-commerce
1. Indian Contracts Act, 1872 read with Information Technology Act, 2000 Validity of contracts formed through electronic means. Rules as to communication and acceptance of proposals, revocation, and contract formation between customers, sellers, and the marketplace provider. Terms of Service, Privacy Policy and return policies of any online platform are to be laid out such that they are legally binding agreements.
2. Information Technology Act, 2000 (IT Act) and General Data Protection Regulations (GDPR).
  • Compliances under Information Technology (Reasonable security practices  and procedures and sensitive personal data or information) Rules, 2011
  • Intermediary Rules 2011 under the IT Act stipulates the regulations relating to the content displayed on the intermediary website especially pertaining to defamation and obscenity.
  • Under section 79 of the IT Act certain safe-harbours are available to e-commerce entities functioning as ‘Intermediaries’.
  • Regulations applicable to ‘Intermediaries’ relating to the content displayed on the portal, especially pertaining to defamation and obscenity.
  • If the end consumers happen to be an EU resident, GDPR compliance becomes mandatory.
  • Issues related to data protection standards and data security. If the end consumers happen to be EU residents, GDPR compliance may also ensue.
3. Intellectual Property Issues
  • The entity must secure all trademarks and copyrights intended to be used by it, one must also be mindful to not infringe the trademarks and copyrights of other businesses as well.
  • Selling of counterfeit goods and misuse of trademark rights by sellers listed on platform is a significant challenge, and must be dealt with by the platform operator to avoid prosecution.
  • In the age of such wide use of internet e-commerce entities shall be aware of various intellectual property infringements that may happen online such as cybersquatting, identity theft, copyright infringement, caching, derivative works, domain name protection and etc.
  • There are some added steps that the ecom entity has to take, as per the Draft Policy (read below)
4. Payment and Settlements Systems Act, 2007 and other RBI regulations on payment mechanisms Under the law “payment system” means a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. An e-commerce entity has to make sure if it qualifies as a payment system and shall comply accordingly.

As per the RBI notification DPSS.CO.PD.No.1102 /02.14.08/ 2009-10 dated 24 November 2009, it is mandatory for an intermediary which is receiving payments through electronic modes to have a Nodal Account in operation for settling the payments of the merchants on its online e-commerce platform.

Further depending on the envisaged arrangements for payments for the transactions on the portal, the entity must comply with the relevant rules relating to online payments made by the Reserve Bank of India (RBI).

5. Labelling and Packaging An e-commerce entity as per the products listed on its platform must conform to the labelling and packaging norms set by the regulations made under relevant laws and the rules therein such as:

  1. Legal Metrology Act, 2009;
  2. Food Safety and Standards Act, 2006;
  3. Drugs and Cosmetics Act, 1940, etc.
6. Legal Metrology Act, 2009 read with Legal Metrology (Packaged Commodity) Rules, 2011 The web-platform must display requisite information about the goods displayed on sale, such as, units, dimensions, weight, etc. on product page itself.
7. Sales, Shipping, Refunds and Returns The entity must have in place an adequate policy dealing with sales and shipping of the products, the default provisions relating to the legal incidence of transfer of property in goods, and other aspects of sales such as warranties and conditions, etc. are covered under the Sale of Goods Act, 1930.

The entity must also have in place, in clear words, a returns and refunds policy to be adhered by the sellers and buyers.

8. Consumer Protection/ Dispute Resolution As a provider of goods or services under the Consumer Protection Act, 1986, the entity must have in place adequate policies to address consumer complaints. Moreover, it is advisable for the e-commerce platforms to have mediation and arbitration mechanisms in place as well.
9. Competition Issues Fixation of prices by arrangements between sellers listed on the platform and the entity, exclusive sales agreements, and other practices under the scope of Sections 3 and 4 of the Competition Act, 2002 can be brought under the scrutiny of the Competition Commission of India. The entity must be mindful of these factors while entering into any arrangements which may leverage its existing dominance in the market, or work towards the creation of foreclosure or entry barriers in the relevant market.
10. GST Applicability Irrespective of whether the annual turnover of the entity is lower than the prescribed threshold, e-commerce operators are not eligible for composition levy scheme under the GST laws of India. Moreover, it is mandatory for all e-commerce operators and sellers/distributors/suppliers who sell through e-commerce to get GST registration in all States where they purport to sell their goods/services.
11. Other Local laws and Sector Specific Laws The premises from which the business is run, and the manufacturing, warehousing, and other aspects of the business will be continued to governed by sector specific laws and local laws as applicable. Due adherence to such laws must also be ensured.

Here’s an old post that we had written on licenses and registrations for warehouses.

The future of e-commerce in India

Keeping ‘data’ central to the idea of governing the e-Commerce industry in India the DPIIT on February 23, 2019 published the ‘Draft e-Commerce Policy’ (“Draft Policy”).

The Draft Policy focuses on data protection, the State’s paternalistic attitude towards the use of the citizen’s data and cross border transactions. The Draft Policy intends to regulate some things beyond e-commerce i.e. it proposes to regulate technologies like AI, IoT, Cloud computing and Cloud-as-a-Service etc. On a holistic level it is understood that these technologies empower e-commerce industry currently and are integral to its growth and therefore the Government intends to bring these technologies under the purview of the Draft Policy. The Draft Policy is a mix of visionary thought process, advanced technological solutions, putting in place digital infrastructure to support India’s digital economy.

Following is a summary of some of the significant features of the Draft Policy.

Changes in Customs regulations and export promotion through e-commerce

The Draft Policy proposes a customs electronic data interchange (EDI) platform, aggregating various government department concerned with import and export of goods in India, such as the Indian Post Department, DGFT, RBI, and other departments for facilitation of online customs clearance through the EDI platform. In addition, provision will be made to source Export Data Processing and Monitoring System (EDPMS) data from RBI for confirmation of payments, instead of Bank Realization Certificate.

KYC will be mandatory for all the shipping companies and individual sailors. The KYC will be mandated to identify exporters and importers and track suspicious activities. The Draft Policy also intends to include e-commerce in the National Integrated Logistics Plan with focus on faster delivery with emphasis on lower costs.

To promote exports through e-commerce the Draft Policy has suggested to include e-commerce sector in the proposed National Integrated Logistics Policy, where it will increase the existing regulation exemption of INR 25,000 for consignments through courier mode, it will simplify the requirement of documentation for exports, the EDI will be put in place at the earliest, transaction costs for MSMEs and start-ups shall be reduced who are undertaking any exports, the Government will set up Air Freight Stations (AFS) in all the leading airports across India so as to facilitate cargo processing at the airports and simultaneously the Government will try to negotiate lower costs of exports with international freight carriers through Indian Post department.

The Government intends to continue charging custom tariffs on any digital goods being traded electronically (imposing custom duties on electronic transmissions). Whereas the Government is strict on its stance of not accepting the permanent moratorium on custom tariffs for goods (including digital goods) traded electronically as proposed by the WTO. 

Sale of Counterfeit and prohibited goods

A major emphasis has been given on curbing sales of counterfeit products through e-commerce in India. The Draft Policy emphasises on no trade mark infringement and that customers at large shall not be deceived by using deceptively similar trademarks. In case an e-Commerce entity receives a complaint about a counterfeit/fake product then the entity shall convey such misuse of the trademark within 12 hours from receiving the complaint to the trade mark owner. Whereas in case any prohibited goods/products have been sold on any e-commerce platform the entity operating such e-Commerce platform shall delist such products within 24 hours from receiving such complaint. This is pretty onerous and while the ecom entity is supposedly an intermediary, there are many obligations imposed on it. We had earlier written about intermediary liabilities which you can read here.

Further, all the e-commerce platforms/websites will have to display a list of all the prohibited products in India. In case a prohibited product is found to be sold on the platform or is found to be listed on the e-commerce platform the same has to be removed immediately and the seller listing such prohibited products shall be blacklisted and shall not be allowed to sell other products on the e-commerce platform. In some sense, the ecom entity should do some heavy policing.

Consumer Protection: The Draft Policy suggests a number of measures:

  • All e-Commerce sites/apps available to Indian consumers shall display prices in INR and must have MRPs on all packaged products, physical products and invoices generated.
  • Details of sellers shall be available for all the products sold online. Sellers shall provide undertaking regarding the genuineness of any product sold online.
  • In case of a counterfeit product is sold to a consumer, the primary onus to resolve such an issue will be of the seller, but the intermediaries shall return the money paid to them by the customer and the marketplace shall seize to host such products on their platforms.
  • The intermediaries shall curtail piracy on their platforms.
  • Further to curb piracy a body of industry stakeholders will be created that shall identify ‘rogue websites’. These rogue websites will be added to ‘Infringing Website List’ (IWL). IWL will enable the ISPs to remove or disable these websites. It will also enable payment gateways to curtail the flow of payments to or from such rogue websites. Search engines will be able to efficiently remove such rogue websites identified in the IWL.

Mandatory Registrations in India

As per the Draft Policy, all the e-commerce entities including intermediaries and developers of mobile application which are available for download in India shall mandatorily be registered as importer on record or as a local entity through which the commerce is facilitated in India and also provisions regarding the appointment of a local representative has been introduced.

Provisions regarding the import of gifts

In the view of misuse of ‘gifting’ route, where foreign merchants use to sell cheap products to Indian customers as gifts to circumvent the customs and import duties, as an interim measure, all such parcels shall be banned, with exception of life-saving drugs.

Ease Of Regulation

Given the interdisciplinary nature of e-commerce, it is important for the Government to tackle various regulatory challenges. The Draft Policy suggests formulating a Standing Group of Secretaries on e-Commerce (SGoS), which shall be an important body for tackling various legal issues emerging from various statutes such and Information Technology Act, 2000 and rules thereunder, the Competition Act, 2002 and the Consumer Protection Act, 1986.

Additionally, the Draft Policy states that “All e-Commerce websites and application available for downloading in India must have a registered business entity in India as the importer on record or the entity through which all sales in India are transacted”.

The Government intends to establish technology wings in each Government department.

Data Infrastructure development

The Draft Policy takes forward the digital India initiative and intends put in place secure and digital infrastructure and encourage the development of data –storage facilities/ infrastructure including data centres, server farms, towers, tower stations, equipment, optical wires, signal transceivers, antenna etc.

The Government will add the above mentioned infrastructure facilities in the ‘Harmonized Master List’. This will enable regulation of the listed infrastructure in a more streamlined manner. Whereas the infrastructure will be put in place by various implementing agencies, while financing agencies may identify these as infrastructure that they may intend to support.

This will facilitate achieving last mile connectivity across urban and rural India. The Government by developing such data/digital infrastructure wishes to support India’s fast-growing digital economy and create employment.

Data and cross-border transfer of data

The Draft Policy recognises the rights of an individual over its data by stating that “An Individual owns the right to his data” and therefore the use of an individual’s personal data shall be made only upon seeking his/her express consent. It further states that the data of a group is a collective data and therefore a collective property of that particular group; it extends this rationale to state that “Thus, the data that is generated in India belongs to Indians, as do the derivatives there from”. But the Draft Policy ends up categorising data of Indians as a collective resource and therefore a “national resource”.

The Draft Policy states that “All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent”, what follows this point in the Draft Policy, restricts sharing of data with any third party in a foreign country even if the individual has consented to such sharing of the data except where in the following cases:

  • When data which us being shared has not been collected in India.
  • Where sharing of data has happened as per a commercial contract between the business entities.
  • Software and cloud computing services involving technology-related data flows, which have no personal or community implications; and
  • MNCs moving data across borders, which is largely internal to the company and its ecosystem, and does not contain data that has been generated by users in India from various sources, including e-commerce platforms, social media activities, search engines etc.

The intent behind such restriction is that currently India lacks stringent laws regarding cross-border flow of data. If there are no strict restrictions on cross-border flow of data Indian stakeholders will merely be engaged in back end processing of data for the EU / US based ecommerce entities without having the ability to create any high-value digital products.

To leave some thoughts with you

Ecom is an industry and is growing rapidly. The Government is bringing in so many regulatory changes to harness the potential of the e-commerce industry and make India one of the key markets for the e-commerce stakeholders across the world. Government also intends to boost the local and home-grown e-Commerce business entities and wants to provide a level playing field for MSMEs. We are seeing a growing tension between these two ideologies – FDI in ecom and local capital in ecom.

Further the changes that have been brought to the Legal Metrology Act, 2009, Food Safety and Standards Act, 2006, Drugs and Cosmetics Act, 1940 and the regulatory changes proposed in the Draft Policy in regards to consumer protection such curbing sale of counterfeit products, mandatory local registration etc. are clear indication that in the age of e-commerce purchasing goods and services is no more the same and therefore new and modern laws are required to address consumer protection.

It will be interesting to witness the implementation of these proposed regulations and whether at all it will help in accelerating the ecom growth in India.

Territorial Applicability of GDPR

In July, 2018 and then subsequently on 24th October, 2018 the Information Commissioner’s Office, United Kingdom (“ICO”) took its first General Data Protection Regulation (“GDPR”) enforcement action against a data controller located outside the European Union (EU) against Aggregate IQ Data Services Ltd. (“AIQ”) located in Canada.

The above incident is the first example of extraterritorial applicability of GDPR, where a data controller was located in Canada but the data processing activities were targeted towards the data subjects present in EU. AIQ was monitoring the behaviour of each data subject for the purposes of targeting individuals with political advertising messages on social media and therefore the provisions of GDPR were held to be applicable. Non-European Internet-based service providers across the globe have been concerned about the applicability of GDPR.

The European Data Protection Board (“Board”) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.

The Board in November, 2018 issued draft guidelines (“Guidelines”) on the territorial scope of the GDPR under Article 3. Whereas the Guidelines were released for the purpose of public consultation, nonetheless the Guidelines do provide explanations on important concepts introduced under Article 3 of the GDPR which defines the territorial scope for direct application of the GDPR.

  1. Application of the ‘Establishment’ criteria under Article 3(1)

The Guidelines specify that Article 3(1) ensures that GDPR is applicable to controllers and processors individually if any one of them or both of them have an establishment in EU, and the processing of the personal data of a data subject is in the context of the activities of such establishment, regardless of the actual place of the data processing. In order to determine the applicability of Article 3 the Board recommends few norms detailed below.

‘Establishment’ in EU

It is provided that the notion of ‘establishment’ is broad and does not necessarily imply a legal personality such as a branch or subsidiary; rather it simply implies effective and real exercise of activities through stable arrangements in EU. This interpretation is in line with the interpretation of the Court of Justice of the European Union (“CJEU”) in several of its rulings.[1]

Further, it is also provided that both these factors, i.e. (i) effective and real exercise of activities and (ii) stability of arrangements should be considered in the light of the nature of economic activities and provision of the services concerned. This means that a single employee’s or agent’s presence in EU, with sufficient degree of stability maybe sufficient to consider it as an ‘establishment’. However, the accessibility of a website in EU of a non-European entity would not be sufficient to conclude that such an entity has an establishment in the European Union.

Processing of data ‘in the context of the activities of’ the establishment

The Guidelines provide that if the controller or the processor is outside EU but there exists a local establishment in EU and if the processing of the data is in the context of the activities of an establishment then the GDPR would be applicable. The Guidelines state that the activities of the local establishment in EU should be ‘inextricably linked’ to the data processing activities of the non-EU controller or non-EU processor, regardless of whether the local establishment in EU plays any role in the actual processing of the data. The Board recommends that non-EU organisations should undertake an assessment of their processing activities in the following manner:

  1. First, by determining whether personal data is being processed
  2. Secondly by identifying potential links between the activity for which the data is being processed and the activities undertaken by the organisation having any presence in EU.

Example: A website based in X country, having a local establishment dealing with marketing campaigns towards EU markets. Since the activity of the local establishment is inextricably linked to the processing of the personal data carried out by the website, Article 3(1) is applicable where the controller or the processor is present in EU.

Application of the GDPR to the establishment of a controller/processor in the Union, regardless of whether the processing takes place in the Union.

As per Article 3(1), the processing of personal data in the context of the activities of an establishment of a controller or a processor in EU triggers the application of GDPR and the related obligations for the data controller or processor concerned.

Application of the establishment criteria to controller and processor

The establishment of a controller and that of a processor must be considered separate as there are distinct obligations for controllers and for processor listed under the GDPR. The existence of a relationship between a controller and a processor does not necessarily trigger application of GDPR to both, if only one of the entities is established in EU. The two scenarios detailed below should explain the position.

  • Where processor is located outside EU and not subject to the GDPR, but the controller is present in EU: It is provided that the controller should comply with Article 28 (3) of the GDPR and ensure that the GDPR obligations are extended to the processor by the means of a contract.
  • Where the processor is present in EU and the Controller is not: Assuming that the controller is not processing data in the context of its establishment in EU, the processor alone is subject to GDPR obligations. Therefore, unless other factors are present Article 3(1) will not apply to the controller but would apply to the processor.

Further, the Guidelines provide that the EU territory cannot be used as a ‘data haven’ and the legal obligations beyond the EU data protection law, including rules with regard to public order will have to be respected by the data processor established in EU, regardless of the location of the data controllers.

  1. Application of the Targeting criterion under Article 3(2)

Article 3(2) sets out the circumstances in which the GDPR applies to a controller or processor not established in EU, depending on their processing activities.

This criterion becomes applicable in absence of an establishment of the entity in EU, if the activities of a controller or processor of the entity are related to processing of personal data of the data subjects who are present in EU. The applicability of GDPR is triggered when the processing activity is related to (i) offering goods or services to the subject or (ii) monitoring the behaviour of the subject for profiling, etc.

In order to assess the applicability the criterion, the Board recommends a two-fold approach under the Guidelines.

Data subjects in EU

It is provided that protection under Article 3(2) extends to every natural person present in EU, irrespective of their nationality or place of residence.

The requirement of the location of natural persons in EU, must be assessed when the processing activity takes place, i.e. when the offer is made or when the monitoring in undertaken as per Article 3(2) of GDPR.

It is also provided that the element of ‘targeting’ the data subjects in EU either by offering goods or services or by monitoring them is crucial and should be present for applicability GDPR under  Article 3(2). Which effectively means that, if a tourist travelling through EU makes use of an online mapping service which is available in her country and not marketed in EU and is collecting certain personal data, this act of data processing will not fall under the ambit of Article 3(2) as the services are not primarily offered to people who are using the mobile application in EU.

  1. ‘Offering goods or services’

It is provided that the trigger activity, of offering goods or services to a data subject applies irrespective of whether a payment is required to be made by the data subject for that particular good or service. Further, there should be an ‘intention’ to offer goods or services to the data subjects who are in EU. The factors that can be considered in ascertaining the intention to offer goods or service can be the language used on the website, the currency available to use while ordering from the websites, apparent mention of the offer, etc.

  1. Monitoring of data subjects behaviour

The second activity identified under Article 3(2) is monitoring of behaviour of the subject for profiling, etc. For Article 3(2) (b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in EU and, as a cumulative criterion, the monitored behaviour must take place within the territory of EU.

The Guidelines state that even though recital 24 relates to monitoring of behaviour through the tracking of a person on the internet, the Board considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices.

The Board clearly mentions that ‘monitoring’ implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The Board opined that any online collection or analysis of personal data of individuals in the EU would not necessarily be considered as “monitoring” and that it would be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.

  1. Processing in a place where the law of the Member state applies, by the virtue of public international law – Article 3(3)

This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.”

The Guidelines provide the following example to illustrate the applicability of Article 3(3). The Dutch consulate in Kingston, Jamaica, opens an online application process for the recruitment of local staff in order to support its administration. While the Dutch consulate in Kingston, Jamaica, is not established in the Union, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law renders the GDPR applicable to its processing of personal data, as per Article 3(3).

Designation of Representatives in EU

Article 27 provides that whenever a controller or processor becomes subject to GDPR as per Article 3(2), it has to designate a representative in EU. The Guidelines provide guidance with respect to the designation, establishment and obligations of the representative, as mentioned below.

  • Designation of the Representative

It is provided that there should be a written mandate to the representative of the controller or processor of the GDPR obligations. A representative can be legal or a natural person, who can be appointed as a representative on the basis of a contractual relationship. One person can act as a representative for multiple entities. In case of a company or any organisation – one person is to be assigned as the lead person in charge of an entity. However, the designated representative cannot be deemed to be the external data protection officer (DPO) nor does such designation qualify as an ‘establishment’ under the ambit of Article 3(1)

  • Location of the Representative

It is provided that the criterion of establishment of the representative is the location of the data subjects whose personal data is being processed and the place of processing is not relevant. It is also provided that if significant portion of the data processed is from one member state, then the establishment of representative should be in that state, as a matter of good practice.

  • Obligations of the Representative

The obligations of the controller or the processor are distinct from the obligation of the representative. The representative acts on behalf of the controller or processor. The representative shall maintain a record of the processing activities on behalf of the controller or processor. Maintenance of such record is a joint obligation, as the controller or processor should provide accurate and updated information. The representative should perform its tasks in accordance to the mandate of the controller or processor, including cooperation with the competent supervisory authorities with regards to ensuring compliance with the GDPR.

Author: Manas Ingle, Associate at NovoJuris Legal


[1] Google Inc. v AEPD, Mario Costeja González (C-131/12), Weltimmo v NAIH (C- 230/14), Verein für Konsumenteninformation v Amazon EU (C-191/15) and Wirtschaftsakademie Schleswig- Holstein (C-210/16)

National Policy on Software Products, 2019

The Ministry of Electronics and Information Technology released the National Policy on Software Products, 2019 (“the Policy”) aimed at stimulating the software products ecosystem in India. The Policy acknowledges that the Indian IT/ITeS industry is primarily service oriented. The Policy cites NASSCOM’s Strategic Review, 2017 which claimed that the global software products industry was valued at 413 billion USD, while the Indian software products industry’s contribution stood at just 7.1 billion USD.  The Policy aims to develop India as a global software product hub which is driven by innovation. The Policy aims to help start-ups related to software products in conducting their business in India while dealing with regulations and compliances in a hassle-free manner. MeitY had introduced the draft of the Policy back in 2016, which was commended by the industry bigwigs. The salient features of the Policy are summarised below.

The Policy defines a software product as “a programme used or produced by a computer or network which can be stored or transmitted through an electronic medium and offers some form of utility. In addition, such a product can be protected in India through permissible Intellectual Property Right laws and can be commercialized for use through licensing”. In order to determine which companies would be able to avail the benefits under the Policy, an Indian Software Product Company (“ISPC”) is defined as “an Indian company in which 51% or more share-holding is with Indian citizen or person of Indian origin and is engaged in the development, commercialisation, licensing and sale /service of Software products and has IP rights over the Software product(s).

Some key missions of the Policy include:

(a) Achieving a ten-fold increase in India’s contribution towards the global software product industry by 2025.

(b) Nurturing 10,000 tech startups including 1000 such startups in lower tier cities and towns leading to employment of 3.5 million people by 2025.

(c) “Upskilling” a million IT professionals, motivating 100,000 students and producing 10,000 leaders for the Indian industry.

(d) Developing 20 strategically located clusters to support software product companies with ICT infrastructure, R&D and mentorship.

For achieving the goals envisaged in the Policy a National Software Product Mission (“NSPM”) would be established under the aegis of MeitY. The NSPM would be responsible for designing strategies for the development of the industry, monitoring of the special funds created under the Policy and facilitating Government agencies in the promotion of Software Products.

Ecosystem Development

The Policy envisages the creation of an Indian software product registry to provide a trusted trade environment and conception of an environment that allows software product companies to participate in the capital market. A single window platform would be established to allow the industry to deal with regulatory issues pertaining to imports/exports and incorporation/dissolution of ISPCs. ISPCs would also be able to set off any taxes payable with respect to R&D. For the classification of software products in a logical fashion, a model Harmonised System Code would be created.

Promotion of Entrepreneurship, innovation and Employment

A “fund of funds” called Software Product Development Fund (“SPDF”) with a corpus of Rs. 1,000 crore would be created for participation in venture fund to promote the scaling up of market ready products, with the ultimate goal of having at least 100 ISPCs with a valuation of Rs 500 crore or employing more than 200 employees. An incubation program would be initiated to provide startups with adequate mentoring, seed fund, R&D and testing facilities and marketing support. Rs. 500 crore would be set aside by the Government to support innovation and research in institutes of higher learning, with the objective to support industry-academia research. 20 dedicated challenge grants would be initiated to encourage the industry to tackle issues related to pressing societal needs such as sanitation and healthcare. A centre of excellence would be set up to specifically promote design and development of software products. The Policy envisions the creation of an “upgradable” infrastructure to help software product startups to identify and tackle cyber vulnerabilities.

Human Resource Development

Considering the pace with which technology is changing, the Policy wishes to enable Indian students and professionals to have future-ready skills. The Policy acknowledges that the existing course curriculum needs to be revised. Further, short term skill development programs and national level competency tests would be developed.

Promotion of Trade

The software product registry (discussed earlier) would be integrated with Government e-market[i]. The Policy states that the industry would be encouraged to create and use open APIs for improving interoperability of Indian software products and enable incremental innovation. Indian software products would be given preference vis-à-vis Government procurement in accordance with the Public Procurement (Preference to Make in India) Order, 2017. Indian software products would be showcased abroad through various events and specialised infrastructure to be set up in India and abroad. Further, Indian software products would be integrated in India’s foreign aid programs. The industry would be encouraged to develop products which would help people overcome language barriers, so that all sections of the Indian populace are included in this digital boom.



  2. National Policy on Software Products (2019)-


Regulatory Update: MCA amends Incorporation Rules in relation to Shifting of Registered Office and Incorporation fee for companies

As part of Government’s efforts to make India a startup hub and continuous efforts of ease of doing business in India, the Ministry of Corporate Affairs (the MCA) has issued notification dated 6 March 2019. With this notification following changes will come into effect:

Sl No Category Before Amendment After Amendment Effect of this amendment
1. Shifting of Registered Office from One State to Another The Companies desirous to shift their Registered office from one state to another state shall advertise the notice of shifting the registered office in a vernacular newspaper in the principal vernacular language in the district and in the English language in an English newspaper with the widest circulation in the State in which the registered office of the company is situated.





The Companies desirous to shift their Registered office from one state to another state can advertise the notice of shifting the registered office in a vernacular newspaper in the principal vernacular language in the district and in the English language in an English newspaper with the wide circulation in the State in which the registered office of the company is situated.



This will remove the confusion among the stakeholders with respect to publication of notice in the newspaper and they can choose the newspapers with minimum circulation as well.


Prior to amendment if any Company choose to publish in 2nd widest circulation newspaper, then the application would be rejected and this entails to start shifting process a fresh and this would take additional 3-5 months to complete.


With this relaxation, companies can choose among various newspapers which has wide circulation.

2. Fee on Incorporation of a Company The companies incorporated with a nominal capital of less than or equal to rupees ten lakhs, fee on INC-32 (SPICe) shall not be applicable. The companies incorporated with a nominal capital of less than or equal to rupees fifteen lakhs, fee on INC-32 (SPICe) shall not be applicable with effect from 18 March 2019. Earlier the Companies with initial authorised capital up to INR 10 lakh was exempted from any MCA fee on Incorporation and only stamp duty was applicable.


Now the exemption limit has been increased to INR 15 lakh. Therefore, Companies to be incorporated with nominal capital up to 15 lakh is exempted from MCA fee and stamp duty shall continue to be applicable.



Ministry of Health and Family Welfare- Draft Amendment Rules to amend the Drugs and Cosmetics Rules, 1945.

The Ministry of Health and Family Welfare vide its notification dated 26th February 2019 has introduced the draft amendment rules to amend the Drugs and Cosmetics Rules 1945 inviting suggestions/comments from the public. The changes proposed are summarised below.

An additional condition has been imposed on certain applicants who wish to obtain licences under the Drugs and Cosmetics Rules, 1945. The applicants shall be required to furnish an undertaking stating that no similar brand names or trade names exist in the market which will lead to any deception or cause confusion in the market. This condition has to be satisfied by the applicants for obtaining the following licences:

  1. a loan licence[i] or renewal of a loan licence from the authority in Form 25, or a licence/ renewal of the licence for the manufacture of drugs included in Schedule X in Form 25-F.
  2. a licence for repacking of drugs, the drugs other than those specified in Schedule C and C(1), or renewal of the licence in Form 25-B.
  3. a loan licence for the manufacture of drugs for sale or for distribution of drugs other than the drugs specified in Schedule C, C(1), and X in Form 25A.
  4. a licence (in Form 28, 28-B or 28-D) to manufacture (or renewal thereof) for drugs specified in Schedules C and C(1), [excluding those specified in Part XB and Schedule X].
  5. a loan licence/ renewal licence (in Form 28A or 28DA) to manufacture for sale or for distribution drugs specified in Schedule C and C1 excluding drugs specified in Schedule X or of Large Volume Parenterals, Sera and Vaccine and recombinant DNA (r-DNA) derived drugs.


  1. Explanation to Section 69 (A) (1) of the Drugs and Cosmetics Act, 1940- loan licence means a licence which the Licensing Authority may issue to an applicant who does not have his own arrangements for manufacture but who intends to avail himself of the manufacturing facilities owned by a licensee in Form 25.
  2. Draft Rules –