Liability in No Man’s Land: Is the Resolution Professional the Data Fiduciary during CIRP?

I. Introduction

The initiation of the Corporate Insolvency Resolution Process (“CIRP”) under the Insolvency and Bankruptcy Code, 2016 (“IBC/the Code”) results in a shift in control from the existing management of the Corporate Debtor (“CD”) to the Resolution Professional (“RP”). This shift includes control over all assets of the CD, including personal data. Given the growing recognition of personal data as a valuable intangible asset, its treatment during insolvency proceedings is of significant importance. Further, the continued operation of the CD as a going concern during the CIRP also entails the processing and management of such personal data. At the same time, the Digital Personal Data Protection Act, 2023 (“DPDPA/the Act”) imposes obligations based on who determines the purpose and means of processing such data, creating uncertainty when control and decision-making may not fully align. Against this backdrop, a legal curiosity arises: the characterisation of the RP appointed to conduct the CIRP under the IBC. Specifically, under the DPDPA, does the RP function as a data fiduciary, or does such responsibility continue to rest elsewhere? Thus, in this article, the authors first explore the nature and extent of control exercised by the RP under the IBC and, second, evaluate whether such control satisfies the threshold of determining the purpose and means of processing under the DPDPA, drawing on comparative jurisprudence.

II. Position under IBC 2016 and DPDPA 2023

As per Section 23 of the IBC, an RP is responsible for managing the operations of the Corporate Debtor (“CD”) and conducting the entire CIRP efficiently. Complementing this, Section 25 lays down the specific duties of the RP, which include preserving and protecting the assets of the CD, and taking immediate custody and control of all its assets, including intangible assets such as personal data, which have emerged as a critical asset for businesses. The question of the liability and legal status of the persons who assume control over such assets (in this case, personal data) becomes especially relevant with the enactment of the DPDPA. The Act establishes the roles of a data processor and data fiduciary, each of which has certain responsibilities with regard to personal data. Section 2(i) of the Act defines a data fiduciary as any person who determines the purpose and means of processing personal data, whereas Section 2(k) states that a data processor is one who processes such data on behalf of a fiduciary. Both categories are subject to differing responsibilities under the DPDPA. Before analysing where an RP might fall within this framework, it is useful to examine how other insolvency practitioners are characterised in other jurisdictions with parallel data protection laws, specifically, whether they are treated as data controllers (akin to fiduciaries) or data processors.

III. Global Position

One of the most prominent judgments dealing with the role of the RP in the privacy-insolvency framework is Re Southern Pacific Personal Loans Limited of the United Kingdom (“UK”). In this case, it was clarified that insolvency practitioners do not automatically assume the role of data controllers by virtue of their office. Insolvency practitioners are treated as agents of the company for pre-liquidation data, and the Court rejected the notion that they become independent data controllers for any data already being processed by the company prior to its liquidation. The Court held that the company undergoing insolvency (or even liquidation) will retain its position of a data controller. However, insolvency practitioners may be data controllers in their personal capacity for data they process independently while performing their statutory functions, such as adjudication of claims. This position was further reaffirmed and clarified in Green v. Group Ltd & Ors. Here, the Court held that insolvency practitioners are not deemed independent controllers for pre-existing data, though they may assume controller status only in respect of data processed independently while carrying out their statutory duties. Similarly, in Ireland, in practice, whether an insolvency practitioner assumes the role of a data controller or a data processor is dependent on whether they are a person who determines the purpose and means of processing of the personal data.

In the Netherlands, the Dutch Data Protection Authority has iterated that receivers/trustees (i.e., insolvency professionals) are data controllers of the bankrupt company from the date of bankruptcy. Therefore, court-appointed trustees are required to manage personal data responsibly while ensuring compliance with the General Data Protection Regulation (“GDPR”). On the other hand, in the Cayman Islands, insolvency practitioners are required to carefully consider whether, upon appointment, they fall within the category of data controllers or data processors. However, it is important to note that under their respective data protection law, service providers performing outsourced administrative or support functions are generally characterised as data processors, whereas those providing regulated professional services, such as insolvency practitioners, are more likely to be treated as data controllers.

IV. Indian Position

In the Indian context, the RP is empowered to act independently under Sections 23 and 25 of the IBC, which vest in the RP the control and management of the CD’s operations during the CIRP. The Ministry of Corporate Affairs issued a circular dated February 17, 2020, wherein it clarified that the RP/liquidator will be able to make filings on behalf of the CD, and for the purpose of those filings, the RP would be treated as the Chief Executive Officer of the CD. Therefore, it can be inferred that the RP steps into the shoes of the management of the CD for all legal purposes. However, it is pertinent to note that the Supreme Court (“SC”), in the landmark case of Swiss Ribbons Pvt. Ltd. and Anr. v. Union of India and Ors., held that the RP acts as a mere facilitator of the CIRP. Similarly, in the case of Arcelor Mittal India Pvt. Ltd. v. Satish Kumar Gupta and Ors., the SC held that the duty of the RP is only to examine and confirm that the resolution plan submitted by the resolution applicant is aligned with the requirements given under Section 30(2) of the Code. These judicial pronouncements clarify that the RP does not perform any adjudicatory role in the CIRP, and instead discharges administrative and procedural functions, which remain subject to the oversight of the Adjudicating Authority (“AA”) and the Committee of Creditors (“CoC”).

In the data protection context, the RP cannot automatically be treated as a data fiduciary merely because the management of the CD is vested in them during the CIRP. Sections 18, 20, and 25 of the Code lay down the duties and functions of the RP and may appear to suggest that the RP is responsible for the day-to-day operations of the CD. However, the RP is primarily required to preserve the CD as a going concern and may appoint agencies or professionals to carry out managerial functions on behalf of the CD. The underlying objective of the insolvency framework is to place the CD under the effective control of creditors, with the RP acting as a supervisory and coordinating authority rather than as an independent decision-maker. Accordingly, the control exercised by the RP is limited and representative in nature rather than personal or substantive. Under the DPDPA, a data fiduciary is the entity that determines the purposes and means of processing personal data. During the CIRP, the purposes for which personal data is processed continue to arise from the CD’s existing business operations, while the RP merely manages these operations to ensure business continuity and value maximisation. Therefore, treating the RP as a data fiduciary would incorrectly equate temporary managerial oversight with actual authority over decisions concerning the processing of data, a conclusion inconsistent with the schemes of both the IBC and the DPDPA.

At the same time, it is important to account for situations where the RP undertakes the processing of new personal data during the CIRP, such as in the verification of creditor claims or disclosures made to the CoC. In such instances, the RP may be seen as independently determining the purpose and means of processing, albeit within the confines of their statutory duties. However, this limited and functional role does not alter the broader position that the RP does not assume the status of a data fiduciary for all the data of the CD. Rather, the RP’s responsibility in such cases may be understood as being confined to specific instances of processing, without displacing the CD’s primary position as the data fiduciary under the DPDPA.

The reasoning stands in line with the international decisions, such as Re Southern Pacific Personal Loans Limited and Green v. Group Ltd (as discussed above), where insolvency practitioners were held not to be data controllers of pre-existing personal data unless they independently determined the purposes and means of processing. Since the Indian insolvency framework does not permit the RP to act as an independent decision-maker, but instead places the RP under the supervision of the AA and the CoC, the RP cannot, as per these decisions, be regarded as a data fiduciary under the DPDPA.

Even assuming that the RP were to determine the purposes and means of processing personal data during the CIRP, such a situation is not envisaged under the present Indian legal framework. Unlike jurisdictions operating under the GDPR, the DPDPA does not explicitly recognise the concept of joint data controllers or joint data fiduciaries. Consequently, the CD cannot be absolved of its obligations under the DPDPA merely because management has temporarily vested in the RP. The CD, as the entity in whose name the data was originally collected and for whose business purposes it continues to be processed, would remain the data fiduciary and continue to bear primary liability in compliance with the Act.

V. Conclusion

In conclusion, in the Indian insolvency framework, the RP does not act as an independent decision-maker and therefore cannot be treated as a data fiduciary under the DPDPA. Even during the CIRP, the CD continues to determine the purposes and means of processing personal data and remains responsible for compliance with data protection obligations under the Act. However, the absence of explicit regulatory guidance creates uncertainty in practice. Clear guidance from the Insolvency and Bankruptcy Board of India is therefore necessary. Such guidance should, at a minimum, clarify the allocation of data protection responsibilities between the RP and the CD, delineate the extent of the RP’s obligations while handling personal data, and provide a compliance handbook for ensuring adherence to the DPDPA during the resolution process, so that the privacy of individuals is not compromised. Such clarification would ensure that the treatment of personal data during insolvency is clearly regulated and does not fall into a legal no-man’s-land.

About the Author

Nandinii Tandon and Mehul Sharma are law students at the Rajiv Gandhi National University of Law, Punjab.

Editors

Aahini Gandhi, Senior Editor

Nupur Trivedi, Assistant Editor