Digital Privacy Issues under Income Tax Act, 2025: Search Powers Explained

The final Income Tax Act, 2025 has removed the proposed power allowing the Income Tax Department to break into virtual digital spaces. This is a relief for those concerned about digital privacy.

However, a misconception is circulating that the department can barge into personal digital accounts such as emails and social media without consent or will take data of genuine taxpayers. This claim is false and misleading.

What is Virtual Digital Space

The new income tax act has explained the virtual digital space. As per Section 261(j) : “virtual digital space” means an environment, area or realm, that is constructed and experienced through computer technology and not the physical, tangible world which encompasses any digital realm that allows users to interact, communicate and perform activities using computer systems, computer networks, computer resources, communication devices, cyberspace, internet, worldwide web and emerging technologies, using data and information in the electronic form for creation or storage or exchange and includes-

(i) email servers;

(ii) social media account;

(iii) online investment account, trading account, banking account, etc.;

(iv) any website used for storing details of ownership of any asset;

(v) remote server or cloud servers; (vi) digital application platforms; and (vii) any other space of similar nature.”

Search and Seizure of ‘Computer System which include Virtual Digital Space’ - Section 247

The income tax act gives powers to the income tax department to access multiple digital spaces. Initially, the term ‘Virtual digital space’ was explicitly mentioned in the Section 247(1)(b)(iii). However, when the new act was released, the term was included in the definition of ‘Computer system’.

Whatever the search or breaking listed from S. 247(1)(b)(i) to (vii) applies is only to the limited area that if the person fails to disclose his/her assets or income.

As per Section 247(1)(b) “any person is in possession of any asset or information in relation to any asset and such asset represents either wholly or partly, income or property which has not been, or would not be, disclosed, for the purposes of the Income-tax Act, 1961 or the Black Money (Undisclosed Foreign Income and Assets) and Imposition of Tax Act, 2015 or this Act (hereinafter referred to as the undisclosed income or property)”

The wordings Section 247(1)(b)(iii) of the withdrawn bill related to the breaking into virtual digital space, reads as follows:

“ (iii) break open the lock of any door, box, locker, safe, almirah, or other receptacle for exercising the powers conferred by clause (1), to enter and search any building, place, etc., where the keys thereof or the access to such building, place, etc., is not available, or gain access by overriding the access code to any said computer system, or virtual digital space, where the access code thereof is not available;”

The wordings Section 247(1)(b)(iii) of the new Income Tax Act related to the breaking into virtual digital space, reads as follows:

“(iii) break open the lock of any door, box, locker, safe, almirah, or other receptacle or override the access code to any computer system for exercising the powers conferred by clause (i) where the keys thereof are, or the access to such building, place, etc., or the access code to such computer system, as the case may be, is not available;”

As per Section 261(e), Computer System means “means computers, computer networks, computer resources, communication devices, digital or electronic data storage devices, used on stand-alone mode or part of a computer system, linked through a network, or utilised through intermediaries for information creation or processing or storage or exchange, and includes the remote server or cloud server or virtual digital space.

Under the withdrawn Bill, clause (iii) expressly proposed to extend search and seizure powers into the “virtual digital space.” In addition to allowing officers to break open physical locks (doors, lockers, safes, almirahs, etc.), the provision authorised tax authorities to “gain access by overriding the access code” not only to computer systems but also to any “virtual digital space” where access credentials were unavailable.

The express inclusion of virtual digital space meant that officers could access cloud storage, email accounts, online databases, digital wallets, and other remotely hosted digital environments during search operations.

Why Digital Privacy talks came on the top of the Table when new Income Tax Bill was presented

For the first time, the law appeared to authorise tax authorities to override access codes and enter not only physical premises or local computer systems but also emails, cloud storage, social media accounts, online banking and investment platforms, many of which are deeply personal and often hosted on third-party or foreign servers. This raised immediate concerns about the scope and limits of State intrusion into an individual’s digital life.

The term "virtual digital space" was broad and unclear, which increased the worry. Without explicit legal protections on relevance, proportionality, or data minimization, the critics contended that the term was sufficiently broad to allow access to enormous volumes of data unrelated to tax procedures, including private communications, sensitive information, and third-party data. Digital access can reveal years of personal and professional history in a single action, which makes the potential intrusion far more serious than physical searches.

Another key reason digital privacy dominated the discussion was its constitutional dimension. Following the Supreme Court’s landmark ruling in K.S. Puttaswamy v. Union of India, privacy is a fundamental right under Article 21, and any State action infringing it must satisfy tests of legality, necessity, and proportionality.

Additionally, practical and cross-border issues fuelled the debate. Much digital data today is stored on foreign servers or controlled by global technology companies, raising questions of jurisdiction, conflict with international data-protection laws, and admissibility of evidence. Granting unilateral “break-in” powers into such spaces was seen as legally complex and potentially unworkable.

Finally, the debate gained traction because existing tax laws already provide wide powers to seek electronic records through notices, summons, and third-party disclosures. Many questioned whether an explicit power to forcibly access virtual spaces was necessary at all, or whether it tilted the balance too far in favour of enforcement at the cost of individual rights.

Reply of Ministry of Finance to Committee Review First Income Tax Bill

The committee has provided suggestions to exclude social media accounts in the definition of virtual digital space. However with regards to the e-mails and whatsapp, the committee said that “Various incriminating evidences and material are found/seized from electronic records including WhatsApp communications, emails, etc. In most of the cases of search operation the taxpayers do not share the password/login credential of online forums/portals/e-mail accounts, etc. This is because various encrypted communication modes are being used by tax payers to communicate and discuss their unaccounted transactions. The amendment has been rightly made to rationalise the provisions. Thus, the suggestion is not feasible.”

How Ministry of Finance is Responding to the Digital Privacy Issues

The Ministry explained that with the rapid growth of digital transactions and virtual platforms for both personal and business use, a substantial portion of financial information is now created, stored, and exchanged in digital and often encrypted form, residing on mobile phones, laptops, servers, cloud infrastructure, and even servers located outside India.

Due to this technological change, conventional enforcement techniques that primarily relied on tangible assets like cash or jewelry are no longer sufficient for identifying tax evasion. In response to this issue, the Finance Act of 2002 added Section 132(1)(iib) to the Income-tax Act of 1961, specifically giving tax authorities the authority to examine and confiscate electronic records during search operations.

The Ministry clarified that such inspection necessarily includes disclosure of passwords, as password-protected electronic records cannot otherwise be accessed. This position has also been upheld by the Delhi High Court in S.R. Batliboi & Co. v. Department of Income-tax (Investigation), which held that the provision casts an obligation on the owner of electronic devices to provide passwords to enable inspection of digitally maintained books of account.

The Ministry clarified that during search operations, taxpayers often refuse to share passwords or login credentials of emails, cloud accounts, messaging platforms, and online portals, even though critical incriminating evidence such as WhatsApp chats, emails, digital books of account, ERP data, and records of unaccounted transactions is found stored in encrypted digital form. As modern tax evasion increasingly relies on digital, cloud-based, and encrypted systems, investigations get frustrated if authorities are unable to access such data.

To address this practical difficulty, Clause 247 of the Income-tax Bill, 2025 proposed allowing authorised officers to override access codes to computer systems or virtual digital spaces only during duly approved search and seizure operations and only where the taxpayer is non-cooperative.

The Ministry said that this was not a new or additional power, but merely an explicit clarification of existing powers under Section 132, which already permits breaking open physical locks where keys are unavailable. In the digital context, passwords are treated as the modern equivalent of keys.

The Ministry further added that strong privacy safeguards already exist under Section 138 of the Income-tax Act (and corresponding provisions in the Bill), and that search powers satisfy the three-fold test of legality, necessity, and proportionality laid down by the Supreme Court in K.S. Puttaswamy.

According to the government, these provisions are aimed solely at combating tax evasion and black money, operate in rare and controlled circumstances, and do not permit indiscriminate intrusion into personal digital or social media accounts, thereby remaining constitutionally valid.

The Committee sought clarity on the procedural safeguards for digital searches, the risk of misinterpretation of digital evidence, and the overlap between personal and financial data during access to electronic records.

In response, the Ministry clarified that the existing law already recognises digital records. Section 132(1)(iib) of the Income-tax Act authorises inspection of books and documents maintained in electronic form under the Information Technology Act, 2000, and requires persons in control of such records to provide necessary access during a search.

The Ministry explained that the Bill merely updated terminology to reflect modern data realities by referring to “electronic systems” and “virtual digital spaces” and by explicitly mentioning mechanisms such as overriding passwords or access codes, which are the digital equivalent of breaking physical locks. These changes were intended to ensure enforcement parity in an economy where tax-relevant information increasingly exists in digital, cloud-based, and encrypted forms, rather than to introduce any new coercive powers.

Addressing privacy concerns, the Ministry added that the powers under Clause 247 operate only during an authorised search, commence with the execution of a valid warrant, and automatically cease once the search is concluded. They do not permit continuous monitoring or post-search surveillance.

Even where digital devices are seized, examination is limited strictly to information relating to prima facie undisclosed income, with searches conducted in the presence of independent witnesses, documented through panchnamas, and governed by CBDT manuals and a charter of rights.

The Ministry also said that established safeguards such as hash-value cloning of devices to preserve data integrity and judicial recognition that Section 132 provides adequate protections. Finally, it was explained that search and seizure actions are exceptional measures, affecting a minuscule fraction of taxpayers, and are initiated only on credible intelligence with high-level authorisation.

Section 247(1)(b)(iii) vs Justice Puttuwamy Case

The Supreme Court, in K. S. Puttaswamy, held that the right to privacy is not absolute and must be assessed in the context of its role in society and balanced against competing constitutional interests.

The Nine-Judge Bench laid down a three-fold test for any State action that infringes privacy: (i) legality, requiring the existence of a valid law authorising the intrusion; (ii) necessity, meaning the action must pursue a legitimate State aim; and (iii) proportionality, which mandates a rational and reasonable nexus between the objective sought to be achieved and the means adopted.

Applying this, the search and seizure provisions under the Income-tax Act, 1961 and the Income-tax Bill, 2025 are designed to meet all three requirements, said the Ministry of Finance.

According to the Ministry, first, the powers are clearly grounded in statute, satisfying the test of legality. Second, they serve a legitimate State objective curbing tax evasion, unearthing undisclosed income, and protecting public revenue, meeting the necessity requirement.

Third, the exercise of these powers is circumscribed by procedural safeguards, authorisation requirements, and limited operational scope, ensuring proportionality and preventing arbitrary or excessive intrusion.

The Supreme Court has recognised specific exceptions where restrictions on privacy are constitutionally permissible. Among these, prevention and investigation of crime and protection of revenue interests are directly relevant to tax enforcement actions.

While other exceptions such as national security, public health, and public order may not ordinarily apply to tax searches, investigations into large-scale tax evasion fall squarely within the recognised domains where privacy can be lawfully curtailed.

Search powers under the income-tax law so function within the constitutional balance envisioned by the Supreme Court, balancing individual privacy with the State's duty to enforce fiscal rules when carefully used in accordance with statutory safeguards, mentioned the Ministry.

The definition of “virtual digital space” in the Bill rightly captures the modern technological ecosystem, including email servers, social media accounts, cloud storage, digital wallets, and investment platforms. Without express legal authority to access them, a tax search would be ineffective, especially when data is encrypted or access is secured by digital authentication.

Income-Tax Act, 2025 and the DPDP Act

The introduction of the Income-Tax Bill, 2025 has brought the interaction between tax enforcement powers and personal data protection laws into sharp focus. When the bill was presented before the Lok Sabha, one of the most debated aspects of the Bill is Section 247, which expands search and seizure powers to explicitly include access to virtual digital spaces such as email servers, social media accounts, online investment and trading accounts, and cloud servers.

The rules immediately caused concerns regarding their consistency with the Digital Personal Data Protection (DPDP) Act, 2023, since these places invariably contain digital personal data.

Under the existing Income-tax Act, authorities already have powers to enter premises, search, seize documents, and inspect electronic records where summons are not complied with.

The new Income-Tax Act, however, goes a step further by clearly recognising that tax-relevant information today is no longer confined to physical books or local devices. Section 247 empowers authorised officers to seek technical assistance, demand access codes, and even override passwords to inspect electronic records and communications stored on computer systems or virtual digital spaces.

The Bill also introduces presumptions regarding ownership and authenticity of digital records found during a search, further strengthening enforcement capability.

To support this expanded scope, the act provides a detailed definition of “virtual digital space” under Section 261(e), covering a wide technological ecosystem email servers, social media accounts, online banking and trading platforms, websites storing ownership data, remote or cloud servers, and digital application platforms.

At the same time, these provisions intersect directly with the DPDP Act, 2023. The DPDP Act defines personal data broadly as any data relating to an identifiable individual and treats almost every operation on such data collection, storage, access, use, disclosure as “processing.”

When the Income Tax Department accesses or seizes data from virtual digital spaces, it determines the purpose and means of processing that data, assuming the role of a Data Fiduciary under the DPDP Act.

The DPDP Act generally requires consent for processing personal data, but it also recognises important State-function exemptions. In particular, Section 7(c) permits processing without consent where it is necessary for the performance of a State function under law, and Section 7(d) allows processing to fulfil legal obligations to disclose information to the State.

The tax searches and seizures fall squarely within these legitimate uses, enabling the Department to access personal data without prior consent when acting under statutory authority.

However, these exemptions do not grant absolute immunity. Even where consent and notice requirements are relaxed, the Department remains bound by core fiduciary obligations under Section 8 of the DPDP Act.

This includes the duty to implement appropriate technical and organisational safeguards, ensure data security, prevent breaches, and remain accountable for any data processors acting on its behalf.

Further exemptions under Section 17 for regulatory, investigative, or quasi-judicial functions continue to preserve critical obligations such as reasonable security safeguards and accountability.

Do Genuine Taxpayers have to Worry ?

First, it is essential to distinguish perception from legal reality. The stated objective of the newly introduced provisions is to combat tax evasion and unaccounted wealth. Where a taxpayer persistently fails to disclose income or assets despite statutory opportunities, the Income Tax Department may, as a measure of last resort, resort to search and seizure proceedings, including access to digital records.

From the Department’s perspective, the traditional system of maintaining physical records has largely given way to digitally stored information, making it necessary to equip enforcement authorities with appropriate legal tools to carry out effective investigations.

At the same time, the provisions raise legitimate concerns about misuse. Even though taxpayers retain the right to seek judicial redress, the intrusion into personal digital spaces during a search can impose pressure and hardship.

Digital devices frequently hold private, privileged, and completely unrelated personal information, the disclosure of which could have catastrophic effects. Therefore, strong safeguards and well-defined boundaries must be in place in addition to investigative capabilities in order to ensure the preservation of private and irrelevant data and to avoid overreach.

In the end, the entire search and seizure should be of concern. You shouldn't be concerned if you are a legitimate taxpayer. However, you might be asked to provide documentation if the department discovers throughout the examination that black money or any undeclared assets or income are involved. It would be beneficial if you could provide a clear explanation; if not, the department will take these last-resort measures.

Support our journalism by subscribing to Taxscan premium. Follow us on Telegram for quick updates