Supreme Court asks MeitY to examine PIL seeking recovery or destruction of stolen personal data of citizens on foreign servers
What Happened
- The Supreme Court, in a bench comprising the Chief Justice and two other justices, heard a PIL filed by a cybersecurity professional seeking court intervention to operationalise the Digital Personal Data Protection (DPDP) Act, 2023.
- The PIL sought a mechanism to recover or destroy personal data of Indian citizens allegedly stolen and stored on foreign servers, and the constitution of a Special Investigation Team (SIT) to monitor data theft investigations.
- The bench declined to entertain the PIL on judicial grounds, observing that the issues primarily concerned information technology policy and fell outside the strict domain of legal adjudication at the Supreme Court level.
- The bench directed that the petitioner's plea be treated as a representation to the Ministry of Electronics and Information Technology (MeitY), granting liberty to submit it as a supplementary representation.
- The order spotlights the gap between the DPDP Act's enactment in August 2023 and the pending operationalisation of its core institutional mechanisms, including the Data Protection Board of India.
Static Topic Bridges
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) was enacted on 11 August 2023, establishing India's first comprehensive statutory framework for protecting digital personal data. It applies to digital personal data processed within India, and to data processed outside India if connected to the offering of goods or services to persons in India.
- Consent is the cornerstone: data fiduciaries must obtain free, specific, informed, and unambiguous consent before processing personal data.
- Data fiduciaries must implement reasonable security safeguards, report breaches to the Data Protection Board and affected individuals, and erase data once the purpose is fulfilled.
- "Significant Data Fiduciaries" — entities processing large volumes of data — face enhanced obligations including a Data Protection Officer, an independent data auditor, and mandatory Data Protection Impact Assessments.
- Penalties: up to ₹250 crore for security failures causing a breach; up to ₹200 crore for processing children's data in violation of the Act; up to ₹50 crore for general non-compliance.
- The Data Protection Board of India is the statutory adjudicatory body; appeals lie before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Connection to this news: Despite the Act's enactment in 2023, the Data Protection Board had not been constituted as of mid-2026, leaving citizens without a formal redress mechanism — the precise gap the PIL sought to address.
Data Sovereignty and Cross-Border Data Flows
Data sovereignty refers to the principle that personal data generated within a country is subject to that nation's laws and governance structures. When data is exfiltrated and stored on servers in foreign jurisdictions, Indian legal authorities lack direct enforcement power over those servers. This raises questions under both the DPDP Act (which has extraterritorial provisions) and international norms on state responsibility for cyber operations.
- The DPDP Act applies to data processed outside India if it involves offering services to Indian residents, but enforcement against entities on foreign soil remains practically difficult without bilateral treaties or mutual legal assistance frameworks.
- India has not yet enacted comprehensive cross-border data transfer rules under the DPDP Act; such rules are to be notified by the central government.
- The absence of an operational Data Protection Board means stolen-data grievances currently have no designated statutory forum.
Connection to this news: The PIL's demand for a "recovery or destruction" mechanism for data on foreign servers directly confronts this enforcement gap — a challenge that MeitY, rather than the courts, is better placed to address through diplomatic and technical channels.
"Digital Arrests" as a Cyber Fraud Vector
"Digital arrests" refer to a form of cyber extortion in which fraudsters impersonate law enforcement or regulatory officials and coerce victims into staying on a video call for hours or days, threatening arrest over fabricated crimes and extracting money. The modus operandi typically exploits data breaches — using stolen personal data to lend credibility to the impersonation.
- The scam has been identified by law enforcement agencies as a growing threat, particularly targeting senior citizens and professionals.
- Stolen KYC data, Aadhaar-linked records, and banking credentials sourced from data breaches are commonly used to personalise the deception.
- There is no dedicated statutory provision for "digital arrests" — they are prosecuted under existing provisions of the Indian Penal Code and the Information Technology Act, 2000.
- Operationalising the DPDP Act — particularly its breach notification and security safeguard requirements — is viewed as a systemic upstream intervention that could reduce the volume of stolen data available to fraudsters.
Connection to this news: The PIL explicitly linked the rise of digital arrests to stolen personal data, framing data protection operationalisation as a national security and public safety imperative, not merely a privacy or commercial matter.
Key Facts & Data
- DPDP Act enacted: 11 August 2023 (Act No. 22 of 2023).
- Maximum penalty under DPDP Act: ₹250 crore for security failures causing a data breach.
- Data Protection Board of India: statutory adjudicatory body under Section 18 of the DPDP Act; not yet constituted as of May 2026.
- The PIL was filed by a cybersecurity consultant and sought both operationalisation of the DPDP Act and constitution of an SIT for data theft investigations.
- MeitY (Ministry of Electronics and Information Technology) is the nodal ministry for the DPDP Act and for India's cybersecurity and IT governance framework.
- The Supreme Court bench was headed by the Chief Justice of India and comprised three judges in total.