Digital Assets in Distress: Reconciling India’s IBC with the DPDP Act

Introduction

In India’s race towards a digital economy, even insolvency and bankruptcy have gone online, but privacy seems to have been left behind. The Insolvency and Bankruptcy Code (‘IBC’), designed to maximise value in distress, has embraced digitalisation across filings and resolution. Beyond tangible assets, insolvency today increasingly involves a valuable new class: personal and financial data.

However, the proliferation of digital data has heightened global concerns over privacy and security, with India, ranking fifth in global data breaches in 2023, facing pressure to strengthen its legal framework. The Digital Data Protection Act, 2023 (‘DPDP Act’) mandates that data processing be done lawfully, with explicit consent and strict minimisation standards, all of which directly impact CIRP.

But the IBC remains silent mainly on personal data. Creditors’ lists are published with identifying details, and virtual data rooms containing sensitive and personally identifiable information are shared with multiple bidders without anonymisation. This blog focuses on the compliance gap as the IBC facilitates asset monetisation, often treating customer databases as saleable assets while comparing the global trends. The authors argue that without regulatory alignment, resolution professionals operate in a confusing grey zone, risking privacy breaches in the process of insolvency resolution.

Mapping the Legal Framework

The IBC does not define assets, adopting a functional approach that includes all tangible and intangible assets of a corporate debtor. Section 18(f) of the Act empowers the resolution professional to identify and take control of these assets, but the lack of standardised valuation methods poses challenges. While the IBC establishes Information Utilities (‘IUs') under Sections 209–216 to maintain authenticated debt records, it contains no explicit personal data protection provisions. “Data protection principles” are assumed but undefined, with no standards for encryption, retention limits, or breach notifications. The confidentiality obligations under Sections 214(2) and 215(2) are couched in broad terms without detailing how sensitive financial information should be secured, processed, or accessed. The IBC Amendment Bill, 2025, while expanding the IU authority and mandating procedural compliance, still fails to introduce substantive data safeguards. Due to this, a regulatory vacuum for privacy governance within the insolvency infrastructure has started to form.

In contrast, Section 2(h) of the DPDP Act defines a personal data breach as the unauthorised use or disclosure of personal data, whether deliberate or accidental, that compromises its confidentiality, integrity, or availability. “Unauthorised” may be interpreted as use without consent or for illegitimate purposes prohibited under Section 4. Moreover, Section 6 requires that consent be free, informed, specific, and given through an explicit affirmative action. Section 5 further restricts the usage of the data fiduciaries without consent, which includes a detailed notice to be sent to the data principal.

These unreconciled provisions create a compliance paradox with IBC’s absence of explicit privacy safeguards, and the DPDPA’s stringent consent-driven processing requirements operate in isolation and with a lack of any proper legislation. In many CIRP scenarios, datasets such as customer lists, transaction histories, and employee records are treated as intangible assets capable of enhancing the commercial value of a resolution plan. While this aligns with the IBC’s asset-maximisation objective, it conflicts with the DPDPA’s requirement that personal data transfers be backed by valid consent or a lawful exemption. The IBBI’s own discussion paper acknowledges that insolvency professionals increasingly manage sensitive data sets without a privacy framework. At the same time, a 2023 NASSCOM-NSCI report flags over 60% of corporate involvements involving unstructured customer data transfer without consent mechanisms.

Data as an Asset- Economic Value vs. Privacy Rights

In the landmark Jet Airways case, the resolution professional aggressively marketed the personal data of over 18 million JetPrivilege loyalty program members including travel preferences, payment histories, and personal identifiers as a critical financial asset to prospective bidders, aiming to maximize creditor recoveries under the IBC by treating this information as a monetizable commodity rather than restricting its use to the original purpose of flight services. This strategy, while enhancing asset value during the Corporate Insolvency Resolution Process (‘CIRP’), severely compromised privacy rights and risk of potential misuse of exposing personal information. Similarly, in the case of DHFL insolvency, millions of borrowers’ loan and transaction details were treated as part of the company’s assets and sold to Piramal Group, but this happened without considering anonymisation or borrower consent, showing how economic recovery was prioritised over data rights.

In contrast, the insolvency of GoAir calls for a more cautious approach. Bidders were given access to passengers' data only under strict confidentiality undertakings and subject to regulator oversight. While this reflects an awareness of privacy concerns, it is still operating within the legal grey zone. This means that there still exists a lack of any explicit statutory duty. This example highlights that India’s challenge is not simply ignorance of privacy risks but the absence of codified obligations that clearly govern how personal data should be treated during CIRP. A potential solution lay in a proportionality test like that under IBC Section 238. This would require RPs to show that any data processing is necessary and has to align with DPDP Section 7 on legitimate use. This approach would clarify grey zones, reduce NCLT appeals and ensure respect for privacy.

Comparative Insights: EU and US Approaches

In the EU, insolvency is governed by GDPR compliant court procedures where control of a company’s assets passes from directors to a court-appointed insolvency practitioner or trustee. This includes managing intangible assets like customer databases. GDPR mandates that consent must be freely given, specific, informed, and withdrawable at any time. Fresh consent is required for any data transfer or sale in insolvency, as original consent is often tied to limited, specific purposes.

In the U.S., the Bankruptcy Code (Title 11) allows asset sales under Section 363, including personal data, but privacy safeguards come from FTC enforcement and the Consumer Privacy Ombudsman (‘CPO’) role, introduced by the 2005 BAPCPA. The FTC uses Section 5 of the FTC Act to prevent deceptive practices, as seen in FTC v. Toysmart.com (2000), often imposing conditions such as selling data only with other assets, limiting buyers to similar businesses, and requiring opt-in consent for new uses. The CPO investigates potential impacts of sales breaching privacy policies and recommends mitigations.

While the EU offers a consent-driven model and the US relies on regulator-driven oversight, the UK, blending GDPR roots with a standard law insolvency regime offers lessons particularly relevant for India. India needs a stronger legal interface between the DPDPA and the IBC, one that does not commodify personal data without re-consent, drawing on UK and EU models to balance creditor recovery with privacy rights.

Liability Framework for Stakeholders

While the IBC envisages the RP as the custodian of the corporate debtor’s assets, the DPDP Act treats personal data not merely as a tradable good but as an extension of individual autonomy. This creates a liability or a grey zone in insolvency, which risks leaving all stakeholders exposed in the event of a data breach. In South Pacific Personal loans, the UK HC clarified that insolvency practitioners become data controllers only when independently deciding on personal data use.

RPs, who control the company records, qualify as “Data Fiduciaries” under the DPDPA. The Act imposes duties of lawful processing minimisation and security. None of these are explicitly integrated into the IBC framework. The World Bank’s Principles for Effective Insolvency Systems underscore the RP’s role as a neutral and competent administrator, which in the new digital era necessarily extends to safeguarding sensitive personal data. The Committees of Creditors (‘CoC’), which do not directly handle datasets, but do influence decisions on data monetisation and sale to resolution applicants. Previously, there have also been cautions over creditor governance, which states that collective decision-making bodies should not outsource ethical liabilities where personal rights are at stake, suggesting the possibility of joint liability if CoC directly enables privacy violations.

Resolution Applicants (‘Ras’) acquire data-rich assets, face obligations that persist beyond the CIRP. The UK’s Information Commissioner’s Office has previously intervened in involvement transactions to ensure that post-sale data use aligns with the original consent terms, a safeguard absent in India. The IBBI, as a regulator, is conspicuous by its silence on data protection norms in its CIRP regulations. Without clear safe harbour provisions for good faith compliance or explicit liability allocation, stakeholders may be vulnerable to overlapping penalties under the DPDPA and IBC.

A liability matrix at each stage reveals a troubling pattern. This carries a risk, but here accountability is not well defined. The UNICTRAL Working Group V deliberations gave a solution in the form of statutory safe harbours for RPs who follow the regulator's issues SOPs coupled with joint liability for wilful or reckless breaches. Such calibrated allocation would protect value maximisation objectives while safeguarding personal data as a non-fungible right.

Reform Roadmap

The current regulatory silence on data privacy within India’s insolvency framework is not sustainable. As digitised CIRP becomes the norm, the law must recognise that personal data is not just another “intangible asset: but a legally protected category under the DPDPA. A forward-looking reform could achieve this integration without undermining the IBC’s central mandate of value maximisation.

The IBC Regulations should explicitly define “personal data assets”. This would bring conceptual clarity and prevent the implicit commodification of employee, customer, or creditor data. RPs should be mandated to prepare a data inventory alongside the asset information memorandum. This inventory could classify datasets, flag sensitive information, and identify any existing limitations, mirroring the best practices under the UK’s Insolvency Practitioners’ Code of Ethics.

Anonymisation or pseudonymisation should be a precondition to data transfer unless the purchaser can demonstrate lawful grounds under the DPDP Act. The EU’s GDPR framework shows that anonymisation significantly reduces post-sale breach risks while preserving data utility for business continuity. CIRP timelines should build in DPDPA checks, with the RP certifying lawful data use before any sale. Breach reporting must also align with CIRP deadlines, as the current gap risks disclosures coming only after sensitive data is transferred, weakening accountability.

The IBBI should frame clear SOPs on due diligence, anonymisation, and sale agreements, in line with UNCITRAL’s call for privacy safeguards in insolvency. Drawing from GDPR and UK practices, India can build a system where insolvency efficiency and data dignity go hand in hand.

Conclusion

The Fourth Amendment to the IBBI Regulations, 2025, signals the start of a new era where insolvency law must grapple with data governance as seriously as financial restructuring. By highlighting the treatment of personal and commercially sensitive data within CIRP, the reforms are in line with broader global trends that recognise data as a strategic asset. Still, the challenges remain, such as the absence of granular definitions, the risks of overburdening resolution professions, and the tension between maximising asset value and protecting privacy rights. Comparative insights from the GDPR and UK insolvency practice reveal that robust safeguards can coexist with market efficiency. The way forward lies in institutionalising a clear liability framework, embedding safe harbour protections, and issuing IBBI-led SOPS that operationalise companies. Ultimately, the success will be measured not by regulatory intent but by how seamlessly the insolvency ecosystem integrates data into its very architecture.