This article has been written by Khushi Jain and Suryansh Pandey,2nd and 5th year students at RMLNLU, Lucknow, and DNLU, Jabalpur, respectively.

1. Introduction

Airline insolvencies in India reveals a critical fault line in the regulatory treatment of passenger data during Corporate Insolvency Resolution Process (“CIRP”). A direct conflict arises between insolvency practitioners, who regard passenger data as commercially valuable asset, and statutory privacy safeguards, which prohibit its transfer or monetization without specific, informed consent. This data is not merely an operational byproduct of aviation services, but a legally protected informational asset governed by fiduciary duties and purpose-specific limitations under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

This paper advances the core thesis that personal data is legally and normatively distinct from traditional property and cannot be treated as transferable asset in insolvency proceedings. The commercial logic of Insolvency and Bankruptcy Code (“IBC”), which views assets as a bundle of rights to be liquidated, breaks down when applied to personal data linked to individual identity.

Building on this, the blog critically examines the conflict between the IBC’s asset maximization mandate and the fiduciary, rights-based framework governing personal data under the DPDP Act. It argues that the data cannot be included in the definition of the term “asset because of two prohibitions, firstly per constitutional principles, secondly, due to the DPDP Act. The analysis provides plausible recommendations for corporate governance and privacy in India’s digital age.

2. Understanding the Nature of Data: Beyond the Asset Paradigm

Personal data refers to any information that can identify an individual, either directly or indirectly.  This may include names, contact information, biometric identifiers and even behavioural patterns. It has increasingly come to be treated as a commodity, much like traditional natural resources such as oil, coal or timber, regarded as tangible property. Anonymized data, by contrast, has been processed in such a way that individuals can no longer be identified.

Companies and platforms that collect and process such data do not acquire ownership over it; rather, they hold it in trust. This distinction is crucial, because ownership implies control and alienability, whereas trust implies responsibility and accountability. As such, it cannot be unconditionally “owned” by another party without infringing on privacy and autonomy rights.

The legal architecture in India, particularly under the DPDP Act, reinforces this conceptual shift. The Act introduces the concept of the data fiduciary, highlighting that entities collecting personal data must act in a manner that respects the rights and expectations of the “data principal”, the individual to whom the data relates.

Unlike the European Union’s GDPR framework, which provides explicit guardrails for the transfer of customer data in insolvency scenarios, the Indian regime remains silent, creating interpretative ambiguity that risks undermining both creditor recovery and individual privacy rights. The fiduciary nature of data, established by the DPDP Act, directly challenges the IBC’s asset maximization mandate, which we will now explore.

3. The Maximization Mandate and the Liquidation Estate

The objective of the 2016 Code is the “maximisation of value of assets” of corporate debtor in a time bound manner. This forms the bedrock of the whole legislative effort. The same is visible in the structural design of the Code and the whole process. For instance, the Resolution Professional, takes over the management of the debtor company for managing the company as a going concern and to maximise recovery for the CoC.

The term “asset” has not been defined in the 2016 Code. However, the operational sections such as Section 18 (Duties of interim resolution professional) and Section 25 (Duties of the Resolution Professional) use the term “asset” in an inclusive manner. The SC in Victory Iron Works Ltd. Vs. Jitendra Lohia & Anr  held that the term denotes “property of any kind”. It stated that the bundle of rights over the property constitutes an “asset” within Section 18(f) and Section 25(2)(a) of the 2016 Code. This interpretation further expands the already wide meaning of assets to now include intangible form of value within the liquidation estate.

However, explanation to Section 18 excludes the “assets owned by a third party in possession of the corporate debtor held under trust or under contractual arrangements including bailment” from the ambit of Section 18. This exclusion is however limited to this section only, as held in Victory Iron Works Ltd (Supra), since the words “for the purpose of this section” has been used. A conflicting intent of both the legislations could be inferred from the above discussion.

This analogy is instructive for personal data. Just as leased aircrafts or bailed goods cannot be subsumed into the debtor’s estate, personal data held by the corporate debtor in a fiduciary capacity ought to be excluded from the liquidation pool. The fiduciary framework under the DPDP Act positions the debtor not as an owner but as a custodian, much like a bailee or trustee. It thus does not create a statutory conflict but rather aligns with the IBC’s consistent treatment of third-party property.

4. The Constitutional Dimension: Informational Privacy as a Limit on Commercial Transferability

The Court, in K.S. Puttaswamy v. Union of India elevated the right to privacy to the status of a fundamental right under Article 21 of the Constitution. This constitutional recognition creates a substantive barrier against commercial treatment of personal data during insolvency resolution. Under the 2016 Code, assets of the corporate debtor, including customer databases, are often considered part of the resolution estate. While Section 238 of IBC provides overriding effect, it cannot eclipse constitutional guarantees. Reading it otherwise would allow economic expediency to dilute fundamental rights, a proposition firmly rejected by the Supreme Court in Puttaswamy and reaffirmed in Swiss Ribbons v. Union of India .

As substantiated in Airline insolvencies, the sale of customer databases, profiling tools, and other personal data-rich assets directly violates the Puttfaswamy principles. Moreover, informational self-determination is not merely a statutory right but a fundamental right. Therefore, commercial instruments like resolution plans or asset transfers cannot permit unrestricted access to or sale of personal data without infringing constitutional values.  

Thus, any statutory reading of the IBC that enables the transfer of personal data in contravention of constitutional privacy norms is vulnerable to challenge. Courts are likely to adopt a rights-forward interpretive approach, placing the burden on RPs and CoCs to demonstrate that data use complies not only with the IBC and DPDP Act but also with the fundamental rights of data principals.

5. Limitation by Law

Under the DPDP Act framework, the personal data can only be processed if the data principal has given her free, specific, informed, unconditional and unambiguous consent with a clear affirmative action. There are two types of limitations applicable to such activity. Firstly, purpose limitations and secondly collection limitations. These limitations apply to and affect the insolvency proceedings too.

Under Section 6(1) of the DPDP Act, purpose limitation imposed on the Data fiduciary creates a bar on the data fiduciary for the collection of data and mandates granularity in obtaining consent. The transfer of data to a new controller (the successful resolution applicant) for a new purpose (processing of data under a new brand) without obtaining the renewed consent of the Data Principal breaches this fundamental principle.

The purpose driven framework of the DPDP Act allows for retention of data for the time till the purpose is served. The term “processing” encompasses “storage” of personal data. In case the purpose changes and the data is stored beyond what is necessary, the DPDP Act renders the consent invalid. The indefinite inclusion of a customer database in a liquidation estate violates this norm.

Most importantly, the DPDP Act provides no “safe harbour” or exemption for insolvency proceeding. For Instance, under the California Consumer Privacy Act (CCPA), data subjects retain rights to opt-out of transfers even in corporate restructuring, while the UK’s Data Protection Act 2018, read with the GDPR, requires that any transfer of personal data during insolvency must be justified under the principles of purpose limitation and lawful processing. Therefore, a resolution plan would be required to obtain renewed consent from every single data principle, that too, with an affirmative action.

6. Conclusion and Suggestion

In reconciling the differences between both the acts, their legislative objective must be considered. It is therefore imperative upon the legislative to recognise personal data distinct from commercial assets and explicitly excluded from the insolvency estate. It must be solely governed by the DPDP Act. A statutory carve-out should exclude identifiable personal data from the IBC estate, permitting valuation only of anonymised data that meets strict standards of irreversible anonymisation under data protection law.

This would require coordination between the IBBI and the Data Protection Board, so that resolution professionals cannot rely on superficial anonymisation but must demonstrate compliance through independent audits or certification. In such a framework, only datasets that have been demonstrably stripped of all identifier  and therefore fall outside the DPDP Act’s definition of “personal data” could be transferred for valuation. This preserves the IBC’s commercial objectives without compromising the consent-based fiduciary regime of the DPDP Act.

Moreover, a duty through explicit regulation or code of conduct could be imposed on RPs to comply with the stipulations of DPDP Act. While the law may permit valuation of anonymized or aggregated data as part of the debtor’s business value to ensure that the insolvency framework remains commercially workable, identifiable data should only be processed within the contours of DPDP Act. Therefore, for the sake of continuity of business operations, where the transfer of personal identifiable data becomes necessary, renewed, affirmative consent must be taken before continuing processing under the new corporate structure.

Finally, an inter-regulatory coordination mechanism between the IBBI and the Data Protection Board should be institutionalized building on permissible treatment of data during CIRP and liquidation. This mechanism could build upon the existing framework of the DPDP Act, which requires significant data fiduciaries to appoint a Data Protection Officer. In practice, resolution professionals could be mandated to consult the Data Protection Officer of the corporate debtor at every stage of data-related decision-making. Such a requirement would ensure that fiduciary duties under the DPDP Act are not sidelined during insolvency proceedings, while also providing the IBBI with a compliance checkpoint to prevent conflicts between the two statutes.

To maintain legal and constitutional integrity, personal data must be treated as existing outside the corporate insolvency estate, governed exclusively by the consent-driven, rights-based framework of the DPDP Act. It is only through this clear demarcation that India’s insolvency framework can achieve genuine legitimacy in the digital age.