Change Of Control Under CIRP: Change Of Control, Continuity Of Processing, And Personal Data Rights Under Indian Insolvency Law
- IJLLR Journal
- May 5
Lakshay Arora & Khushi Sharma, Christ (Deemed to be University) Delhi NCR
ABSTRACT
This paper examines whether a successful Corporate Insolvency Resolution Process (CIRP) resulting in a change of control creates a fresh consent or renewed notice obligation under India's Digital Personal Data Protection Act, 2023 (DPDP Act). Existing commentary has addressed the monetisation of data assets in insolvency, but has not adequately confronted the prior and conceptually distinct question: does a material change in the identity of those who govern, direct and exploit personal data alter the legitimacy of continued processing? The paper argues for a hybrid position. Prior consent should not automatically lapse upon resolution, as a blanket reset would undermine going-concern value and impede legitimate rescue. However, where a resolution results in a material change of control, processing purpose, or data recipient, the incoming resolution applicant incurs renewed notice obligations and, in cases of genuinely new or incompatible use, a requirement to obtain fresh consent.
Through doctrinal analysis supported by comparative examples, and a normative proposal, the paper analyses the relevant provisions of the IBC and the DPDP Act, examines the Toysmart and RadioShack controversies in the United States and the GDPR framework in Europe as persuasive guides, and proposes a calibrated Indian framework built around a mandatory post-resolution notice obligation, a continuity safe harbour for operationally necessary processing, a material-change trigger for renewed consent, and better coordination between insolvency and data protection regulators.
Keywords: Corporate Insolvency Resolution Process, Consent, Data Fiduciary, Data Principal, Purpose Limitation, Personal Data Governance.
