Supreme Court Sends Stolen Data PIL to MeitY, Avoids Direct Intervention

The Supreme Court on May 19, 2026 declined to directly entertain a public interest litigation (PIL) on the theft and offshore storage of Indian citizens’ personal data, instead directing the petitioner to submit a supplementary representation to the Ministry of Electronics and Information Technology (MeitY). Chief Justice Surya Kant’s bench stressed that the issues raised—cross‑border data theft, offshore storage, and recovery or destruction of stolen data—are highly technical and better suited to administrative and technological solutions than immediate judicial intervention.

The PIL, filed by cyber security consultant Nitish Kumar, sought three key measures: full operationalisation of the Digital Personal Data Protection (DPDP) Act 2023, creation of a Special Investigation Team to oversee data theft probes, and a mechanism to recover or destroy stolen personal data stored on servers in at least five foreign jurisdictions. While acknowledging the seriousness of threats such as misuse of biometric identifiers and the “digital arrest” extortion scheme, the Court highlighted a practical limitation: in the absence of extradition treaties and robust cross‑border cooperation frameworks, Indian authorities cannot easily compel the return of either accused persons or stolen data.

By referring the matter to MeitY rather than dismissing it outright, the Court has effectively placed responsibility on the executive to design the architecture for cross‑border data recovery, destruction, and enforcement. The DPDP Act 2023 remains only partially in force, with critical Rules still pending, and this case illustrates the risks of that regulatory gap. Organisations handling sensitive personal data should anticipate that forthcoming Rules may tighten obligations around cross‑border data flows, jurisdiction, and data destruction, and should proactively strengthen data minimisation, breach response, and incident coordination protocols instead of waiting for formal mandates.

For compliance and risk teams, this development is a signal to map data flows—especially to foreign cloud and processing locations—review contractual safeguards with overseas processors, and prepare for more assertive expectations from MeitY and the future Data Protection Board. Aligning internal policies with the DPDP Act’s core principles now will reduce remediation costs and enforcement exposure once the Rules crystallise the government’s approach to international data transfers and remediation of large‑scale data theft.