
The Insolvency Tightrope: Looking at Protecting Data while Monetizing Assets

  • Ashish Rawat, Kinjal Ahuja

[Ashish and Kinjal are students at Chanakya National Law University.]


In India’s digital economy, data has become a strategic asset as well as a potential liability. Start-ups and platform businesses regularly collect huge volumes of personal data such as customer behavioral analytics, transaction histories and customer profiles. When such businesses go insolvent under the Insolvency and Bankruptcy Code 2016 (IBC), their data reserves may constitute a huge proportion of the value that can be recovered by creditors. The IBC clearly prescribes, under Section 18 and Section 25, that all assets of the corporate debtor, whether tangible or intangible, are to vest with the resolution professional (RP) or liquidator so that value is maximized and dues are repaid. However, the promulgation of the Digital Personal Data Protection Act 2023 (DPDP Act) creates a major statutory conflict, as data principals (i.e., individuals whose personal data is in the possession of the insolvent company) will now have rights to withdraw consent under Section 6 and demand erasure under Section 12 of the DPDP Act. This blog highlights the statutory and constitutional tensions arising from the interplay between the IBC and the DPDP Act, ultimately raising the question of which of these rights prevails when they come into conflict.


Data as an Insolvency Asset


Under Section 36(3)(d) of the IBC, the ‘liquidation estate’ explicitly includes intangible assets, such as intellectual property, securities, and contractual rights, and the open-ended phrase ‘including but not limited to’ broadens this scope to encompass other high-value intangibles like data. In a digital economy where personal and business data can carry substantial commercial worth, recognizing it as part of the liquidation estate aligns with the IBC’s overarching aim of maximizing asset value. However, this recognition is not absolute, as the economic value of personal data is inherently tied to the validity of consent and compliance with data subject rights. If data principals withdraw consent or demand erasure during insolvency, the very asset being monetized may depreciate or even dissolve. Thus, while data undeniably belongs to the liquidation estate, its valuation and transferability must account for the legal and practical constraints imposed by data protection laws. Also, a recent study highlights that data qualifies as an intangible asset under International Financial Reporting Standards, particularly under IAS 38, which explicitly lists ‘databases and customer lists’ as examples.


In practice, data assets have been successfully sold in foreign insolvency proceedings. For instance, in CTLI, LLC (528 B.R. 359), the US bankruptcy court authorized the sale of the debtor’s social media assets along with the related customer data, provided that data protection norms were met. Similarly, in the Netherlands, the bankrupt online travel agency TravelBird sold its customer database to competitor Secret Escapes in 2018. The receiver notified all data subjects of the impending sale, allowed a two-week objection period, and imposed strict conditions such as purpose limitation and no secondary use. In India, data as an asset is not as well conceptualized as in other jurisdictions like the U.S. or EU, but it is increasingly becoming a monetizable asset. Such treatment must, however, be reconciled with the nature of personal data not simply as an economic asset, but also as the subject matter of fundamental rights, especially under Article 21 of the Indian Constitution in the wake of the decision in Justice KS Puttaswamy (Retd) v. Union of India.


Data Subject Rights under the DPDP Act


The DPDP Act makes such compliance requirements clearer and stricter. Sections 6 and 12 of the DPDP Act establish rights which may, in practice, extinguish or gravely restrain the market value of a data asset. Section 6(4) gives data principals a right to withdraw consent to the processing of personal data at any point in time, after which further processing must cease unless some other legal basis is provided. Section 12(3) grants a right to erasure, under which data fiduciaries (in this case the insolvent company and the RP as fiduciaries) must delete personal information unless retention is required for the specified purpose or to comply with law. If thousands of customers exercise these rights during the insolvency, the customer database available to the debtor may either be reduced or rendered worthless, and this would directly affect any recoveries made by the creditors. This is no longer a hypothetical situation, since under the European General Data Protection Regulation (GDPR), regulators such as the Financial Conduct Authority have confirmed that when a data controller becomes insolvent the GDPR does not diminish data subject rights.


Do These Rights Survive Insolvency?


The core challenge is whether data subject rights survive insolvency and limit the powers of the RP. Section 238 of the IBC states unequivocally that the provisions of the Code will override any inconsistent laws. The supremacy of this non obstante clause has been reaffirmed by the apex court in Innoventive Industries Limited v. ICICI Bank and Committee of Creditors of Essar Steel India Limited v. Satish Kumar Gupta, which stated that in case of any discrepancy between the IBC and any other law, the IBC will have precedence. However, this principle must be in consonance with the constitutional aspect of privacy. In Justice KS Puttaswamy (Retd.) v. Union of India, the Supreme Court affirmed that informational privacy is part of Article 21, i.e. the right to life and personal liberty.


While Section 238 of the IBC provides an overriding effect over other laws for the purpose of insolvency resolution, any restriction placed on data subject rights under the DPDP Act (such as the right to erasure or withdrawal of consent) should be interpreted in light of statutory context and the specific objectives of insolvency proceedings. Instead of a wholesale denial, courts and regulators might require a fact-specific balancing approach, assessing whether the restriction is justified by the aims of asset maximization, protection of creditor interests, and the public interest in insolvency resolution. This balancing could incorporate proportionality principles, but the application would depend on the circumstances, the available safeguards, and whether alternative, less intrusive means to achieve insolvency objectives exist. Therefore, the denial of privacy rights in insolvency is not absolute; rather, the scope of such denial must be justified by insolvency imperatives and subject to supervision for fairness, necessity, and respect for data subjects’ rights to the extent practical.


Additionally, the DPDP Act is a more recent and more specific legislation that primarily addresses data protection. Section 33 of the DPDP Act provides that contraventions by data fiduciaries can be punished through penalties, and Resolution Professionals may fall within this category where they wield excessive control over personal data. This implies that blanket application of Section 238 is inadequate.


Comparative experience under GDPR reinforces this caution. In the Southern Pacific Personal Loans Limited case ([2013] EWHC 2485 (Ch)), the UK High Court held that insolvency practitioners are not automatically ‘data controllers’ if they merely act as agents. However, where administrators make substantive decisions about data processing (such as selling customer databases), they become controllers and assume corresponding obligations. The Information Commissioner’s Office and the UK Financial Conduct Authority have jointly warned that insolvency does not extinguish data protection responsibilities. While India has not issued comparable guidance under the DPDP Act, the logic remains persuasive: insolvency administrators must not treat personal data as fungible property unencumbered by rights.


Possible Resolutions


A pragmatic model to resolve these conflicting interests could involve tiered measures. First, a data protection impact assessment (DPIA), a process covered by GDPR Article 35 and applicable by analogy in India, must be carried out by the RP prior to any transfer or sale of personal data, to consider possible risks as well as the means to address them. Second, a ‘consent refresh’ mechanism must be integrated with this DPIA stage. Under this mechanism, data principals would be informed periodically, especially before any data transfer or monetization, about the intended use of their personal data. This allows them a meaningful opportunity to reaffirm or withdraw their consent or to exercise rights such as erasure. This automatic reaffirmation respects data subjects’ autonomy and ensures ongoing transparency in how their data is handled during insolvency. Third, data anonymization or pseudonymization must be considered to preserve analytical utility without retaining personally identifiable elements. Fourth, RPs can consider seeking guidance from the National Company Law Tribunal (the adjudicating authority) for specific directions clarifying whether the transfer is necessary for resolution and assessing the reasonableness of the ripple effect of the exercise on privacy rights. Such a procedural measure could provide an additional layer of judicial oversight, aligning with principles of accountability and transparency under the DPDP Act and the IBC.


Conclusion


In conclusion, this conflict demonstrates a policy dilemma on a large scale. The IBC’s objectives of time-bound resolution and asset maximization must be reconciled with the DPDP Act’s mandate to respect informational self-determination. Perhaps, in future, the Insolvency and Bankruptcy Board of India or the Ministry of Electronics and Information Technology will issue clarificatory guidelines or rules to streamline these statutes. Until then, RPs, creditors, and potential buyers must recognize that data is not merely a commodity to be liquidated but a bundle of rights that can be exercised, revoked, or transferred by individuals even in the face of corporate insolvency.


With India still in the process of transforming into a data-oriented economy, insolvency law and data protection will be complex areas in need of interpretive and regulatory support. The risk of undervaluing data subject rights or failing to comply with the DPDP Act is not merely theoretical. Under Section 33, non-compliance can trigger substantial financial penalties, further complicating insolvency proceedings. A measured, rights-respecting approach is not only legally sound but ultimately in the interests of all stakeholders: creditors, consumers, and the integrity of India’s insolvency ecosystem.



©2025 by The Indian Review of Corporate and Commercial Laws.
