Data, Debt, and Due Process: Comparative Perspectives on Treatment of Digital Assets in Insolvency

[Nidhi is a student at Institute of Law, Nirma University.]

Apart from fiscal concerns, India's airline insolvency regime still exhibits a notable gap in the treatment of passenger data privacy, particularly in light of the Digital Personal Data Protection Act 2023 (DPDP Act). The law, while a milestone in the acknowledgment of informational autonomy, is silent on the status and handling of personal data upon the entry of a data fiduciary into insolvency. This absence is especially concerning in industries such as aviation, where large amounts of sensitive consumer data are regularly collected and processed.

The precedent of State Bank of India v. Jet Airways is a classic example of handling sensitive data. Its frequent flyer program, JetPrivilege, though operationally independent and wholly owned by Etihad Airways, was a high-value intangible asset. In insolvency proceedings, the prospect of monetizing passenger data was the subject of commercial negotiation that raised essential privacy issues. The exchange of customer databases as exchangeable assets highlighted the inability of India's prevailing regime to protect personal data in insolvency scenarios.

Such personal data treatment, in the absence of express informed consent provisions, as provided under the Digital Personal Data Protection Rules 2025 or legislative bars to sale or transfer, not only threatens to erode passenger confidence but also subjects data principals to exploitative situations, especially when asset control falls into the hands of interests with conflicting goals. Conversely, several jurisdictions approach personal data as non-transferable absent express data subject consent, particularly when such data was gathered under special privacy terms.

To address this, India should implement explicit statutory protections, either in sectoral laws or by amending the DPDP Act, which forbids the commercialization of passenger data/ other such sensitive data in the event of insolvency. This would keep data rights inalienable and non-derogable, even in bankruptcy, further strengthening consumer protection and harmonizing the insolvency framework with international data fiduciary norms.

The Legal Status of Data Under the IBC Framework

The Insolvency and Bankruptcy Code 2016 (IBC) emphasizes achieving the maximum value of the assets of the corporate debtor that would be available for distribution to stakeholders in the optimal manner and thus assure economic efficiency. According to Section 18, the interim resolution professional takes control and custody of the property of the corporate debtor to preserve the value of its tangible and intangible property. This is necessary to avoid a deterioration in the value of the assets during the resolution process and to maintain them as a going concern for effective resolution. Together, Sections 18 and 53 (waterfall mechanism) capture the overarching aim of IBC, that is, value maximization, maintaining enterprise value in the resolution process, and ensuring fair, certain results in liquidation. The system emphasizes the code's shift from asset recovery to preservation of value and timely resolution.

Insolvency proceedings against data-intensive players like GoMechanic raise multifaceted issues beyond financial restructurings, most notably regarding data governance and privacy. These firms hold enormous repositories of sensitive personal and financial information, from customer profiles and payment history to geolocation and biometric details, which may inadvertently be treated as intangible assets in the context of insolvency. The lack of express provisions under IBC and DPDP Act on the post-insolvency handling of such data poses serious issues regarding unauthorized access, monetization, or transfer of personal data in the process of asset sales or restructuring. The risk is particularly high in fintech insolvencies, where consumer trust and data integrity are non-negotiable. 

Under insolvency, data is increasingly being viewed as a financial asset to be monetized. In the absence of proper statutory protection, the insolvency process may inadvertently breach data protection standards or dilute consumer protection. As such, India's insolvency regime needs to adapt to include explicit data governance norms for such proceedings, consistent with international best practices in privacy-focused resolution forums.

Personal Data under the DPDP Act: Scope, Ownership, and Transfer

The DPDP Act is a revolutionary change in India's data protection regime, placing at the forefront principles of individual agency, informed consent, and proportionality. At the heart of the law is the consent-driven processing paradigm, under which the collection, storage, or use of personal data should be preceded by the free, specific, informed, and unambiguous consent of the data principal. This permission must expressly set out the purpose and nature of the processing, and any further variation or extended utilization necessitates new authorization. The purpose limitation provision under Section 5(1) requires that personal data shall only be processed for the specific purpose it was gathered for, and thus avoid commodification or secondary use in the absence of renewed consent. Further, the law also gives the data principal a right to erasure (Section 12(2)), giving individuals the authority to seek deletion of their data when the purpose is achieved or consent is revoked, thereby instilling the principle of data temporality and control.

The DPDP Act positions data fiduciaries, ordinarily companies or organizations dealing with personal data, as trustees of said data, and they must provide transparency, security measures, and grievance redressal. Notably, personal information is not "owned" by such fiduciaries but instead licensed to them for limited, purpose-specific use by the Data Principal. This conceptualization effectively eliminates corporate claims of proprietary rights to user information, particularly in situations such as insolvency or asset monetization. The regulatory approach of the Act thus excludes the wholesale transfer, sale, or assignment of individuals' data to third parties, like resolution applicants or asset reconstruction firms, without taking fresh, informed consent from the concerned individual.

Most importantly, the DPDP Act has no statutory exemptions or carve-outs in the case of data processing in insolvency situations. In contrast to jurisdictions that allow derogations in insolvency for the transfer of data as part of asset recovery, Indian law is mum, leaving a compliance void of substantial magnitude. Therefore, any move to treat personal data as an assignable asset in insolvency processes under IBC has to balance with the DPDP Act's rigid consent and purpose tests. The outcome is a legal conflict: whereas insolvency law is directed towards asset maximization, the DPDP Act enforces non-negotiable parameters on data flows, so unconsented transfers are theoretically illegal.

International Approaches to Data in Insolvency: Comparative Jurisprudence

Around the world, insolvency regimes relating to data-intensive entities have increasingly sought to reconcile asset realization with robust data protection guarantees, a field in which India's regime continues to trail. The European Union's General Data Protection Regulation (GDPR) provides a strong benchmark in insisting on express, purpose-by-purpose consent to process personal data. Within the insolvency context, this implies that even within bankruptcy proceedings, users' data can neither be sold nor reused without falling foul of GDPR principles. Major cases, such as Cambridge Analytica-style bankruptcies, have reaffirmed that data subjects' rights under EU law are not abrogated by insolvency.

In the US, while data transfers during bankruptcy are allowed by legislation like the California Consumer Privacy Act, they are subject to disclosure and the right to opt out. The RadioShack bankruptcy particularly witnessed a court-ordered intervention by the Federal Trade Commission requiring rigorous privacy protections before a sale of data.

The United Kingdom's Data Protection Act 2018 takes a balanced approach, permitting some use of personal data in the public interest in insolvency. Insolvency practitioners must, however, carry out data protection impact assessments and are required to follow guidance from the Information Commissioner's Office about handling data under the insolvency estate.

For India, these cross-border practices highlight the imperative for engrafting data privacy issues into insolvency law. Currently, there is a regulatory gap, and no coordinated regulation between the Insolvency and Bankruptcy Board of India, the Ministry of Electronics and Information Technology (MeitY), and the Data Protection Board. The absence of clarity causes serious privacy issues in situations concerning digital platforms, fintechs, or information-intensive companies. A harmonized approach that upholds user rights while facilitating insolvency resolution is critical to aligning India’s regime with global standards.

The Way Forward

The doctrinal tension at the core is between IBC's asset maximization aim and DPDP Act's rights-oriented approach focused on user consent and purpose limitation. The lack of legislative clarity poses the threat of privacy invasions, regulatory breaches, and user trust loss. Change is necessary. To begin with, the IBBI and MeitY need to issue in concert guidance outlining the acceptable range and protections for data processing within insolvency. Second, the DPDP Act must include sector-specific carve-outs or procedure protocols for insolvency scenarios so that compliance does not hinder resolution. Third, resolution plans must involuntarily include independent data valuations as well as data protection impact assessments to promote clarity in the way user data is handled. Finally, India needs to weigh economic recovery against digital constitutionalism. Users are not mere commodities but legal persons having a right to dignity, autonomy, and well-informed participation in the destiny of their personal data, even in the event of insolvency.