Clean Slate, Dirty Data: Does IBC's Resolution Framework Extinguish Data Protection Board Penalties?
With the introduction of the Digital Personal Data Protection Rules in late 2025, India's data protection enforcement era has now formally begun. For the first time, entities that mishandle personal data will face real regulatory consequences, penalties of up to INR 250 crores per breach under Section 33 of the Digital Personal Data Protection Act, 2023 (“DPDP Act”). Yet a very substantial and critical question still remains unaddressed and that is what happens to a pending Data Protection Board (“DPB”) penalty when the corporate debtor against whom it is being imposed undergoes Corporate Insolvency Resolution Process (“CIRP”) under the Insolvency and Bankruptcy Code, 2016 (“IBC”)?
Let us consider a scenario wherein an insurance company, handling the personal and health data of lakhs of customers, suffers a data breach in 2025 and thereafter an inquiry is initiated against that company. Before the inquiry concludes the company enters into CIRP. A resolution plan is approved by the Committee of Creditors (“CoC”) and sanctioned by the National Company Law Tribunal (“NCLT”). Now, months later, DPB concludes its inquiry and imposes a INR 100 crores penalty. Is that penalty enforceable? Or does that penalty stand extinguished by the resolution plan?
This article addresses these questions and argues that the penalties imposed by the DPB are affected by a legislative gap. These penalties fall outside the protection of Section 32 A of the IBC and possess a constitutional character that distinguishes them from ordinary dues.
1. The Clean Slate Doctrine - Settled law
The doctrine of Clean Slate is embedded in Section 31(1) of the IBC and is the cornerstone of India's insolvency resolution framework. It provides that once NCLT approves a resolution plan, it becomes binding on the corporate debtor, its employees, members, creditors, expressly including the Central Government, any State Government, or any local authority, guarantors, and all other stakeholders. The dominant purpose of this doctrine is to provide a fresh slate to the Successful Resolution Applicant (“SRA”) thereby insulating it from any surprise claims.
In the matter of Committee of Creditors of Essar Steel India Ltd. v. Satish Kumar Gupta [2019 INSC 1256] the Hon'ble Supreme Court established that the commercial wisdom of the CoC is paramount and that approved resolution plans bind all parties without exception. The resolution applicant acquires the corporate debtor free from all prior claims not forming part of the approved plan. This “clean slate” is what makes resolution commercially viable and without it, no rational acquirer would bid for a distressed company.
This principle was further extended by the Hon'ble Supreme Court in the matter of Ghanashyam Mishra and Sons Pvt. Ltd. v. Edelweiss Asset Reconstruction Co. Ltd. [2021 INSC 250] where it held that “all dues including the statutory dues owed to the Central Government, any State Government or any local authority, if not part of the resolution plan, shall stand extinguished and no proceedings in respect of such dues for the period prior to the date on which the adjudicating authority grants its approval under Section 31 could be continued.” This ruling expressly covers government dues, statutory penalties, and tax demands, even those crystallising after plan approval but relating to pre-insolvency commencement date (“ICD”) conduct.
2. Section 32 A - Parliament's Fix and Its Limits
In the matter of JSW Steel Ltd. v. Mahender Kumar Khandelwal [Company Appeal (AT)(Insolvency) No. 957 of 2019, NCLAT] when the Enforcement Directorate sought to attach Bhushan Power & Steel Limited's assets post-resolution for alleged money laundering by its erstwhile promoters, a critical vulnerability was exposed. The resolution applicants acquiring distressed companies could face legal consequences for wrongs they never committed.
Parliament responded by inserting Section 32A into the IBC in 2020. It provides that once a resolution plan is approved, the corporate debtor shall not be prosecuted for offences committed prior to the commencement of CIRP, provided the resolution applicant is a bona fide third party unconnected to the original wrongdoing. The legislative intent was to protect the resolution applicants from any surprise regulatory action.
However, Section 32 A is limited in its application because it is confined to “offences” meaning that it is a provision adhering to immunity from any criminal liability post approval of the resolution plan. But, the DPDP Act, by contrast, creates no criminal offences. DPDB proceedings are civil and administrative in nature. Penalties under Section 33 are imposed after an inquiry process, not a criminal prosecution. Section 32A's protective umbrella, therefore, does not extend to penalties under the DPDP Act. Hence, the Parliament fixed the criminal half of the problem and left the civil regulatory half entirely unaddressed.
3. Is a DPDP Act Penalty a “Claim” under Section 3(6) of IBC?
Another question that arises is whether a penalty imposed under the DPDP Act falls under the definition of a “Claim” within Section 3(6) of the IBC which states that a claim is a right to payment, whether contingent, matured, unmatured, disputed, undisputed, secured, or unsecured.
Now let us say the penalties under DPDP Act fall under the category of a contingent claim. The data breach i.e. the underlying wrongful act occurs pre-ICD. The corporate debtor's exposure to potential penalty exists from that moment. Let us now go into the practical mechanics of filing a claim related to a DPB penalty as a contingent claim. Firstly, the question that immediately arises is: who files the proof of claim with the Resolution Professional? The data principals have no right to payment under the DPDP Act. The penalties flow to the Consolidated Fund of India as per Section 34 of the DPDP Act and not to the data principals. Secondly, the DPB itself, being mid-inquiry, has passed no order and has no crystallized claim to submit. The government, as the ultimate Consolidated Fund beneficiary, has no established institutional mechanism for filing insolvency claims on behalf of penalties not yet imposed, unlike the Income Tax Department, which has well developed machinery for participating in CIRP proceedings. Lastly, the quantification problem compounds this further. Now as per Regulation 12 read with Regulation 14, IBBI (Insolvency Resolution Process for Corporate Persons) Regulations, 2016, the claims are to be submitted with supporting documents and a quantified amount (or at minimum a basis for estimation) whereas penalties under Section 33 of the DPDP Act range from zero to INR 250 crores depending on the factors the DPB considers only after concluding its inquiry, nature of violation, intent, remedial steps taken, thereby making estimation at the claims stage impossible.
Hence, it is established that treating DPB penalties under the DPDP Act as contingent claims under Section 3(6) of the IBC, while theoretically plausible, suffers from structural impossibility in practice, thereby rendering their submission during CIRP a futile exercise.
4. The Constitutional Caracter of Penalties imposed by the Data Protection Board: The Non- Derogability Argument.
Let us now address the final question and that is, does the doctrine of clean slate have the power to wipe out accountability for a violation of a fundamental right?
In the matter of Regional Provident Fund Commissioner v. Jayesh Sanghrajka [Company Appeal (AT)(Insolvency) No. 2100 of 2024, NCLAT], NCLAT applied the clean slate rigidly, holding that belated Employees' Provident Funds (“EPF”) claims, even those delayed because their quantum only crystallised after CoC approval cannot be entertained post-approval of the resolution plan. The tribunal prioritised procedural rigidity over the protective purpose of the Employees' Provident Funds and Miscellaneous Provisions Act, 1952. Several commentaries have rightly criticised this, noting that EPF contributions are trust monies held for workers, not commercial debts, and that the clean slate cannot operate to defeat obligations whose non-derogable character Parliament has legislatively recognised through Section 36(4)(a)(iii) of the IBC itself.
Now applying the above non-derogability argument to the DPDP Act, it may be argued that the penalties imposed by the DPB operate at a higher constitutional plane. Informational privacy is a fundamental right under Article 21 of the Constitution of India as recognized by a nine-judge Constitution Bench in the landmark judgment of Justice K.S. Puttaswamy v. Union of India [2017 INSC 801]. The enforcement mechanism under DPDP exists to vindicate that right and deter its violation. When a resolution plan extinguishes a pending DPB penalty, it does not merely take a haircut on a government revenue claim; rather, it eliminates the entire legal consequence of a constitutional violation. The affected data principals, whose personal data was breached, receive nothing under the DPDP Act in any case. The penalties flow to the Consolidated Fund, not to them. Extinguishment therefore produces an outcome where a fundamental rights violation occurs, is investigated, is found proven, but produces zero consequence because the wrongdoer happened to enter insolvency before the inquiry concluded, thereby defeating the entire purpose of the DPDP Act.
5. The Legislative Gap and Recommendations
Now turning to the structural gap between the IBC and the DPDP Act. The DPDP Act has no savings clause for insolvency while the IBC's Section 32A addresses only criminal regulatory liability. The result is a systematic risk: every data-heavy corporate debtor that undergoes CIRP with a pending DPDB inquiry will emerge with that liability extinguished, not because Parliament intended this outcome, but because two statutes enacted independently of each other have never been read together.
The limitation period further compounds this problem. CIRP operates within a statutory outer limit of 330 days under Section 12 of the IBC. Claims must typically be filed within 90 days of the ICD. DPB's inquiry process has no equivalent limitation; hence inquiries can take well beyond a year to conclude. In practice, DPDB will almost always conclude its inquiry after the resolution plan is approved. If the “contingent claim” analysis applies, that claim was never filed during CIRP thereby making extinguishment automatic and invisible, with no claimant ever having had a realistic opportunity to assert it.
We can close this gap by adopting two routes. Judicially, the courts should apply a purposive interpretation in cases of overlap between DPDP Act and IBC whereby they will not ask whether the penalty technically qualifies as a “claim” but whether merely extinguishing it is consistent with the constitutional right to privacy that the DPDP Act exists to enforce. Legislatively, Parliament should consider either amending Section 32A to extend its logic to civil regulatory penalties rooted in fundamental rights, or inserting an express provision in the DPDP Act modelled on Section 36(4)(a)(iii) of the IBC's exclusion of EPF dues thereby preserving DPB's enforcement powers against pre-CIRP conduct of the corporate debtor.
The clean slate is a good idea. It gives buyers of distressed companies the certainty they need, and India's insolvency framework is better for it. But good ideas have limits. A doctrine designed to wipe clean a company's financial past was not designed also to wipe clean its record of violating people's privacy. That distinction matters and it will matter more as India's digital economy grows and the Data Protection Board begins active enforcement. So, the question that this article poses: Can a resolution plan erase accountability for a fundamental rights violation? deserves an answer before a court is forced to improvise one.
Author is an Advocate based in Delhi. Views are personal.