The Supreme Court of India asked Ministry of Electronics and Information Technology to examine a PIL seeking mechanisms for recovery or destruction of Indians’ stolen personal data allegedly stored on foreign servers amid rising concerns over cybercrime and sensitive information misuse.
The Supreme Court of India asked the Ministry of Electronics and Information Technology (MeitY) to examine a public interest litigation seeking the creation of a strong mechanism for recovering or destroying personal data of Indian citizens allegedly stolen and stored on servers located abroad.
A Bench comprising Chief Justice Surya Kant and Justices Joymalya Bagchi and Vipul M Pancholi was hearing the plea filed by Nitish Kumar, who raised concerns over increasing incidents of cybercrime, data theft and misuse of sensitive personal information belonging to Indian citizens.
The Court, however, declined to directly entertain the petition, observing that the issues involved were largely technical and administrative in nature. The Bench indicated that such matters would be more appropriately handled by the government and relevant technical authorities rather than through immediate judicial intervention.
ALSO READ: Digital Personal Data Protection Rules 2025: Centre Officially Notifies Privacy Framework
During the hearing, the petitioner urged the Court to intervene in order to operationalise provisions of the Digital Personal Data Protection Act, 2023 and address emerging cyber threats linked to large-scale data breaches and online extortion schemes.
The plea highlighted concerns regarding so-called “digital arrests,” cyber frauds and extortion attempts allegedly being carried out using stolen personal information of Indian citizens.
According to the petitioner, sensitive data stolen by entities operating in at least five foreign countries was allegedly being used for transnational criminal activities targeting individuals in India. The petition claimed that personal details such as fingerprints, identity records and other confidential information were being exploited by cybercriminals.
While acknowledging the gravity of the concerns raised, the Bench emphasised that the matter involved complex technological and administrative dimensions.
The bench said,
“The issue being highly technical in nature, it seems to us that an effective course will be to approach the Ministry of Electronics and IT. Let this plea be given as a supplementary representation. They shall consider it,”
The Court thereafter granted liberty to the petitioner to submit the PIL as a supplementary representation before MeitY for appropriate consideration.
Factual Backgrounds:
The petition drew attention to the growing global concern surrounding cyberattacks, illegal data collection and cross-border digital crimes involving personal information of citizens.
In recent years, India has witnessed a sharp increase in online financial frauds, identity theft, phishing attacks and scams involving leaked or compromised personal data. Cybersecurity experts have repeatedly warned that large-scale breaches of government and private databases can expose citizens to serious financial and privacy risks.
The issue has become particularly significant with the rapid digitisation of services, including banking, healthcare, telecommunications and governance platforms, all of which store vast amounts of sensitive user information.
The petitioner argued that despite enactment of the Digital Personal Data Protection Act, 2023, concerns remained regarding enforcement mechanisms and the ability of Indian authorities to respond effectively when stolen data is transferred to foreign jurisdictions.
Apart from seeking implementation of the DPDP Act, the plea also requested the constitution of a Special Investigation Team (SIT) to supervise investigations into large-scale data theft and cybercrime cases.
The petition further sought directions to the Union government to initiate steps for recovery or destruction of allegedly stolen personal data stored on overseas servers.
However, the Bench indicated practical limitations in pursuing accused individuals located outside India, particularly in the absence of international legal arrangements. On the issue of prosecuting accused persons based abroad, the Court observed: “Unless there’s an extradition treaty,” the accused cannot be brought here to face the law.
ALSO READ: Is WhatsApp Violating Your Rights?: Big Legal Battle Over Privacy Explained
The observation highlighted the jurisdictional and diplomatic challenges frequently faced in tackling international cybercrime, where perpetrators often operate across multiple countries using encrypted networks and foreign digital infrastructure.
Background of the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 was enacted to establish a legal framework governing the collection, storage and processing of digital personal data in India.
The legislation aims to strengthen privacy protections, impose obligations on entities handling personal data and provide citizens with rights regarding the use of their information. The law also empowers the government to prescribe rules concerning data protection standards, grievance redressal and penalties for violations.
However, implementation of several operational provisions under the Act continues to evolve, especially in relation to cross-border data transfers, data localisation and enforcement mechanisms against international actors involved in cybercrime.
With the Supreme Court now directing the petitioner to approach MeitY, the matter is expected to be considered by the government from a policy and technical standpoint rather than through continued judicial proceedings at this stage.
FOLLOW US FOR MORE LEGAL UPDATES ON YOUTUBE