



Peer to Peer (“P2P”) lending platforms (the “Platforms”) aim to provide individuals and entities with an alternative source for fulfilling their capital requirements. Whether it is for obtaining capital to run a business, financing to complete a personal project, or to obtain a loan for any other purpose, these Platforms allow borrowers and lenders to meet and transact on mutually acceptable terms. The Platform itself typically assists the process by listing lenders and their terms and conditions, verifying the identity and initial creditworthiness of the borrowers, disbursing the loans/tranches, collecting loan repayments etc. For these services, both the borrowers and lenders pay the Platform a commission.

Most Platforms follow a ‘reverse auction model’, where the lenders bid with their own terms and conditions for a borrower’s loan proposal, and the borrower has the freedom to choose between the various bids. This gives borrowers who would typically struggle to get loans from banks/NBFCs a variety of options. Further, the other advantage of the Platforms is that borrowers can now stay away from money lenders/the unorganized sector, as the Platform verifies all lenders and provides a streamlined and regulated process for obtaining loans. Finally, in most cases, the interest rates on loans obtained on the Platforms are also lower than what individual money lenders would usually charge.

Since the popularity of P2P Platforms in India has grown in the recent past, they remained unregulated till recently. However, with the growth of the fintech industry and the multiple use cases/benefits of these Platforms, the RBI released a consultation paper on regulating P2P Platforms in 2016. On receipt of feedback and comments from the public and all stakeholders, the RBI recently released its Master Direction – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (the “Directions”) – to officially regulate and monitor P2P Platforms. Thus, it is pertinent to understand and analyse the regulations laid down by the Directions:


The Directions provide that only corporate entities registered as a ‘company’ can operate and engage in the business of P2P lending. Companies operating existing Platforms will have to obtain a Certificate of Registration (“CoR”) from the RBI within a period of 3 months from the date of publication of the Directions. Additionally, the Directions provide for minimum capitalisation requirements, which need to be met before obtaining registration. This requirement is INR 2,00,00,000 (Rupees Two crore only), which is in line with the requirement for all NBFCs in accordance with Section 45-IA of the Reserve Bank of India Act, 1934.

The Directions also provide the criteria on which registration will be determined. This includes ensuring that the Platform has the necessary technological and managerial resources, a robust IT system, fit and proper directors, a viable business plan etc. On being satisfied with an application, the RBI will first give an in-principle approval for setting up and operating a prospective NBFC-P2P platform. Within 12 months from the in-principle approval, the company must develop its technology platform to the RBI’s satisfaction, and also submit all other legal documentation as may be requested.

For a platform acting as a mere marketplace for the meeting of lenders and borrowers (one that does not provide any of the additional services described above), the capitalisation requirements contained in the Directions seem a little harsh. Additionally, the requirement may prevent start-ups from entering this space entirely, which will adversely affect innovation in this space. We recommend that the threshold should be revised downwards and can be made incremental with each year of an entity’s operations, to ensure that only companies that are growing continue to retain their license/registration.

Permitted Activities

As per the Directions, the Platforms can perform the following activities/services:

  1. Mere Aggregator

The Platform can act as a mere aggregator, intermediary or marketplace to facilitate the meeting of lenders and borrowers. While Platforms can participate in the lending/borrowing process in certain ways (described below), they cannot raise deposits in any capacity.

  2. Principal, Return and Guarantees

The Platform cannot guarantee the return of a loan to any lender or provide guarantees of no loss. This will ensure that all lenders signing up on the Platform do so at their own risk, and will hopefully bring about transparency by reducing instances of false advertisement/lending in the name of the Platform.

  3. Nature of the Loan

The Platform can allow lenders to offer only unsecured loans. This was the original idea behind P2P Platforms, and it allows customers with little/no security to avail of loans as well.

  4. Associated Businesses

The Platform shall not cross-sell any product except for loan specific insurance products.

  5. Financial don’ts for the Platform
  • The Platform cannot hold, on its own balance sheet, funds received from lenders for lending, or funds received from borrowers for servicing loans. This ensures that no money from any of the transactions on the Platform can be compromised by the Platform provider’s own financial standing as an entity;
  • The Platform cannot permit the international flow of funds. With this restriction, foreign lenders and/or borrowers have been excluded from participating directly on the Platforms in India, unless they hold a bank account within India.
  6. Duties of the Platform
  • The Platforms are required to conduct due diligence on all participants in the Platform. This includes a credit risk assessment and risk profiling of all borrowers registering on the Platform. This information is also required to be disclosed to the lenders, and it helps in creating a transparent environment on the Platform;
  • Platforms can render services for recovery of loans originated on the Platform;
  • Platforms can undertake the documentation of loan agreements; and
  • Platforms can provide assistance in disbursement and repayments of loans.

Prudential Requirements

  1. Permissible Thresholds of Lending and Borrowing

No registered lender or borrower can lend or borrow more than INR 10,00,000/- (Rupees Ten Lakhs only) across all registered and authorised P2P Platforms. Further, no single lender can lend more than INR 50,000/- (Rupees Fifty Thousand only) to any single borrower across all Platforms. While these thresholds may seem conservative at first, considering the nascent stage of the P2P lending industry we believe that these limits are appropriate. The Platforms were anyway meant to facilitate small, unsecured loans from individual lenders, and if demand rises the limits can be revised in the future.

  2. Maturity Period: No loan provided via a Platform can have a maturity period of more than 36 (thirty-six) months. This seems apt, given the loan value is also capped at a number that is not very high.

Operational Guidelines

The Platform is required to have and implement a policy approved by the Board of Directors of the Company (the “Board”) regarding the eligibility criteria for participants, pricing of their services, detailed rules for matching lenders with borrowers in an equitable and non-discriminatory manner, and other matters concerning the operation of the Platform. Additionally, any and all liabilities regarding the collection, storage and protection of personal data by the Platform will have to be borne by the Platform itself, even if any of these functions are outsourced to third-party service providers.

The Platforms are also required to maintain 2 escrow accounts for the transfer of funds – one for funds from lenders and the other one for funds collected from borrowers. Cash transactions are prohibited, which will help in accounting for all money being transacted via a particular Platform.

Enhanced Transparency and Disclosure Requirements

Previously, the scant availability of information regarding a borrower’s credit history and defaults made the sheltering of defaulters easy. The Directions are aimed at rectifying this situation. They seek to introduce transparency and information symmetry between the borrowers and lenders, while simultaneously protecting the privacy of the data belonging to both parties.

  1. Disclosure to the Lenders:

Prior to accepting any loan arrangement on a Platform, the lenders should be made aware of the personal identity of the borrower, the loan amount, the credit score determined by the Platform and other details regarding the borrower. This ensures that the lenders can make an informed decision regarding engaging with any borrower.

  2. Disclosure to the Borrower:

Borrowers are made aware of fewer details than the lender – they are informed about the lender’s proposal, repayment terms and interest rate, but are not informed of the lender’s personal identity, contact information and other personal information. This seems logical, as the borrower’s decision regarding the lender’s proposal should be based purely on the commercial terms offered, and not on the details of the particular lender.

  3. Public Disclosures:

The Platform is required to publish on its website the overview of the credit assessment methodology and factors considered; data protection and privacy measures; dispute settlement mechanism; portfolio performance including a share of non-performing assets monthly and segregation by age; and its broad business model. This is intended to give any individual/entity looking to register on the Platform the opportunity to make an informed decision.

Data Security and IT Framework

Considering the volume of personal data collected, stored and analysed on the Platform, ensuring a robust IT and data security framework is one of the foremost necessities. In light of this, the Directions lay down some robust standards:

  1. All Platforms are required to have “adequate safeguards” in their IT systems to protect against unauthorized access, destruction, modification, utilization etc. of the data. While the Directions do not lay down any specific minimum standard for maintaining these safeguards, since the Platforms deal with personal data it can be assumed that they fall within the stipulations of the IT Reasonable Security Practice Rules, 2011;
  2. All Platforms are required to have a Board approved Business Continuity Plan in place for safekeeping of information and documents and servicing of loans for full tenure in case of closure of the Platform;
  3. The Platform has to carry out a yearly information system audit, as well as adhere to all requirements under the Master Direction on Information Technology Framework for the NBFC Sector, June 8, 2017.


With India marching towards the aim of being a paperless, cashless and consent-secured data sharing economy, these Directions are expected to open up new avenues for obtaining capital for individuals and small businesses, while simultaneously maintaining transparency and accountability in the process. Perhaps the only clause missing from the Directions is one on penalties, describing the repercussions if a Platform fails to adhere to any of the given guidelines. Yet overall, the Directions seem to be apt for P2P Platforms and well thought through, especially considering that the industry around such Platforms is still nascent in India. As these Platforms gain more prominence the Directions can be modified accordingly, but for now, they seem to be a good starting point.


Author: Ayushi Singh; Reviewed by Madhav Rangrass


Estonia: The ‘Smart’ Country


We had an opportunity to visit Tallinn, the capital city of Estonia, and what a rich experience it was, as we went from exploring the Enterprise Estonia showroom and the e-Residency opportunities to having interesting discussions with legal partners and witnessing the high energy, high technology ambience of Tallinn Science Park, Tehnopol. We have been connected to the Estonian innovation eco-system earlier, but witnessing it in person and at close quarters was indeed a great experience.

Enterprise Estonia

At the Enterprise Estonia showroom, Media Team Member Frederico Plantera took us through the pulse of Enterprise Estonia – a short presentation (enter e-Estonia) on how, with a population of just about 1.3 million, the country is managing to be in the top tiers of the World Bank, OECD and other similar ratings. With 99% of services being online (excluding a few like divorce, marriage and buying and selling real estate), the country boasts of having recognised Internet as a social right, providing smart ID cards to all its residents (not citizens) and having 7% of its GDP coming from the Information, Communication and Technology (ICT) sector. Innovation is digital-by-default and incorporation of a company is a matter of 18 minutes in this country; add to that the facilities of e-taxation and e-residency (see our post on e-residency here); and there is a high potential of having a magical combination.

We also got a glimpse into how X-Road, the ‘highway of e-Estonia’, works. X-Road is basically the infrastructure and backbone of e-Estonia that connects various databases, ERPs, tax boards, state portals, banks, telecom companies, population registers, et al. across the country, thereby facilitating millions of transactions per year. We are told that the technology of X-Road is largely similar to and a predecessor of today’s block-chain technology (having been in existence since 2001). It is also being exported, and there are talks of exporting this technology to other EU countries like Finland and the Netherlands, with the creation of a digitised EU market being the ultimate goal.

Amongst other things, Enterprise Estonia also provides a ‘Start-up grant’ of up to €15,000, subject to certain terms and conditions. It is also the focal point for receiving various other grants and funding, made available through the Ministry of Economic Affairs under the Organisation of Research and Development Act, which is an enabling legislation for baseline funding and research grants.

Legal framework and taxation: We had the opportunity of meeting some of the top law firms in Tallinn, with detailed discussions on legal structure and taxation. You’ll be glad to know that there is no corporate income tax in Estonia on retained and reinvested profits; 20% corporate income tax on distributed profits (actual and deemed); dividends paid to non-residents being not subject to any withholding tax; DTAA between India and Estonia; 20% value added tax rate; no mandatory auditing for private limited companies below certain thresholds; easy foreign direct investment in Estonia; minimum share capital requirement (for private limited) of €2500, but the company can be established so that the share capital is paid later on; etc.

Incubation space: We also had the opportunity of visiting the incubation space of Tallinn Science Park, Tehnopol, which has supported companies such as Skype and GuardTime (the block-chain service provider to the Estonian government). Tehnopol is one of the biggest tech hubs in the Baltic region and works extensively with companies in the green technology, ICT and health technology sectors, oftentimes providing support to companies even at the prototyping phase. The average incubation period is up to 2 years and till a company raises capital/generates the first sale. It invests up to € 10 000 worth of expertise in start-up companies to find the first seed investment or reach export markets, providing access to 30+ business coaches working hands-on with start-ups, 70+ trainings, investor panels, sales, pitching and networking events annually, a co-working center, and last but not the least, access to the € 300,000 prototyping fund PROTOTRON (for more details, see here).

So there, if you as an Indian enterprise wish to expand to the EU, perhaps Estonia can be your landing place.

E-RESIDENCY. Estonia- Country as a Service

The biggest disruption in this world is that the concept of physical boundaries is constantly challenged by internet and more pronounced through rapidly changing technologies.

Globalization has not only made companies do things in new ways but has also forced governments and sovereign nations to think differently to attract businesses around the world (and therefore attract income from taxes).

Mr John Perry Barlow in his letter ‘A Declaration of the Independence of Cyberspace’ addressing sovereign governments has stated that “cyberspace does not lie within your border” and that “you have no sovereignty where we gather”. His intentions were to strictly warn the sovereign governments, who in 1996 were thinking of governing and regulating cyberspace; however, under this article attention has been restricted only to the literal meaning of the two statements quoted above.

Estonia with only 1.3 million inhabitants has proved the statements of John Perry Barlow true by becoming the first country in the world to introduce e-residency. E-residency is a mechanism to enhance the prospects of digital trade, by providing remote access to its own digital infrastructure, economy and trade. E-residency has proved to blur the interstate borders which have long existed on the world map.

‘Vasudhaiva Kutumbakam’ is a Sanskrit phrase found in Hindu texts, such as the Maha Upanishad, which means “the world is one family”. Is this possible?

Physical boundaries of nations have many reasons, namely the formation of governments, constitution, citizenship, currency, legislative and judicial powers, taxation and many others following from these. We are living in exciting times where the operative word is “disruption” – cryptocurrency to traditional currency, internet to physical borders, and Estonia is now creating a new kind of disruption to residency/citizenship.


In Estonia as an e-resident, one will be able to:

  • establish and run a company online, from anywhere in the world;
  • conduct banking online (e.g. open a bank account, make electronic bank transfers);
  • have access to international payment service providers;
  • digitally sign documents (e.g. annual reports, contracts) within the company as well as with external partners;
  • verify the authenticity of signed documents;
  • encrypt and transmit documents securely; and
  • declare taxes online.

E-Residency thus offers the opportunity to establish and run a location-independent international business in Estonia. Estonia has been ranked highly for its transparent and competitive business environment and was placed sixth among the European Union economies by the World Bank for the ease of doing business (World Bank, 2016).

How do they do it?

It is very simple. All one has to do is fill out an online application form. Then the Estonian Police and Border Guard will do a background check. Upon this background verification, the person will receive a digital card, which is nothing but a digital access to Estonian economy and trade.

Currently, one can choose any one of the 38 Estonian consulates or embassies across the world to physically pick up this e-resident card, one being in Delhi. Applicants for e-residency undergo a background check, submit biometrics, and meet face-to-face with an Estonian official before obtaining the e-Residency digital ID. The program claims strong privacy protection, reinforcing trust in the internet as a place to do business and manage personal data.

The European ‘Digital Single Market’

The European Union has created a Digital Single Market. To support this, the regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), adopted in 2014, aims to enable secure and seamless electronic interactions between businesses, citizens and public authorities. In this regard, the eIDAS Regulation: (a) ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries; and (b) creates a European internal market for eTS – namely electronic signatures, electronic seals, time stamp, electronic delivery service and website authentication – by ensuring that they will work across borders and have the same legal status as traditional paper-based processes (European Commission, 2015).


E-residency does not have any direct influence on the tax residency. Being an Estonian e-resident does not mean that one becomes the Estonian tax resident.

An individual is a tax resident in Estonia if

  • his or her place of residence is in Estonia or
  • he or she stays in Estonia for at least 183 days over the course of a period of 12 consecutive calendar months

If an e-resident has established an Estonian company, then such company is regarded as an Estonian resident. The profit of the Estonian resident company derived from all countries is taxable in Estonia, which is subject to the tax regime in Estonia and the Double Tax Treaties entered with Estonia and the country of the incorporator.

The Tax and Customs Board of Estonia mentions that the profit is taxable at the moment of payment out, for example as dividends. It is really nice to know that double taxation is avoided, which means that if the actual activity of the Estonian resident company is only in foreign countries, the profit paid out as dividends in Estonia from profit taxable abroad may be exempted in Estonia.

Estonia is experimenting with a concept called “data embassies”, where friendly countries would host servers housing Estonia’s critical data and applications and, in the event of an attack, the Estonian government could switch over to those external databases to keep the country running and keep the data safe.[1]

Food for Thought

Can Aadhar provide for being such a game changer? (i.e., assuming after Aadhar addresses all the teething trouble that it currently has, in terms of security, privacy, confidentiality, robustness, authenticity, etc.). Would such a program enable e-residency to foreign directors to set up companies in India and conduct trade?

Can Aadhar provide a digital gateway for interested companies to virtually enter the Indian economy and market?

There is a lot of flak Aadhar is facing and below is an “only if” scenario:

Aadhar provides a very strong foundation to build upon for doing business with accountability, without any hassle and to cut short the bureaucracy. Aadhar uses bio-metric information of an individual to identify and verify their authenticity which provides an additional layer of cybersecurity while trading or doing business digitally.

For a country as large as India, with 1.2 billion population, it is a daunting task to recreate something like what Estonia has achieved. But, wouldn’t virtual businesses, who become tax-residents in India, be another income possibility for the country?

With ‘Digital ho Raha hai India’ can we create a virtual economy, with KYC, with security, with legislative backing, with ease, with new India Shining?  Can we use programs/disruptions such as these to jump-start and skip the moves, to becoming a highly developed nation?

It might also be a way to not get caught in the digital-divide that the world is moving towards.

Author: Manas Ingle is an Associate with NovoJuris Legal.



Supreme Court Judgement on ‘Existence of Dispute’ under Insolvency and Bankruptcy Code

‘Existence of Dispute’ in case of application by Operational Creditor

This blog is in continuation of our earlier blog dated 15 September 2017, which was titled “Dispute” is heavily disputed under Insolvency and Bankruptcy Code (IBC) and written about the NCLT Order. On appeal, the Supreme Court has weighed in on “existence of dispute” under IBC. Read on.


Kirusa Software Private Limited (Kirusa) had filed an application before the National Company Law Tribunal (NCLT), Mumbai for initiation of Corporate Insolvency Resolution Process (CIRP) of Mobilox Innovations Private Limited (Mobilox) under Insolvency and Bankruptcy Code, 2016 (the Code).  The NCLT, Mumbai dismissed Kirusa’s application on the ground that Mobilox has issued a Notice of Dispute. An appeal against the NCLT order was filed by Kirusa before the National Company Law Appellate Tribunal (NCLAT). The NCLAT allowed Kirusa’s appeal on the ground that Mobilox’s reply to the demand notice does not raise any dispute within the meaning of Section 5 (6) or Section 8 (2) of the Code, that Mobilox has disputed the payment merely on “some or other account” and that its defence was “vague, got up and motivated to evade the liability”. Accordingly, the NCLAT had set aside the order of NCLT, Mumbai and remitted the case to it for consideration. Mobilox has appealed the NCLAT order with the Supreme Court of India (the Court) to set aside the order of the NCLAT highlighting that there is an “existence of dispute” and therefore the CIRP application has to be dismissed.

Excerpts of the Judgement by the Supreme Court

While passing an order in relation to the aforementioned case on determining the “existence of a dispute” occurring in Section 8(2)(a) of the Code, the Court allowed Mobilox’s appeal, holding that there was a dispute in existence which was sufficient to withhold and dismiss the CIRP application filed by Kirusa with the NCLT, Mumbai. A few considerations by the Court before its verdict are discussed below:

Existence of Dispute prior to the Demand notice issued by the Operational Creditor

The Court contended that CIRP applications filed by operational creditors should be dismissed if the corporate debtor is able to prove the existence of the dispute, and that the dispute and/or the suit or arbitration proceeding must be “pre-existing”, i.e. it must exist before the receipt of the Demand Notice.

Test to be tried by the adjudicating authority and ambit of the “Dispute”

The NCLT, while admitting the CIRP application, is only required to identify whether there is a plausible contention which requires further investigation and that the “dispute” is not a deliberate legal argument or an assertion of fact unsupported by evidence. The Court also contended that the NCLT, while determining whether a dispute exists or not, is not required to satisfy itself that the defence is likely to succeed or examine the merits of the dispute. So long as a dispute truly exists in fact and is not spurious, hypothetical or illusory, the adjudicating authority has to reject the application.

One of the arguments made by Kirusa was that since the Non-Disclosure Agreement executed between Kirusa and Mobilox does not fall under any of the three sub-clauses of Section 5(6), there is no “dispute” on the facts of this case. However, the Court rejected the argument and said that the intention of the legislature was to make the definition of “dispute” an inclusive one and therefore the word “includes” replaced the word “means”, which occurred in the first Insolvency and Bankruptcy Bill. A “dispute” is said to exist so long as there is a real dispute as to payment between the parties that would fall within the inclusive definition contained in Section 5(6). The correspondence between the parties would show that on 30 January 2015, the appellant clearly informed Kirusa that they had displayed Mobilox’s confidential client information and client campaign information on a public platform, which constituted a breach of trust and a breach of the NDA between the parties. They were further told that all amounts that were due to them were withheld till the time the matter is resolved. On this basis, Mobilox, in response to the demand notice, disputed the claim in detail in its reply dated 27 December, 2016, which set out the e-mail of 30th January, 2015. Going by the test of “existence of a dispute”, the Court noted that, without going into the merits of the dispute, Mobilox had raised a plausible contention requiring further investigation which is not a deliberate legal argument or an assertion of facts unsupported by evidence. The defense is not spurious, mere bluster, plainly frivolous or vexatious. A dispute does truly exist in fact between the parties, which may or may not ultimately succeed, and the Appellate Tribunal was wholly incorrect in characterizing the defense as vague, got-up and motivated to evade liability.

Conflict between “AND” – “OR” in Section 8(2)(a) of the Code

Section 8(2)(a) of the Code reads that the corporate debtor, within 10 days from the date of receipt of the Demand Notice from the operational creditor, has to bring to the notice of the operational creditor the existence of a dispute, if any, and record of the pendency of the suit or arbitration proceedings filed before the receipt of such notice or invoice in relation to such dispute. In this case, the Court has highlighted that the word ‘and’ occurring in Section 8(2)(a) must be read as ‘or’, and also highlighted the legislative intent and the fact that it will be inconsistent if it is not read as ‘or’. Further, one may note that if the aforementioned section is read with ‘and’, then the corporate debtor could stave off the CIRP only if the dispute is already pending in a suit or arbitration proceedings before the demand notice is received from the operational creditor, and not otherwise. This would lead to great hardship, in that a dispute may arise a few days before triggering of the insolvency process, in which case, though a dispute may exist, there is no time to approach either an arbitral tribunal or a court. This would take away the right of the corporate debtor available under the said section.

Timelines under the I&B Code – Mandatory

The Court held that the timelines fixed under the Code are intrinsic to the CIRP and are important to its effectiveness. It pointed out that the intention of the legislature is a speedy CIRP and that both the NCLT and NCLAT shall adhere to the timelines prescribed under the Code. The Court referred to the judgment delivered in Innoventive Industries Ltd. v. ICICI Bank & Anr, wherein it has clearly laid down that strict adherence to the timelines is of essence to both the triggering process and the insolvency resolution itself. It also stated that one of the principal reasons why the Code was enacted was because liquidation proceedings went on perpetually, thereby damaging the interests of all stakeholders, in which case the management would continue to hold on to the company without paying its debts. Therefore, the Court directed both the NCLT and the NCLAT to keep in mind this principal objective sought to be achieved by the Code and to strictly adhere to the time frame within which they are to decide matters thereunder.

Considering the above-mentioned points, the Court has set aside the order passed by the NCLAT and rejected the application made by Kirusa for CIRP.


Since the Code became effective, there has been ambiguity and conflicting interpretation of Dispute and the Existence of Dispute. With the intervention of the Court, there is a clear instruction to the NCLT and NCLAT on the tests to be adopted while entertaining a CIRP application from an operational creditor with reference to the “existence of dispute”, and it is hoped that the uncertainties and ambiguities in the Code would get settled. However, the wide meaning that has been accorded to the term ‘dispute’ may become a shackle around the necks of operational creditors.

It is also pertinent to note that with the clear instruction of the Court in adhering to stricter timelines, it can be expected that the NCLT and NCLAT would take note of the principal objective of the Code as discussed above and completion of CIRP process would be expected within the timeline provided under the Code.

Author: Ashwin Bhat is a Senior Associate with NovoJuris Legal


Medical devices have seen quantum leaps in terms of functionality, intelligence, and usefulness in the last decade. Improved design, better and cheaper production materials, and more sophisticated software have all contributed to this improvement. However, perhaps the biggest recent development that has greatly enhanced the ability and uses of medical devices is the use of technology to connect medical devices (including those implanted in humans) to the internet, to hospital systems, and to other devices. This makes it possible to make these devices smarter, to control them remotely if required, to monitor their activity and functioning, and to pause or alter their operation without having to remove them from the human body.

However, like all devices that come with internet connectivity, these connected medical devices come with one major potential harm – the vulnerability to hacking, malware, and/or viruses. Potentially, this could create havoc for health care providers and patients, as third-parties may be able to break into and dictate the functioning of medical devices such as drips or other implanted devices. This problem is not new either. Since 2012, the Food and Drug Administration of the USA (the “FDA”) has been increasing security infrastructure standards for all connected medical devices, and has been constantly warning manufacturers of potential threats.

Sure enough, a short while ago, the first major medical device manufacturer in the USA suffered from the threat of security breaches. On August 30, 2017, the FDA announced the recall of approximately 465,000 pacemakers manufactured by Abbott (previously St. Jude Medical), due to the fear of security vulnerabilities being exploited by hackers. As per the FDA, if the vulnerabilities were left unremedied, hackers could reprogram the pacemakers to alter the heart rate of the patient and/or to drain the batteries quickly. Both scenarios could have potentially catastrophic effects.

Fortunately for Abbott, the vulnerabilities could be fixed via a firmware update that could be installed by health care providers in just 3 minutes. The pacemakers did not need to be removed from the patients’ bodies, as the update could be installed wirelessly. Further, Abbott was able to report that there had been no incidents of a security breach/hack before the firmware update was rolled out. Yet, this should not detract from the seriousness of the situation and the extent of the harm that could have been suffered by both the manufacturer and the patients. In light of this, we find it pertinent to take a deeper look at the different kinds of medical devices available today, and the potential harm that can be caused through them if the current security infrastructure is not in place.

Medical Devices and Their Potential Harms

Medical devices, apart from being controlled remotely, are also great repositories of data. In order to be able to automatically adjust their own functionality, alert users/controllers at times of low battery, and to be able to provide efficient statistics as to the health of a patient, they have to constantly collect, monitor and analyse data from the patient’s body. This means that they contain sensitive personal information regarding patients’ medical conditions, bringing in the important aspect of data privacy.

Medical devices have been used for a variety of purposes – from diagnosis of multiple diseases, to studying patient’s conditions during treatment of diseases, and to ensuring patient adherence to a prescribed treatment plan. Perhaps, given the wide range of uses for connected medical devices, it will be easier to understand the problems that they may face, by taking a few examples:

  1. OpenAPS – Closed loop insulin delivery – This software, which can be used along with standard medical devices, allows patients to track data from their CGM (continuous glucose monitor), and use it to control/trigger their insulin pump whenever glucose levels demand the same. The patient’s PII is not owned by any third party here, but if hacked, this system could not only give hackers access to this information, but could also allow hackers to alter the trigger mechanism/program that controls when insulin is released to
  2. Activity trackers during cancer treatment – These devices are used to gather lifestyle data regarding patients during their treatment for various forms of cancer. These are wearable devices (like many other activity trackers/smart watches), but they track the patient’s energy levels, fatigue, and appetite automatically. The data generated via these devices is usually accessible to and analysed by doctors and other health care providers. In a disease where the treatment is actively changed depending on the patient’s reaction to the ongoing medication/therapy, such a device is extremely important. Additionally, it helps doctors keep track of a patient’s lifestyle, to ensure that patients are taking care of themselves appropriately. Thus, this device places data privacy and security restrictions on doctors etc., with respect to the PII that they hold. Additionally, there is a responsibility on the manufacturers of such devices to ensure that the security infrastructure of the device is strong enough to protect it against hacks/malware. If hacked, not only will the critical data regarding a patient’s current condition be available to the hacker, but they can also alter the functioning of the device to change the readings. This could potentially prevent a cancer patient from receiving the correct follow-on treatment, which is critical to their health.
  3. Connected inhalers – Devices like Propeller’s Breezhaler connect wirelessly to a digital platform available on the patient’s mobile phone and to the doctors as well. This helps in tracking the usage of the inhaler, sending reminders to the patient in case of sporadic usage, and ensuring patient adherence to a treatment plan. If such systems are hacked, patients and doctors could stop receiving accurate data regarding inhaler usage, potentially leading to non-adherence to treatment plans and a worsening of existing breathing problems.
  4. Parkinson’s – Pfizer and IBM have collaborated on Project Blue Sky, a planned clinical trial involving the use of a system of sensors, mobile devices, and machine learning to provide round-the-clock monitoring of the symptoms, development and progression of Parkinson’s in patients. Though more research oriented, such a system could potentially be extremely important in discovering a cure for Parkinson’s.

The above are only a few examples of connected medical devices available today. Yet some common themes run through all of them – (a) they all record and store sensitive personal information regarding patients in order to function; (b) they are all accessible remotely; and (c) this makes them vulnerable to hacking/malware etc. Considering the nature of the information stored on the devices, it becomes even more important for the manufacturers to ensure data security of the devices, and for the doctors/other entities storing and analysing the data to ensure its privacy and non-disclosure. No data security infrastructure is foolproof or completely protected from hackers. However, increased standards and more robust protection techniques could help in ensuring that these devices remain protected in the near future.

Author: Madhav Rangrass is an Associate with NovoJuris Legal.


Comparative Stack between Litigation, Arbitration, and Mediation


What is?
  • Litigation: Litigation is the process of going to Court to enforce one’s legal right. Litigation is an adjudicatory process.
  • Arbitration: Arbitration is a private Court, where a neutral third party is appointed by the parties as an arbitrator, who renders a decision after hearing both sides. Arbitration is an adjudicatory process.
  • Mediation: Mediation is a voluntary process, where a mediator assists the parties in negotiating with each other to develop their own settlement terms to resolve their disputes. Mediation is assisted negotiation, which is a collaborative process.

Nature of Cases
  • Litigation: The types of cases include criminal, civil, constitutional, tax matters etc.
  • Arbitration: Mostly civil commercial matters are arbitrated.
  • Mediation: All Civil disputes except those requiring statutory and constitutional interpretation, public policy issues and establishing precedents. All Criminal disputes that are compoundable can be mediated. Non-compoundable criminal cases cannot be mediated, except dowry harassment cases filed specifically under Section 498A of the Indian Penal Code, 1860. A petition is required to be filed under S. 482 of the Criminal Procedure Code, 1973 at the High Court for quashing the S. 498A petition.

Procedure
  • Litigation: The Court identifies the issues in the matter, based on the pleadings submitted by the parties, and after considering the evidence presented, renders a binding order or judgment on who is right and wrong or what is fair and unfair.
  • Arbitration: Arbitrator relies on facts, evidence and law to render an award.
  • Mediation: Mediator helps parties in identifying underlying interests and needs, core concerns, understand the issues and create options to negotiate a mutually acceptable settlement.

Timelines
  • Litigation: Cases litigated can go on for several years in Court.
  • Arbitration: With recent amendments, an arbitration proceeding cannot exceed 18 months.
  • Mediation: Cases are usually concluded in a few sessions, with a majority of the cases being concluded on the same day in private mediation, where mediations could be day long. In Court-annexed mediations two months’ time is given with provision to extend for another one month.

Nature of Process
  • Litigation: Formal in nature, governed by strict rules of evidence and procedure. Cases can be rejected if proper procedure of filing is not adhered to.
  • Arbitration: Formal – governed by the Arbitration and Conciliation Act, 1996.
  • Mediation: Flexible and informal – not bound by rigid rules. The mediation process is structured to suit the needs of the parties. Informal and holistic process as all connected issues and disputes are addressed. Procedural rules prescribed in the Evidence Act, 1872 and Civil Procedure Code, 1907 do not apply in mediations.

Participation
  • Litigation: Participation almost only by Attorneys. Very rare instances of parties representing themselves.
  • Arbitration: Participation primarily by Attorneys.
  • Mediation: Parties are central to the process and Attorneys are active participants. Experts and others who can contribute positively to the negotiations can participate.

Privacy and Confidentiality
  • Litigation: Public hearings.
  • Arbitration: Arbitration is essentially a private process, but the decisions are publicly available. “Court-like” evidentiary hearings. No private communications with the arbitrator.
  • Mediation: Confidentiality is a fundamental principle of mediation. In confidential private sessions with mediator the core concerns of the parties can be addressed. In Private mediations, confidentiality is protected through Confidentiality Agreements. In Court-annexed mediations, confidentiality is maintained through the Court prescribed mediation rules.

Nature of Outcomes
  • Litigation: Outcomes in win/lose judgments. Invariably relationships are damaged. Outcomes are unpredictable and beyond the control of the parties.
  • Arbitration: Result is win/lose award. Invariably relationships are damaged. Outcomes are unpredictable and beyond the control of the parties.
  • Mediation: Mediation is negotiation in which parties attempt to find solutions that are mutually acceptable and therefore win/win. The presence of a neutral mediator, makes the negotiation multi-dimensional and relationship may be maintained, enhanced or created. Outcomes are controlled by the parties.

Finality
  • Litigation: Judgements are subject to appeals and revisions at different levels.
  • Arbitration: Awards can be challenged in Court on certain grounds.
  • Mediation: There is a high rate of settlement in mediation. In case of a settlement in mediation, they are binding on parties as a contractual agreement or as a conciliator’s award under Section 74 of the Arbitration and Conciliation Act, 1996. Mediated settlements are hardly reopened or challenged as there is a high level of self-determination in reaching the outcome, and hence enjoy a high degree of finality.

Conclusion of the Process
  • Litigation: Litigation continues until finally decided or withdrawn.
  • Arbitration: Arbitration continues until final award is passed or withdrawn.
  • Mediation: Mediation is a voluntary process and the parties can decide to leave the process if they’re not comfortable with it, without affecting their rights to try other legal processes.


If you wish to be a mediator, please ping us on


Interview with Bruce Edwards, JAMS Founding Partner

In this special edition of our newsletter on Mediation, we caught up with Mr. Bruce Edwards.

Bruce A. Edwards, Esq. is one of JAMS’ founding partners and most experienced attorney mediators. Mr. Edwards has served as a mediator, arbitrator, and special master since 1986. During that time, he has developed extensive expertise in handling complex, multiparty cases with emphasis on construction, engineering and infrastructure, business, employment, and traumatic personal injury matters.

Bruce has mediated over 4,500 disputes throughout the United States, Canada, and Mexico on a wide variety of legal issues including construction, engineering and infrastructure, personal injury, healthcare, employment, business, professional malpractice, mass tort, and insurance coverage. Bruce has settled over one-half billion dollars in construction claims since 2001 in California, Nevada, and Washington.

Sharda Balaji: Bruce, you believe very strongly that mediation reduces the burden on courts. One of the aims of this special edition of the newsletter is to highlight how Indian courts could perhaps adopt mediation as an effective way to reduce their burden. What in your opinion has kind of helped US Courts to adopt the use of Mediation?

Bruce Edwards: Mediation has effectively reduced the burden on courts in several meaningful ways. First, mediators are often called upon to assist judges in managing the case on its way to mediation, effectively reducing the judge’s need for oversight and court hearings. Second, most cases settle outside of court. If a case settles early because of mediation, it isn’t in the court system for as long as if it settles on the courthouse steps. Cutting down the typical life cycle of a case by as much as half has benefits to a court with limited capacity. Third, and most important, mediation in the United States has effectively reduced the number of cases tried before a judge or jury in both State and Federal court. Federal court mediation programs have been so effective that federal courts have seen substantial reductions in jury trials over the past 10 years. Fourth, as mediation becomes more widely accepted as a dispute resolution approach of first resort, whether through contract provisions or laws favoring its use, lawsuit filings have gone down, further reducing the burden on the court system.

Sharda: While Mediation is pretty effective in bringing out an array of solutions that the parties themselves determine, how binding are those “settlement agreements” on the parties and does it require to be formalized before the courts?

Bruce: It is important to remember that a mediated settlement agreement becomes binding primarily through the agreement reached between the parties. My experience in over 30 years of settling cases through mediation every week reveals only a handful of times when parties failed to comply with the terms of settlement once agreement was reached. Problems sometimes arise when parties aren’t clear on the specific terms of settlement when they leave the mediation. It is incumbent on the mediator, and is increasingly the standard of practice in the United States, to ensure the parties have a signed agreement setting forth specific understanding between the parties. This practice usually avoids the most common post-mediation concern regarding disputed settlement terms.

Increasingly, mediators are directing the parties to put the terms of the settlement on the record before a judge or otherwise formalize their understanding of settlement terms so they can be enforced. In some countries, the mediator will file with the court a document that will enable the judge to enforce settlement terms. In my practice, once a settlement agreement has been memorialized between the parties, I will stay involved through the drafting of final settlement documents and the compliance phase to ensure the parties follow through on their expressed intentions.

Sharda: 30 years of extensive experience Bruce. I love the way you distill those learnings and provide it in a capsule form for upcoming mediators, in your training programs. In your opinion, what types of disputes are suited for mediation?

Bruce: An overwhelming majority of disputes can be resolved through mediation. Certain types of disputes including those deemed “complex” due to complicated issues of law, multiple parties or the presence of high emotion are especially well-suited for mediation. Recently, certain countries such as Uganda have attempted to implement the mediation process into their criminal justice systems. Mediation is used in both reconciliation and sentencing.

Interestingly, it is sometimes thought that cases on appeal where parties have either won or lost in the underlying trial court would not be worthy candidates for mediation. Yet in the United States most appellate courts employ staff and volunteer mediators who routinely mediate cases on appeal, often employing telephone and email mediation techniques given the geographic separation of parties. It’s worth noting that the majority of these cases also settle through mediation.

The types of cases thought to be poor candidates for mediation include those cases where legal precedent may be required.

Sharda: Over the many years that you have seen mediation being effectively used in the United States, what are your thoughts or perhaps top 5 issues on how mediation has been successfully used?

Bruce: I think mediation has been used successfully in the United States largely because:

  1. Mediation addresses the needs and interests of the parties in dispute often more directly than could otherwise be obtained in the legal system.
  2. Mediation allows for creative solutions to complex problems while results available through litigation are often more narrow and constrained.
  3. Mediation allows the parties to address meaningful settlement discussions on a day of their own choosing and often well in advance of when the court system can make itself available.
  4. Mediation offers clients the opportunity to maintain control of their disputes and exercise self-determination regarding their resolution, in contrast to historically feeling controlled by lawyers and at the mercy of the court system.
  5. Mediation often results in satisfactory settlements at a fraction of the cost of litigation.