
Analysis of Section 396 of the Companies Act, 1956 in the light of NSEL merger order.

Section 396 of the Companies Act, 1956 (‘the Erstwhile Act’) (i.e. Section 237 of the Companies Act, 2013) empowers the Central Government to order a “forced amalgamation” of two companies if it is satisfied that this is essential in the “public interest”. The provision was invoked for the first time by the Ministry of Corporate Affairs (‘MCA’) in 2014. The order was made to revive the National Spot Exchange Limited (‘NSEL’) from the major financial crisis it suffered in 2013; in that setting, the Forward Markets Commission (‘FMC’) had proposed a merger between NSEL and its holding company FTIL (now 63 moons) in the ‘public interest’ so that dues amounting to Rs. 5,600 crores could be paid to the investors and traders of NSEL. It was an unprecedented order by the MCA and led to much speculation on how the provision can be invoked to revive a private limited company. Before analysing the provision, it is relevant to set out the background of the case.


In 2013, NSEL, a spot exchange for trading in commodities, was found to be trading in commodities that were not backed by stocks in its warehouses. This resulted in a crisis, with NSEL owing more than INR 5,500 crores to its investors. The Government thereafter suspended all forward trading operations of NSEL and subjected it to a 33-week resolution plan intended to revive it. The plan failed, and NSEL could not be restored to normal or even near-normal functioning. To revive the subsidiary and protect all its shareholders, FMC recommended its merger with its holding company (i.e. 63 moons). This step appeared to contradict the “limited liability” of private companies and was widely criticised. Nevertheless, in order to revive NSEL, MCA passed the merger order, marking it as a precedent for similar future scenarios. The order was contested in the Bombay High Court, where the bench upheld it. 63 moons appealed further to the apex court, which set aside the order after analysing the principle behind Section 396 of the Erstwhile Act.

Legal Provision

MCA passed the merger order by the powers it had under Section 396 of the Erstwhile Act (i.e. Section 237 of the Companies Act, 2013)[1]. Section 396(1) reads:

“(1) Where the Central Government is satisfied that it is essential in the public interest that two or more companies should amalgamate, then, notwithstanding anything contained in sections 394 and 395 but subject to the provisions of this section, the Central Government may, by order notified in the Official Gazette, provide for the amalgamation of those companies into a single company with such constitution; with such property, powers, rights, interests, authorities and privileges; and with such liabilities, duties, and obligations; as may be specified in the order.”

Further, Section 396(3) of the Erstwhile Act reads:

“(3) Every member or creditor (including a debenture holder) of each of the companies before the amalgamation shall have, as nearly as may be, the same interest in or rights against the company resulting from the amalgamation as he had in the company of which he was originally a member or creditor; and to the extent to which the interest or rights of such member or creditor in or against the company resulting from the amalgamation are less than his interest in or rights against the original company, he shall be entitled to compensation which shall be assessed by such authority as may be prescribed and every such assessment shall be published in the Official Gazette.”

The words “essential in the public interest” indicate that the Central Government may exercise this power only when an amalgamation is essential in the public interest. Further, the stakeholders must continue to enjoy, as nearly as may be, the same rights and interests in the resulting company after the amalgamation as they enjoyed earlier. Any order invoking the provision must therefore satisfy these two basic pre-requisites.


While passing the merger order, MCA stated that it was of the “considered opinion that to leverage combined assets, capital and reserves for efficient administration and satisfactory settlement of rights and liabilities of stakeholders and creditors of NSEL, it would be in essential public interest to amalgamate NSEL with FTIL”. MCA further contended that NSEL appeared incapable of recovering any of its dues from its defaulting members and that, given the amount in question, it intended to protect the interests of the creditors by merging the defaulting subsidiary with its parent company, since NSEL did not have the wherewithal to pay Rs. 5,600 crores.

The apex court’s bench, consisting of Justice R. F. Nariman and Justice Vineet Saran, heard the contentions of both sides and held that the amalgamation order was ultra vires Section 396 and violative of Article 14 of the Constitution of India, and struck it down.

The court discussed the meaning and application of term “public interest” at length. To quote from the judgement authored by Justice Nariman:

In the context of compulsory amalgamation of two or more companies, the expression “public interest” would mean the welfare of the public or the interest of society as a whole, as contrasted with the “selfish” interest of a group of private individuals. Thus, “public interest” may have regard to the interest of production of goods or services essential to the nation so that they may contribute to the nation’s welfare and progress, and in so doing, may also provide much needed employment. “Public interest” in this context would, therefore, mean the combining of resources of two or more companies so as to impact production and consumption of goods and services and employment of persons relatable thereto for the general benefit of the community. Conversely, any action that impedes promotion of industry or obstructs growth which is in national or public interest would run counter to public interest as mentioned in this Section.

Justice Nariman further concluded that, on a holistic reading of the amalgamation order, the leveraging of the combined assets, capital and reserves of the two companies was primarily intended to settle the liabilities of certain stakeholders and creditors who had allegedly been duped, and hence no “public interest” was served by the amalgamation order.

Explaining the scope of Section 396 of the Erstwhile Act, the court held that “essential to public interest” is the first and foremost criterion to be satisfied whenever an order is made under this section. The expression “essential” is defined in P. Ramanatha Aiyar’s Law Lexicon (4th Edn.) as follows:

Essential. Indispensably necessary; important in the highest degree; requisite; that which is required for the continued existence of a thing.

In this instance, the sole objective of the amalgamation was to satisfy the dues of the creditors, and this, being a private interest, cannot be translated into an essential public interest. Therefore, an amalgamation order must not only be in the public interest but must also pass the litmus test of being essential.

The Hon’ble Supreme Court also settled the question whether the Central Government’s amalgamation order under Section 396 of the Erstwhile Act is immune from challenge under Article 14 or Article 19 by virtue of Article 31A of the Constitution of India. Article 31A(c) of the Constitution saves certain laws from challenge under Article 14 or Article 19 if the law provides for the amalgamation of two or more corporations either in the public interest or for the proper management of any corporation. The apex court opined that Article 31A has to be construed in the light of Article 13(3) of the Constitution, which defines ‘law’ to include any ordinance, order, by-law, rule, regulation, notification, custom or usage having the force of law in India.

However, such an ‘order’ must be legislative in nature and not administrative. The Hon’ble Supreme Court relied on a number of judgements to set out the difference between a legislative order and an administrative order. Legislation is a rule-making process in which a general rule of conduct is formulated without reference to any particular case; it is indicative of a future course of action. Administration, by contrast, is the process of applying the general rule of conduct to particular cases by performing particular acts or issuing orders; it is determinative of past and present facts and of rights and liabilities. While the former is general, the latter is particular.

The argument that an amalgamation order passed under Section 396 of the Erstwhile Act is immune from challenge under Article 14 or Article 19 by virtue of Article 31A was not accepted by the apex court. It was held that the amalgamation order in question was not a legislative order but an administrative one, because it directly affected the rights and liabilities of the company, its shareholders and its creditors. Such orders do not apply generally to all companies but only to the particular companies being amalgamated. The Central Government’s amalgamation order contains no general rule of conduct, as it is a specific direction in respect of two specific companies. Relying on the K.I. Shephard judgment[2], the bench concluded that even though Section 396(5) requires the Central Government’s order to be laid before the Houses of Parliament, this does not detract from the fact that the order is administrative and not legislative in nature. Therefore, it cannot be construed as ‘law’ within the meaning of Article 13, and the Central Government’s order cannot claim immunity under Article 31A.


In the context of this exceptional order, the court also analysed the scope of the Central Government’s power to amalgamate companies in the public interest. For a Section 396 merger, no order of amalgamation can be made unless an order of compensation has first been made under sub-section (3) of Section 396, and an appeal from that order has either not been filed or has been disposed of. Further, since the corporate identity of a holding company and its subsidiary is to be kept intact, a merger under the section should be ordered only when all other possible routes to reviving the company have failed.

Authors: Unnita Bhattacharya and Asis Panda


[1] [Last accessed on 15 May 2019 at 4 pm]

[2] K.I. Shephard & Ors. v. Union of India, 1988 AIR 686


Simplified process of Incorporation & Commercial registrations


The Ministry of Corporate Affairs (MCA) notified the Companies (Incorporation) Third Amendment Rules, 2019[1] on 29 March 2019, which introduced e-form INC-35 [Application for Goods and services tax Identification number, employees state Insurance corporation registration pLus Employees provident fund organisation registration (AGILE)]. The AGILE form aims to provide a single window through which applicants can apply for registration under the Goods and Services Tax (GST), the Employees’ Provident Fund Organisation (EPFO) and the Employees’ State Insurance Corporation (ESIC).

At present, the application for incorporation of a company is made in e-form INC-32 (SPICe), along with the e-Memorandum of Association (e-MOA) in Form No. INC-33 and the e-Articles of Association (e-AOA) in Form No. INC-34. Through e-form INC-32, applicants can apply for PAN and TAN, and with the deployment of e-form INC-35 they can now also apply for GST, EPFO and ESIC registration at the time of incorporating the company.

This is a welcome change brought about by the MCA: the incorporation process has been made hassle-free, and applicants can apply for the various registrations while incorporating the company. Previously, even after obtaining the certificate of incorporation, companies had to apply separately for registration under GST, EPFO and ESIC and await their approval. This was a setback for companies, which could not actually commence operations in the meantime. With the introduction of the AGILE form, the Ease of Doing Business in India initiative has been further enhanced.

How does this work?

For incorporation of the company, applicants have to upload the requisite linked incorporation e-forms, i.e. INC-32, INC-33, INC-34 and INC-35. On approval by the MCA, the Certificate of Incorporation, PAN and TAN are issued. Subsequently, the information for GST, EPFO and ESIC (whichever services are availed) filed in e-form INC-35 is forwarded to the concerned departments for their approval.

Thus, there are no repetitive submissions of incorporation related documents for obtaining registrations under GST, EPFO and ESIC.

Practical issues faced

Though this amendment has made the incorporation process less stressful, applicants still face practical issues. Some of these are as follows:

  1. A registered office address is compulsory for the AGILE form: While incorporating a company, applicants have the option of providing a correspondence address instead of a registered office address, provided they obtain a registered office address within 30 days from the date of incorporation. This gives applicants sufficient time to set up a registered office if they do not have one at the time of incorporation. However, for the purpose of filing the AGILE form, a registered office address is mandatory, as the form accepts only the address provided in the SPICe form (INC-32), or the correspondence address has to be the same as the registered office address.
  2. The principal place of business must be the same as the registered office of the proposed company: Applicants wishing to apply for a GSTIN, an Establishment Code issued by EPFO or an Employer Code issued by ESIC at the time of incorporation have to ensure that the principal place of business is the same as the registered office address of the proposed company. Companies intending to have a principal place of business different from the registered office address therefore cannot avail of this facility and have to follow the existing registration procedures under GST, EPFO and ESIC.
  3. Mandatory filing of the AGILE form: Applying for a GSTIN, an EPFO Establishment Code or an ESIC Employer Code at the time of incorporation is optional. However, applicants still have to file the e-form, as it is a linked e-form that accompanies the SPICe form for incorporation. This can prove to be an unnecessary compliance requirement for applicants who do not want to apply for GST, EPFO and ESIC registration at the time of incorporation.
  4. Resubmission of the GST application through the GST portal: If there is an error in the GST application and it is sent back for resubmission, applicants have to resubmit the application through the GST portal only. Further, if the TRN expires, a fresh application for GST also has to be made through the GST portal.


The introduction of this form is certainly beneficial for stakeholders; however, it still does not cover all the general registration requirements of a newly incorporated company, such as Professional Tax, Trade License, Shops and Establishments registration, etc. Additionally, the MCA has to look into the practical issues being faced and incorporate changes to provide a seamless service.

Authors: Alivia Das and Ashwin Bhat




The Madras High Court delved into an important issue relating to the protection of children’s privacy in the context of web-based applications such as Tik-Tok, published by Bytedance (India) Technology Private Limited (“Company”). The petitioner contended that the app was “degrading culture”, encouraging pornography and exposing children to paedophiles.

As per Section 79 of the Information Technology Act, 2000 (“IT Act”), an intermediary is not liable for any third-party information, data or communication link made available or hosted by it, provided that the intermediary’s function is limited to providing access to a communication system over which information made available by third parties is transmitted, temporarily stored or hosted, or that the intermediary does not (i) initiate the transmission, (ii) select the receiver of the transmission, and (iii) select or modify the information contained in the transmission. The exemption does not apply if the intermediary is involved in the unlawful act or fails to take down unlawful content after receiving actual knowledge of it.

Further, for the exemption to apply, the intermediary must abide by the due diligence standards prescribed in the Information Technology (Intermediaries Guidelines) Rules, 2011 (“IT Rules”). The IT Rules provide that an intermediary should, among other things:

  1. publish the rules for access to or usage of the intermediary’s computer resource and inform its users that, in case of non-compliance with the rules, the intermediary has the right to immediately terminate access to its resources;
  2. include in those rules a requirement that users must not host or upload any content that is grossly harmful, obscene, pornographic, paedophilic, libellous, etc.; and
  3. publish on its website the name and contact details of its Grievance Officer, as well as the mechanism by which users can notify their complaints.

Tik-Tok can be deemed an “intermediary” under the IT Act. The petitioner had incorrectly compared Tik-Tok to the infamous “Blue Whale” application, which, unlike Tik-Tok, is not an intermediary. Through an interim order, the Hon’ble High Court had directed the Government to prohibit any further downloads of the app and asked the Central Government whether it would enact a statute specifically protecting the privacy of children online, akin to the US Children’s Online Privacy Protection Act (“COPPA”).

COPPA was enacted with the intention of protecting children and making website operators more diligent in protecting personal data. The resulting obligations require websites to obtain consent from parents before collecting or processing any child’s information. COPPA also requires site operators to allow parents to review any information collected from their children, which means the website has to provide full access to all user records, profiles and log-in information upon a parent’s request.

Mr. Arvind P. Datar, learned Senior Counsel, appearing as amicus curiae, submitted that Indian law was comprehensive enough to deal with the issues raised by the petitioner and that no special legislation needed to be enacted. It may also be noted that the draft Personal Data Protection Act (“Bill”) deals with certain aspects of children’s privacy, such as barring website operators from profiling children or directing targeted advertising at them.

The Company contended that it complied with all the requirements of the IT Act and the IT Rules and in fact went above and beyond them by: 1) engaging a content moderation team to screen harmful content; 2) allowing users to block mischievous users; 3) providing a “report” feature, which led to an average takedown time of just 15 minutes (even though the law expects intermediaries to initiate suitable action within 36 hours of being informed of unlawful content); 4) providing parental control and supervision features; and 5) deploying an AI-powered takedown mechanism that detects illegal content, including content violative of Section 354C of the Indian Penal Code, 1860 and Section 66E of the IT Act.

The Company’s contentions regarding its diligence practices in accordance with industry standards were taken on record by the Madras High Court as an undertaking, and in furtherance of the same, the interim ban imposed by its previous order dated 3 April 2019 was lifted.

Authors: Spandan Saxena and Asis Panda

Reference: S. Muthukumar v. M/S Bytedance (India) Technology Private Limited

Valuation for issuance of shares: Which method to choose?

Determining the fair market value (FMV) of unquoted shares can be challenging for companies because of the choice of valuation method. In several rulings, the Income Tax Appellate Tribunal (the “ITAT”) has rejected the valuation methodology adopted by the company on the ground that it was not substantiated. However, a few rulings have gone in favour of companies, where the ITAT has quashed the argument of the Assessing Officer (the “AO”), holding that the tax authorities may scrutinise a valuation report only to the extent of finding arithmetical mistakes and cannot compel a taxpayer to choose a particular method of valuation.

Although valuation practice has been prevalent in India for the last six decades, there is no specific guidance on the subject, and the debate on the method to be followed continues.

Valuation Methods as per Rule 11UA of Income Tax Rules, 1962

As per Rule 11UA of the Income Tax Rules, 1962, companies have the option to adopt either the Net Asset Value (the “NAV”) method or the Discounted Free Cash Flow (the “DFCF”) method for valuation purposes. On 24 May 2018, the Central Board of Direct Taxes (CBDT) amended the Income Tax Rules, 1962 by omitting the words “or an accountant” from Rule 11UA(2)(b). As a consequence of this amendment, only a merchant banker can now independently determine the FMV of unquoted equity shares using the DFCF method; an accountant is no longer eligible to carry out this valuation.

Various Case Laws pertaining to the Valuation Methods opted by Companies

Case 1: In M/s. TUV Rheinland NIFE Academy Pvt. Ltd. vs. The Income Tax Officer, the company had issued 5,00,000 shares with a face value of INR 100 each at a premium of INR 479 per share to its parent, TUV Rheinland (I) Pvt. Ltd. (“TUVR India”). The Fair Market Value (the “FMV”) of the shares was computed as Rs. 479 under the DFCF method, based on projections of the company’s future cash flows.

The Assessing Officer (the “AO”) rejected the valuation report on the ground that the values had merely been certified by the taxpayer’s management. The AO instead computed the FMV under the NAV method and concluded that it should be INR 84.20 per share. Accordingly, the AO passed an order adding INR 19.74 crore to the taxpayer’s income under section 56(2)(viib) of the Income Tax Act, 1961.

The ITAT held that the AO had not rejected the choice of valuation method but the valuation in its entirety, on the ground that it was unsubstantiated and no evidence had been given for the basis of the estimates in the valuation. The ITAT also noted that the actual figures bore no relation to the projections made. The company’s arguments were therefore rejected, drawing on the ruling in Agro Portfolio Pvt. Ltd. vs. ITO, under which the AO, after rejecting the company’s original valuation, may carry out an independent valuation and adopt the NAV method for this purpose.

Case 2: In Innoviti Payment Solutions Pvt. Ltd. vs. ITO, the company had issued 10,42,658 shares with a face value of INR 10 per share at a premium of INR 23.50 per share. The FMV was determined by a Chartered Accountant under the DFCF method.

The AO rejected the valuation, observing that the accountant had simply taken the cash flows as certified by the management and that the projections had not been verified by the valuer. The AO added that the company had failed to provide any basis for the projections and that the management had clearly ignored factors such as performance, growth prospects, earnings capacity, etc. The Bangalore Bench of the ITAT ruled that the projections in a valuation report must be supported with reasonable certainty, failing which the valuation report is to be treated as unworkable.

A similar conclusion was reached in 2M Power Health Management Services Pvt. Ltd. vs. ITO.

Case 3: Contrary to Cases 1 and 2 above, the Bombay High Court in Vodafone M-Pesa Ltd. vs. PCIT ruled that the AO does not have the authority to reject the method of valuation adopted by the taxpayer. It reasoned that the AO has the power to scrutinise the valuation report and point out any arithmetical error in it, but not to compel the taxpayer to choose an entirely different valuation method.

The Income Tax Rules, 1962 give the taxpayer the option to choose either the DFCF or the NAV method of valuation. The AO therefore cannot adopt a method of his own choice, especially when Rule 11UA gives the option to the taxpayer; doing so would render clause (b) of Rule 11UA(2) purposeless.

The Jaipur Bench of the ITAT reached similar conclusions in Rameshwaram Strong Glass Pvt. Ltd. vs. ITO and ACIT vs. Safe Decore Pvt. Ltd.

Concluding thoughts

Based on these rulings, it can be concluded that the tax authorities do not have the power to direct a taxpayer to adopt any particular method of valuation. The taxpayer has the right to choose either the DFCF method or the NAV method, as provided in the Income Tax Rules, 1962. However, the taxpayer must be able to provide reasonable information to substantiate the projections certified by the management. Since the valuation report will be subject to scrutiny, the valuer should verify the parameters used in preparing it and be in a position to justify them.

Authors: Alivia Das and Shivani Handa

Cyber-Security: The Vulnerability of Medical Institutions to Cyber-Attacks

McAfee researchers were able to modify vital-sign data in real time, feeding false information to medical personnel by switching a patient’s heartbeat record from 80 beats a second to zero within five seconds. You may also have woken up to news that the MedStar patient records database was hit by a ransomware attack and that the hospital was asked to pay in bitcoins. Unfortunately, the hospital had no backup of its medical records and in some cases had to turn patients away. Such incidents, unfortunately, are not isolated.

Various technologies are converging, and machine-to-machine communication is increasing rapidly. It is predicted that by 2025 most hospitals will be able to network-connect more than 90% of their devices.

However, many hospitals have yet to make their data security systems robust. Data privacy and data security are two important pillars that need urgent attention. Just as cybercriminals prize financial data, health data is becoming a gold mine for them, especially where hospitals run on legacy systems or have no dedicated framework for, or monitoring of, their own data.

Personally identifiable data is information that identifies an individual, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[i]

Many cyber-attacks on medical institutions are launched to extract electronic health records (EHRs). EHRs may contain patients’ personal health information, medical history, diagnosis codes, billing information, etc., which cyber offenders can exploit in various ways, for instance to extract a ransom from the medical institution or to create fake IDs with which to buy medical equipment or prescription-only medication that can then be resold.

Take this example. On 12 May 2017, a global ransomware attack known as WannaCry affected more than 200,000 computers in at least 100 countries. The attack also hit 80 of the 236 NHS trusts (medical institutions under the National Health Service (“NHS”)), and a further 603 primary care and other NHS organisations, including 595 general practitioners, were infected with the ransomware. The affected trusts faced problems such as patient appointments being cancelled, computers being locked, and patients being diverted from accident and emergency departments.

As reported in the investigation report on the WannaCry attack on the NHS published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with WannaCry had unpatched or unsupported Windows operating systems. NHS Digital (the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of it spreading via NHSmail (the NHS email system).

In India, as reported by multiple news agencies, in June last year the Mahatma Gandhi Memorial Hospital, Mumbai (a trust-run hospital; “MGM Hospital”) suffered a similar cyber-attack: the hospital administrators found their systems locked and saw an encrypted message from the attackers demanding a ransom in bitcoins to unlock them. It was reported that MGM Hospital lost 15 days’ worth of billing and patient history data, though the hospital did not suffer any financial loss.

Once cyber offenders have access to the EHRs, they hold the medical institution’s systems hostage for ransom by encrypting them and rendering them completely inaccessible and unusable. Vulnerability to such attacks arises for many reasons, such as outdated digital infrastructure or medical personnel who are unaware of, or untrained in, cyber-attacks. Cyber offenders may gain access to a medical institution’s systems in various ways, sometimes as simple as (a) using a USB drive, (b) exploiting vulnerable or end-of-life software, (c) stealing medical personnel’s mobile devices, (d) hacking email accounts, or (e) phishing. It is time that our healthcare providers upgraded their technologies, networks and understanding of this subject.

Regulatory bodies across the world have suggested or adopted guidelines and standards to ensure the cybersecurity processes and controls that help medical institutions mitigate cyber risks and vulnerabilities. For the purposes of this article, we focus primarily on the safeguards and standards put in place by the European Union and India to deal with such cyber-attacks.

Position in Europe

As part of the EU cybersecurity strategy, the European Union adopted the Network and Information Security Directive (“NIS Directive”) on 6 July 2016, and it came into force in August 2016. As the NIS Directive is an EU directive, every member state had to adopt national legislation transposing it by 9 May 2018 and to identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts: (i) national capabilities, (ii) cross-border collaboration and (iii) national supervision of critical sectors, including health.

  • National capabilities: The NIS Directive requires every EU member state to have certain cybersecurity capabilities; for example, every member state must have a national Computer Security Incident Response Team (“CSIRT”).
  • Cross-border collaboration: The NIS Directive encourages collaboration between EU member states through bodies such as the EU CSIRTs network, the NIS Cooperation Group and ENISA.
  • National supervision of critical sectors: Under the NIS Directive, every member state must supervise the cybersecurity of critical market sectors in its country, including the health sector.

Further, as a part of the NIS Directive, the NIS cooperation group through ENISA has developed guidelines regarding (i) identification criteria for cyber-attacks, (ii) incident notification, (iii) security requirements for Digital Signal Processors (DSPs), (iv) mapping of security requirements for operators of essential services (OES) in specific sectors including health and (v) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribing certain standards of safety and quality, three recognised EU standards organisations, namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electro-technical Standardization (CENELEC) and (c) the European Telecommunications Standards Institute (ETSI), were set up. By setting common standards across the EU, CEN, ETSI and CENELEC ensure protection of consumers, facilitate cross-border trade, ensure interoperability of goods/products, encourage innovation and technological development, support environmental protection and enable businesses to grow.[ii]

The General Data Protection Regulation (“GDPR”)[iii] specifically defines ‘data concerning health’, ‘genetic data’ and ‘biometric data’ and regards them as ‘special categories of data’. This means that parties who process special categories of data shall comply with additional, higher safeguards and process such data legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

Position in India

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step towards addressing issues relating to cyber security when it amended the Information Technology Act, 2000 in 2008, through which it established the Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cyber security incidents occurring in India and analysing information related to cyber-crimes, but among other things CERT also issues guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents[iv].

CERT-India has been entrusted with performing the following main functions: (a) collecting, analysing and disseminating information on cyber incidents, (b) forecasting and giving alerts on cyber security incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cyber security as may be prescribed[v].

CERT-India in the last five years or so has focused on making the various institutions which are highly dependent on cyber/digital networks ‘cyber resilient’. Being cyber resilient is nothing but a process of effectively anticipating the various threats and having a mechanism for dealing with cyber-attacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient[vi]:

  • Anticipate: Maintain a state of informed preparedness in order to forestall compromises of mission/business functions from adversary attacks.
  • Withstand: Continue essential mission/business functions despite the successful execution of an attack by an adversary.
  • Contain: Localise the crisis and isolate trusted systems from untrusted systems so as to continue essential business operations in the event of cyber-attacks.
  • Recover: Restore mission/business functions to the maximum extent possible after the successful execution of an attack by an adversary.
  • Evolve: Change missions/business functions and/or the supporting cyber capabilities so as to minimise adverse impacts from actual or predicted adversary attacks.

To strengthen the framework and to ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced certain Rules. The Rules require each and every body corporate, including medical institutions, that collects such sensitive personal information to have security measures as documented in its security policy/programme. Such a documented programme is considered to be a reasonable security practice, keeping in mind the nature of the business and the fact that sensitive personal information is being collected. One such international standard recommended under the Rules is IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill, the Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure the reliability, data privacy, confidentiality and security of digital health data. DISHA prescribes that the digital health data so collected would be held in trust for its owner, and that the holder of such data would be considered the custodian of the data, thereby making the holder responsible for protecting the privacy, confidentiality and security of the data.

To bring it all together:

The majority of the cyber-attacks reported worldwide are caused by reasons which are often trivial and frequently ignored, such as an outdated Windows operating system patch, lack of proper anti-virus software, phishing, lack of awareness among people about cyber security etc.

The EU, through the GDPR, has made data security an integral part of law, and India is taking strong steps to have a robust data protection and data security law. The various regulations, programmes, codes, standards etc. discussed in this article are some indicative steps that can be implemented.

Law is just one part of the solution. The real question is: who is responsible for the safety of our personal data, commercial data, data assets etc.? We secure our houses with locks, burglar alarms and video cameras because the house owner wants to protect them. Similarly, individuals, organisations, healthcare personnel, hospitals and other institutions who collect health data for multiple reasons should be aware of the various cyber-threats and have to take steps to safeguard their networks and systems from such threats.


[i] Article 4.1, General Data Protection Regulation (GDPR).

[ii] CENELEC, Marketing Standards for Europe, available at:

[iii] GDPR (2016/679) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.

[iv] Section 70B(4) of the Information Technology Act, 2000.

[v] Supra footnote 1.

[vi] CERT-In, Cyber Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism.


This article was first published at Innohealth Magazine, Volume IV Issue II

Essentials of Statements of Work

In order to avoid a multiplicity of contracts between vendors and clients, and to save time, a Master Service Agreement (MSA) is entered into between the parties with corresponding Statements of Work (SOWs) for the different services or work orders to be performed by the service provider in future transactions. The MSA establishes the terms which, once negotiated, remain fixed between the parties, for example, representations and warranties, confidentiality obligations, ownership of intellectual property, the liability of the parties, indemnity, the scenarios under which the parties can terminate the contract, dispute resolution, etc. Therefore, the MSA forms the genesis of the legal relationship between the parties and is generally negotiated once. The Statement of Work (SOW), on the other hand, is a concise document executed for a specific project. It lays down the specific services to be provided as a part of the work order, the deliverables, the commercials, etc.

Key components of an SOW are as follows:

  • Specific services have to be detailed in an SOW. An SOW should clearly spell out the specific services which need to be provided under the project. It should also state the roles and responsibilities of each party and the safeguards which should be in place if there are any inaccuracies in the deliverables or delay in the project. In addition to providing the details regarding the exact nature of the services to be provided, an SOW should also set out the key assumptions and dependencies of the project, if any. Once the assumptions of a project are identified, they help to shape the project, for example by identifying the skills required to complete it, the availability of the members working on it, its delivery times, etc. Dependencies, on the other hand, clearly spell out the factors on which the respective parties depend for the completion of the project. Dependencies can be a crucial part of the SOW, as one can assess the dependencies to fasten liability on a party in case the project is not completed successfully. The SOW should have in place a timeline for the project, i.e. the start and end dates of the specific project. The commercials involved can be mapped to the timeline in certain cases. If a specific project is time-based, it is recommended to state the number of hours or days that one should take to complete the project.
  • An SOW should outline in detail the particular items which need to be delivered, if any, i.e. the deliverables, and provisions should be in place to safeguard the interest of the client in case the deliverables are inadequate. Acceptance criteria are one way of safeguarding the interests of the client. Acceptance criteria lay down the requirements and essential conditions which must be adhered to vis-a-vis the deliverable. For instance, in an SOW for the development of software, various quality/functionality tests could be included in the acceptance criteria to ensure that the software is functional and suits the needs of the client. At times the parties may want to change the services which have been agreed to be provided through the SOW. This can be done if the SOW provides for change orders agreed by both parties.
  • An SOW should also provide the specific location where the services are required to be performed.
  • Finally, it is good practice for the SOW to set out the staffing requirements needed to complete the project, and to appoint a Project Manager from each party who would serve as the point of contact.

There are two key issues which arise from the interplay between an MSA and an SOW. First, what position should the parties take to tackle conflicts between the provisions of an MSA and an SOW, and second, should all the SOWs terminate if the parties terminate the main agreement, i.e. the MSA?

An SOW generally uses the MSA as a backdrop and then builds upon the MSA to bring the project to life. Therefore, the SOW terms are supplemental to the MSA terms, and as the MSA is the document which is vetted heavily by legal professionals and negotiated at length between the parties, the parties would usually want the MSA to prevail over an SOW.

On the other hand, there can be scenarios in which the parties would want the SOWs to prevail over the MSA. For example, if specific conditions for termination are laid down for a particular SOW in that SOW, and the same conflict with the termination clauses stated in the MSA, the parties would want the SOW’s provisions to prevail over those of the MSA. However, one should note that only the particular SOW would prevail over the MSA (in relation to such conflict) and not the other SOWs which have been entered into between the parties. Therefore, the decision on which of the agreements will prevail over the other has to be taken in accordance with the flexibility the parties need to exercise while entering into the SOW, and it depends on the level of scrutiny that an SOW would go through.

The second issue pertaining to an MSA and an SOW is the effect of termination of the MSA on the SOWs. This has to be addressed keeping in mind the intention of the parties. The parties may decide that upon termination of the MSA for any reason, all SOWs then in effect and all rights granted pursuant to the MSA and the SOWs would continue in accordance with their terms, in which case the MSA will continue in effect with respect to such pending SOWs until their completion, even though no new SOWs can be executed after the termination of the MSA.

Author: Anuj Maharana

Post-Merger Corporate Governance

Corporate governance is an important aspect of the success and growth of any organisation. A well-structured corporate governance regime becomes even more important after a merger (strategic or otherwise). It can be especially beneficial for the smooth transition and functioning of the business of the merged entity, particularly during the early stages after the merger. At the same time, a weak corporate governance structure may be detrimental to the success of the merged entity.

In a merger, the merging entities commonly come together to work and operate as a single merged entity. This would mean the integration of different cultures, mindsets, viewpoints, work ethics, principles, etc. Therefore, post-merger corporate governance becomes important so that all discussions between the key stakeholders of the merged entity are seamlessly documented, leaving no scope for potential conflict in the future. This would also help the key stakeholders to run the business of the merged entity without having to worry about internal conflicts, mismanagement, etc. Also, depending on the end goal or objectives of the merging entities, there has to be a clear understanding of the type of merger to be undertaken. Refer to our previous post on M & A: Different structures and a comparative to know more about the different structures of M&A.

What is Corporate Governance?

Before moving on to the different aspects of corporate governance to be considered after a merger, let us try to understand the meaning of the term ‘corporate governance’. With respect to early-stage unlisted entities, corporate governance generally refers to the internal rules and policies of the organisation, the relationship between the shareholders, the roles and responsibilities of the directors and top management, and the decision-making structure, including financial and operational decision making. In a nutshell, it includes all aspects which govern the organisation and on the basis of which business is conducted and the organisation is run, with respect to both internal and external stakeholders.

Significance of Post-Merger Corporate Governance

A merger of entities, more often than not, would mean the integration of different cultures, mindsets, viewpoints, work ethics, principles, etc. Even though the end goal would be the same, that is, the success and growth of the merged entity, perspectives on the means to achieve that goal may differ from person to person. However, since the merging entities would no longer be separate entities, it is important that the means to achieve the end goal are also aligned. Thus, while corporate governance is very important for every organisation, it gains even more significance after a merger.

There has to be a clear understanding of the structure of corporate governance post-merger, which could primarily take the form of recorded discussions and step plans to achieve the objectives of the merger. For example, if the main objective of a merger is market expansion of the business, it would be good to have a clear step plan detailing the potential markets, the key people to target them, timelines and other operational parameters which could eventually determine the achievement of results as agreed amongst the key stakeholders. If a merger involves employee movement, a clear plan for transitioning employees, in terms of location, identification, compensation plan, positive interactions across teams and often (in new-age companies) regular counselling on the challenges faced, may prove to be tremendously beneficial in the long run.

Also, after the merger, it is always better to have each and every discussion documented. Such discussions (including informal discussions) should also be conducted at the board level, which would help to ensure that the important stakeholders are part of them. The objective is not to increase bureaucracy but to ensure that operations are seamless. This might not seem important, especially during the initial stages after a merger. However, the importance of documenting every discussion comes into play when, at some point, a difference of opinion arises. If every decision or discussion in relation to the business and operations is documented and is taken with the knowledge of all the key stakeholders, it would to a large extent help in solving the issue at hand much more efficiently and quickly, and avoid tense and awkward situations at that point in time.

A merger would, in most circumstances, result in a change in the board composition and management. The board of the merged entity will play an important role in effective management and a quick transition. The composition of the board (and of the committees of the board) is usually determined prior to the closing of the transaction and is documented in the transaction documents. It will have to be properly thought through and well planned. Every member of the board/committee needs to understand their respective role. It is important to ensure that there is equal representation for all the key stakeholders. The members of the board/committees have to be diverse and experienced, and should have a clear understanding of the goals of the merger. Also, it is important to conduct review meetings to ensure that the goals or targets are being met and, if not, to analyse the reasons and improve on them. The board/committee meetings may be conducted on a regular basis.

It may be a good option to appoint an independent director to the board. This will help in situations where there is a difference of opinion between the various members of the board, since the independent director will be a neutral party and would be able to give unbiased opinions. Independent directors bring objectivity and an independent opinion to the decisions made by the directors. They can also help in bringing more transparency to the proceedings of the board and ensure that the interests of the shareholders are given due regard. However, an independent director can play a major role in ensuring good corporate governance only as long as he/she functions independently. His/her decisions should not be influenced by the other board members. Refer to our previous post on Independent Directors to know more about independent directors and their independence.


Even though there is no specific statute or law governing corporate governance as a whole in the case of unlisted companies, there are various provisions under the Companies Act, 2013, SEBI guidelines, etc. which indirectly strive to establish a good corporate governance system, such as provisions for the appointment of independent directors and their roles and duties, the appointment of audit committees, the role of directors, etc.

To achieve the goals and objectives of the merged organisation and for a smooth transition, a well-structured corporate governance regime is vital.


Author: Paul Albert, Associate at NovoJuris Legal