The Data Protection Bill, 2018 and Insolvency and Bankruptcy Code, 2016 (hereinafter referred to as ‘Code’) fail to address how the confidential information obtained by an Insolvency Resolution Professional (‘IRP’) during the insolvency process of a company is to be regulated, handled, stored and shared. On its appointment, the IRP gains unbridled access to such information, which includes intellectual property, contracts, personal data of employees and customers, financial statements etc., without any statutory limitation or regulation on the use of such information by IRP, an unauthorised disclosure of which may bring severe liabilities to the company already undergoing insolvency.
Considering that the IRP acts as an agent of the company, the company shall be liable for any breach of confidential information by the IRP. Such a breach could entail penalties amounting to crores of rupees. To cite an example, Equifax was penalised to a tune of Rs. 4,000 crores for a breach of confidential information of users in U.S.A. Were such a penalty to be imposed, it would harm the interests of creditors as the already insolvent firm would have to pay the penalty to the concerned authority which may diminish the Asset pool. Therefore, the Code needs to be suitably amended to introduce provisions as to how the confidential information held by the IRP is to be regulated, handled, shared and stored.
Presently, the Code provides for the IRP to comply with the laws of confidentiality and insider trading with regards to formulation of resolution plan or information memorandum only and does not provide for ensuring confidentiality throughout the insolvency process. The Insolvency and Bankruptcy Board of India (Insolvency Professionals) Regulations, 2016 carries a provision (Section 21) to ensure confidentiality of information during insolvency process however, this provision is very general and has a very wide ambit which leaves a wide scope for interpretation and litigation as to what would constitute a violation. There are six issues which the Code has failed to address with regards to confidentiality through this provision.
First, all the information in possession of a company is not confidential and it needs to be laid down as to what comprises confidential information. If we consider all information to be confidential, it will place an undesirable burden on the IRP as disclosure of such information requires consent of the concerned party and taking such a consent for every disclosure would be very taxing and it would prolong and hamper the process of insolvency.
Second, the Code does not provide for a penalty for breach of confidentiality. It provides that the IRP shall ensure confidentiality of information during the insolvency process however, it fails to provide any penalty if this section is violated which renders it a mere toothless tiger.
Third, the Code is silent on the issue of waiver of Attorney-Client privilege. When the administration of the company is transferred to the IRP, the information protected under the attorney-client privilege also becomes available to the IRP. The authority to assert or waive this privilege lies with the client (which is the company in this case) and when the administration passes to the IRP, the IRP takes the position of the client. The issue which then arises is that if the IRP finds the protected information to be incriminating or is crucial to unearthing a fraud in the company or any such offence, can the IRP disclose such information to the relevant government authorities by waiving the attorney-client privilege? This issue has been settled in the U.S.A. wherein after years of litigation, the Supreme Court in Weintrauss (Commodity Futures Trading Commission v. Weintraub 471 U.S. 343, 349 (1985)) held that the Insolvency Professional will control the Attorney-Client privilege. Similarly, the issue has been settled by the court in U.K. as well although they came to a surprisingly different conclusion holding that the Attorney-Client privilege cannot be waived by the IP (see Leeds v Lemos (2017) EWHC 1825 (Ch)). The Code can benefit from a study of these two cases and legislate who controls the Attorney-Client privilege instead of relying on the courts to decide on it as and when such a dispute arises, saving judicial time and ensuring legal certainty.
Fourth, the general provision pertaining to confidentiality fails to comprehend the various situations which demand a violation of confidentiality in public interest. For instance, if the IRP comes across any illegal activity or irregularity such as financial fraud, insider trading, misuse of personal data of clients etc., can the IRP then breach confidentiality and report such offences to concerned government authorities? The Code is silent on this point. Further, even if immunity is granted to the IRP from civil damages for breach of confidentiality in such cases, how is it to be decided that the concerned activity or irregularity is blatant enough to be reported to the concerned authorities i.e. what is the threshold? Is it the personal satisfaction of the IRP or the reasonable person test is to be applied? These questions have been left unanswered by the Code. This lack of guidance for IRPs who deal with such situations brings great uncertainty and unpredictability in the actions of IRP. Sung Hui Kim (Chapter 10 - The Ethics of In-House Practice, Lawyers in Practice, Levin & Mather, University of Chicago Press (2012)) proposed a system of four quadrants which lays down situations in which confidentiality can be breached and their thresholds. It could provide much needed guidance for IRPs.
Fifth, if the government authority indeed starts investigating an illegal act or irregularity in the company, it may seize important documents pertaining to such activity. In such a case, the IRP may be denied access to such documents which may hinder the insolvency process. The government investigations usually take years to conclude and the documents may not be available to the IRP till such time the investigation has been completed. Similarly, if the Court orders production of documents containing confidential information of a third party, the third party could sue the debtor company for breaching the confidentiality agreement, which happened in GT Advanced Technologies’ bankruptcy in 2014. In such a case, the Code must also provide an interplay of how the confidential information is to be handled between the government authorities, courts and the IRPs.
Sixth, it must be statutorily mandated that the IRP has to sign a confidentiality or non-disclosure agreement with the debtor company to ensure confidentiality of the information. Presently, the Code casts no such obligation to enter into a confidentiality agreement and leaves a vacuum as far as confidentiality is concerned.
Therefore, the Legislators have left a huge vacuum in the Code with respect to confidentiality and have largely overlooked it. There is a dire need to add a provision which provides ample guidance as to how the confidential information is to be handled, regulated, shared and stored and addresses the problems raised in preceding paragraphs. Further, to ensure confidentiality, the regulatory bodies for IRPs can create soft law instruments such as Code of Ethics & Professional Conduct for IRPs which could provide for ensuring confidentiality and regulate the use, handling, sharing and storage of such information, violation of which could bring disciplinary proceedings against the IRP. Several organisations including INSOL, World Bank and Insolvency Professionals Association, U.K. have relied on soft law to ensure confidentiality in insolvency processes by making it a fundamental principle of insolvency. In the present day and age where personal information is considered invaluable, the importance of its confidentiality shall not be overlooked.