The commencement of India's data protection enforcement regime under the Digital Personal Data Protection Act, 2023 (DPDP Act) has created a new legal challenge for insolvency practitioners and corporate stakeholders. A recent legal analysis examines whether penalties imposed by the Data Protection Board of India (DPBI) can survive an approved resolution plan under the Insolvency and Bankruptcy Code, 2016 (IBC).
The debate centres on the well-established "clean slate" doctrine under Section 31 of the IBC. The doctrine, reinforced by the Supreme Court in Committee of Creditors of Essar Steel India Ltd. v. Satish Kumar Gupta and Ghanashyam Mishra & Sons Pvt. Ltd. v. Edelweiss Asset Reconstruction Co. Ltd., provides that claims not incorporated into an approved resolution plan generally stand extinguished, enabling successful resolution applicants to acquire distressed companies free from historical liabilities.
The article considers a hypothetical scenario where a company experiences a personal data breach and subsequently enters the Corporate Insolvency Resolution Process (CIRP) before the Data Protection Board concludes its inquiry. If the Board later imposes a significant penalty, questions arise regarding whether such liability remains enforceable against the reorganised entity.
According to the analysis, Section 32A of the IBC may not offer a complete answer. While the provision grants immunity from prosecution for offences committed before commencement of CIRP, penalties under the DPDP Act are civil and administrative in nature rather than criminal. Consequently, they may fall outside the scope of Section 32A's protections.
The article further examines whether a pending DPDP penalty could qualify as a contingent claim under Section 3(6) of the IBC. It argues that practical difficulties arise because the Data Protection Board may not have completed its inquiry during CIRP, the amount of any penalty remains uncertain, and there is no established mechanism for filing such prospective claims during insolvency proceedings.
A central theme of the discussion concerns the constitutional status of privacy. Since informational privacy has been recognised as a fundamental right under Article 21 of the Constitution following the Supreme Court's landmark decision in Justice K.S. Puttaswamy v. Union of India, the article argues that extinguishing data protection penalties through insolvency proceedings could undermine accountability for violations of constitutional rights.
The analysis identifies a potential legislative gap between the DPDP Act and the IBC. It suggests that Parliament may need to clarify whether Data Protection Board penalties should survive insolvency resolution or whether special statutory protection should be introduced, similar to protections afforded to certain employee-related dues under the IBC.
As India's data protection framework matures and enforcement actions become more frequent, courts may eventually be required to determine whether insolvency law's clean slate principle extends to penalties imposed for breaches of privacy obligations.