The enactment of the Income Tax Act, 2025, introduces provisions for digital search and seizure, granting tax authorities the power to confiscate digital devices and demand passwords and access codes. This law is applicable from tax years commencing after April 1, 2026, as outlined in Section 536 of the Act. Requesting an accused individual to disclose their passwords raises concerns about violating the right against self-incrimination under Article 20(3) of the Constitution. To circumvent this issue, lawmakers have devised a method to approach digital service providers directly.
Search and Seizure under the 2025 Act
Unlike its predecessor from 1961, along with the Customs, GST, and Prevention of Money Laundering Acts, the 2025 Act empowers tax officers to seek “reasonable technical and other assistance” from third parties for inspecting electronic records and accounts. This includes obtaining access codes, as stipulated in Section 247(1)(ii), and the authority to bypass these codes under Section 247(1)(iii). Tax officers are also authorized to enlist personnel or entities sanctioned by senior tax officials, as per Sections 247(5)(b) and 248. This requisition can extend to intermediaries under the Information Technology Act, 2000, and data fiduciaries under the Digital Personal Data Protection Act, 2023.
Moreover, Section 261(j) of the 2025 Act allows tax authorities to access “virtual digital spaces,” encompassing virtual desktops, emails, social media, online investments, and cloud servers. These areas may contain information unrelated to income tax assessments, raising concerns about a lack of privacy safeguards under Article 21 of the Constitution. The Income Tax Department’s 2025 manual highlights adherence to the DPDPA for data acquired in a fiduciary capacity but remains silent on the deletion of irrelevant data.
Disclosure and Judicial Oversight
Tax authorities can share information with other governmental bodies, as outlined in Section 258 of the 2025 Act, similar to Section 138 of the 1961 Act. The Central Board of Direct Taxes is empowered to release such information in the public interest, with the Commissioner’s decision being beyond judicial scrutiny, as per Sections 258(2)(a) and (b).
The “reason to believe” prerequisite for search proceedings has been diluted under Section 249, which contradicts the ruling in ITO v. Seth Brothers (1969), emphasizing the necessity of disclosing reasons for judicial oversight. Although authorisation from a senior officer is required to obtain passwords or access codes, the “reason to believe” remains undisclosed, even to the Appellate Authority and the assessee. This contrasts with provisions in other laws, where reasons for searches must be recorded and communicated, as demonstrated in Vijay Madanlal Choudhary v. Union of India (2022).
Impact on Intermediaries and Safe Harbour
For tech companies, non-compliance with requests under the 2025 Act could result in losing safe harbour protections, exposing them to potential liability for content on their platforms. According to Rule 3(1)(j) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, intermediaries must assist government agencies in investigations. The draft Second Amendment Rules, 2026, propose Rule 3(4), linking compliance with guidelines to safe harbour protections under Section 79 of the IT Act. This puts additional pressure on intermediaries, prioritizing law enforcement compliance over user privacy.
The Supreme Court’s decision in Puttaswamy v. Union of India (2017) affirmed the right to privacy against state intervention. However, the DPDPA allows the state to process personal data for legitimate uses, bypassing consent and notice requirements, thereby offering limited privacy protection to taxpayers. The state is not obligated to delete irrelevant data, perpetuating privacy infringements without proportionality or legality safeguards, contrary to the principles established in Puttaswamy.
Conclusion
The provisions of Section 247 in the 2025 Act extend government access to personal information well beyond tax matters, enabling potentially arbitrary inquiries. The lack of disclosure requirements in Section 249 fosters an environment of unchecked power. For tech entities, the risk of losing safe harbour protections looms large, especially with potential amendments to the Intermediaries Rules. The absence of robust data privacy laws leaves taxpayers vulnerable to privacy violations, as personal data becomes accessible to multiple agencies once shared. These new provisions may set a precedent, potentially expanding similar powers across other statutes.
Arundhati Katju is a Senior Advocate practicing in Delhi, with research assistance from Spriha Pachauri.
