The Data Paradox in Distress: Reconciling IBC's Asset Maximisation with India's New Privacy Regime

Introduction

The digitisation of insolvency processes in India has accelerated transparency and efficiency in corporate rescue and liquidation, but it has also exposed a serious blind spot: the protection of personal data handled during insolvency. Resolution professionals (RPs), insolvency practitioners and committees of creditors routinely aggregate, process and market vast volumes of sensitive personal and financial data — employee records, customer databases, creditor information and transactional logs — as part of the corporate debtor’s “assets” or as materials necessary for due diligence. This activity now sits awkwardly alongside India’s new statutory framework for personal data: the Digital Personal Data Protection Act, 2023 (DPDP Act). The collision of IBC practice and the DPDP Act raises concrete questions about lawful grounds for processing, duties of care, confidentiality obligations, limits to data monetisation during resolution, breach reporting, and remedies for affected data principals. This blog explains the problem, analyses the legal and practical fault-lines, assesses competing interests and jurisprudence, and suggests practical steps and regulatory fixes to better align insolvency practice with privacy law.

The problem in practice: how insolvency processes generate and expose personal data

When a corporate debtor enters the Corporate Insolvency Resolution Process (CIRP), the RP takes custody of the company’s books and records, and must preserve, manage and monetise the debtor’s assets in order to maximise value for creditors. The IBC expressly tasks the RP with conducting the CIRP, managing operations and protecting assets, which necessarily includes business records and databases. In practice, RPs create virtual data rooms for resolution applicants and share wide-ranging operational information with bidders to enable meaningful due diligence. That information often contains personal data collected originally for a narrower commercial purpose: passenger manifests and booking records in airlines, customer lists and transaction histories in retail, employee files and payroll data, and creditor contact details. Aviation insolvency in India provides a prominent empirical example: Jet Airways’ CIRP involved the transfer and evaluation of passenger and employee databases as part of the asset sale and due diligence processes. 

This wholesale sharing and — at times — sale of databases raises four interlocking problems. First, the legal basis for such processing under the DPDP Act is frequently unclear: much of the data was collected under a contract with a private purpose and may not have been lawfully licensed for transfer or re-purposing to prospective buyers. Second, RPs and bidders may lack the technical and contractual safeguards (pseudonymisation, strict access controls, processor agreements) required under the DPDP Act and guidance from the Insolvency and Bankruptcy Board of India (IBBI). Third, the commercial pressure to maximise returns incentivises packaging personal data as an ‘intangible asset’ without adequate regard to data principals’ rights. Fourth, the confidentiality-transparency tension—between the RP’s duty to preserve confidentiality of commercially sensitive information and statutory or judicial requirements for open process—creates procedural friction and judicial disputes about sealed filings and redactions. 

Legal framework and tensions: IBC, IBBI regulations and the DPDP Act

The IBC vests RPs with wide managerial control and a duty to preserve assets and run the CIRP in a time-bound manner. Sections and IBBI regulations reiterate the RP’s obligation to take custody of the corporate debtor’s records and maintain confidentiality of information relating to the CIRP, liquidation or bankruptcy process. The DPDP Act, by contrast, creates a statutory regime governing digital personal data: it defines duties for data fiduciaries and processors, prescribes purpose limitation, storage limitation and reasonable security safeguards, and establishes rights for data principals (access, correction, grievance redressal). The Act is, however, not absolute: it contains specified exemptions and carve-outs for processing required for prevention or investigation of offences and for enforcement of legal rights and claims; the central government may further notify exemptions.

The tension is therefore structural. On one hand, the RP must share records with potential resolution applicants to enable value-maximising bids; on the other, the DPDP Act demands that personal data be processed only for specified lawful purposes and with appropriate safeguards. Two legal features are especially consequential. First, the DPDP Act does not leave data protection entirely dependent on consent: it recognises other lawful bases for processing (including compliance with a law or for performance of a contract), but those bases must be demonstrable and proportionate. Second, the IBBI’s professional code emphasises confidentiality but does not granularly prescribe data-protection mechanisms (for example, it does not set binding standards for anonymisation, data room access logs or breach notification timelines compatible with the DPDP Act).  

This regulatory asymmetry

produces legal uncertainty for RPs and prospective bidders: is simple “sealed” or “redacted” filing enough? If data is disclosed to bidders outside India, what cross-border transfer rules apply under DPDP? If a data breach occurs during CIRP, who bears liability — the RP as a fiduciary custodian, the corporate debtor (pre-insolvency controller), or the buyer?

Judicial and regulatory signals: transparency versus privacy

Indian adjudication under the IBC has already confronted the confidentiality-transparency debate. Tribunals have at times permitted RPs to file documents under seal to protect commercially sensitive information, generating appeals that question the propriety of excluding stakeholders from information. These decisions highlight a judicial instinct to protect commercial bargaining positions in CIRP (to preserve value) while insisting on the IBC’s transparency goals. In parallel, the emergence of the DPDP Act raises the prospect that courts and tribunals will be asked to adjudicate privacy claims in the insolvency context: data principals whose information is disclosed or sold may seek remedies under the DPDP Act or under general tort/privacy doctrines. Recent academic and practitioner commentary has begun to map this terrain and advocate regulatory guidance from the IBBI and the Ministry of Electronics & IT to reduce uncertainty around permissible processing during insolvency.

One salient consequence is that market participants may face competing compliance duties. Under DPDP, a data fiduciary must implement reasonable security safeguards and, in certain circumstances, report breaches and maintain records of processing. Under the IBC, an RP must disclose information to bidders in a way that enables informed bidding but is also answerable to the adjudicating authority for procedural propriety. Without harmonised sectoral guidance, RPs may over-share (risking DPDP breaches) or under-share (reducing the pool of meaningful bids and possibly running afoul of the RP’s duty to maximise value).

Practical compliance architecture: how insolvency practice should adapt

Practical, legally defensible practices can and should be embedded into CIRP workflows to reconcile value-realisation with data protection. First, RPs should treat datasets as contingent assets whose transferability depends on lawful processing grounds and contractual limitations arising from prior collection. Before opening a data room, an RP should conduct a rapid data-mapping exercise (or procure a short Data Protection Impact Assessment) to identify categories of personal data, contractual constraints (terms of service, consent scopes), and statutory exemptions that might justify processing during CIRP. This step creates a record that the RP acted with due diligence under both IBC and DPDP obligations. Second, information sharing must be tiered and purpose-limited: anonymised or pseudonymised datasets should be the default for initial due diligence; identifiable data should be released only under strict non-disclosure agreements, processor/fiduciary contracts that allocate liability, and technical controls such as time-limited access, watermarking and audited access logs. Third, resolution plans and asset-sale documents should include express data clauses that bind buyers to DPDP-compliant processing post-acquisition and require buyers to obtain any necessary consents or establish legal grounds for continued processing. Fourth, RPs and insolvency professionals should build minimum-security checklists (encryption at rest and transit, least-privilege user management, breach response plans) and document compliance steps so that, if challenged, the RP can demonstrate proportional safeguards. These practical steps mirror what data protection practice requires in other M&A contexts and are readily adoptable in CIRP. Practitioner guides and recent legal commentaries already urge similar measures. 

Policy recommendations and litigation-ready reforms

Beyond practice changes, there is a compelling case for targeted regulatory and legislative clarity. The IBBI should issue specific guidance or amendment to its professional code that: (a) clarifies the RP’s responsibilities as a de facto data custodian during CIRP; (b) prescribes minimum technical and contractual safeguards for virtual data rooms; (c) lays out a protocol for sealed filings and redactions that harmonises with DPDP duties; and (d) sets standards for breach notification timelines in insolvency contexts, including who bears reporting responsibility where data created pre-insolvency is exposed during CIRP. Such guidance would reduce litigation and market friction. The DPDP Act itself, by providing exemptions for processing for enforcement of legal rights, contemplates lawful processing in legal proceedings; however, the law’s exemptions are not a carte blanche and require careful interpretation to avoid undermining data principals’ rights. Courts should interpret exemptions narrowly, ensuring they are used only when genuinely necessary for legal enforcement or statutory duties. 

There is also room for legislative fine-tuning. Parliament or the IBBI could incorporate a limited statutory provision that treats an RP as a “temporary data fiduciary” for the period of CIRP, subject to explicit duties and safe-harbour protections where the RP has followed prescribed protocols. A statutory safe harbour would protect RPs who adopt mandated safeguards from strict liability for historic data collection faults that pre-dated the RP’s appointment, while preserving redress for data principals where gross negligence or deliberate misuse occurs.

Conclusion

The digitalisation of insolvency is an unequivocal public good: it improves discoverability, accelerates resolution and widens pools of bidders for distressed assets. But it also converts repositories of personal data into commercial leverage unless governance safeguards are put in place. India’s DPDP Act, 2023 has supplied an essential baseline of rights and duties that must now be woven into insolvency practice. RPs, adjudicating bodies and regulators must acknowledge that data is not a frictionless “intangible” to be packaged and sold without constraint. Short-term, practicable steps rapid data mapping, tiered disclosure, contractual warranties, and technical safeguards will mitigate risks. Medium-term reforms IBBI guidance and a statutory calibration recognising the RP’s temporary custodial role — will provide certainty and protect both value and privacy. If insolvency practice fails to adapt, the likely result is a series of privacy-driven disputes that will diminish recoveries, chill bids for sensitive businesses, and frustrate the IBC’s objective of achieving maximum value. The law and market practice must therefore move together: efficient insolvency that is also data-responsible.