The new Income Tax Act, 2025 provides for digital search and seizure, empowering income tax authorities to seize digital devices and seek production of passwords and access codes. The law applies prospectively to proceedings for tax years beginning after April 1, 2026 [Section 536 of the 2025 Act].

Asking an accused to provide passwords to their own device or account is, arguably, hit by the fundamental right against self-incrimination under Article 20(3) of the Constitution. Faced with this challenge, lawmakers have found a workaround by going directly to the digital service provider instead.

Unlike the Income Tax Act, 1961 (or for that matter, the Customs, GST or Prevention of Money Laundering Acts), the 2025 Act allows an income tax officer to take “reasonable technical and other assistance” from third parties to inspect electronic documents and books of accounts. This includes retrieving the “access code, by whatever name called” [Section 247(1)(ii)] and the power to override access codes [Section 247(1)(iii)]. To facilitate this, the Act also allows income tax officers to requisition the services of a person or entity approved by senior Income Tax authorities [Section 247(5)(b); Section 248]. Clearly, these requisitions could be made from intermediaries, who are service providers under the Information Technology Act, 2000 (IT Act), and data fiduciaries, the parties who process personal data under the Digital Personal Data Protection Act, 2023 (DPDPA).

Further, the 2025 Act allows tax authorities to access “virtual digital spaces” [Section 261(j)]. These include virtual desktops, email, social media, online investments and cloud servers. These spaces contain materials – email, photographs, messages - having nothing to do with an income tax assessment. The 2025 Act has no inbuilt guardrails that protect an assessee’s right to privacy under Article 21 of the Constitution. The Income Tax Department’s Search and Seizure Manual, 2025 notes that the Income Tax Department should adhere to the DPDPA for digital data obtained in a fiduciary capacity. However, the manual is silent about deleting data which is irrelevant for law enforcement purposes.

Tax authorities can share this information with authorities notified by the Central government [Section 258 of the 2025 Act, similar to Section 138 of the 1961 Act]. The Central Board of Direct Taxes can also disclose such information in the public interest; the decision of the Commissioner is protected from judicial scrutiny [Sections 258(2)(a) and (b)].

The “reason to believe” that an assessee will not comply with a summons or notice is the prerequisite for search proceedings. Section 249 disregards ITO v. Seth Brothers (1969), which held that disclosing reasons is essential for proper judicial oversight of tax authorities. While Section 249 requires an officer to seek authorisation from a senior officer to obtain a password or access code, he or she cannot disclose the “reason to believe” to any person or authority - including the Appellate Authority – and, authorities will argue, the assessee themselves. A similar provision, the explanation to Section 132 of the Income Tax Act, 1961, was introduced by the Finance Act, 2017 with retrospective effect from April 1, 1962. The Supreme Court enforced the provision in Principal Director of Income Tax (Investigation) & Ors v. Laljibhai Kanjibhai Mandalia (2022).

By contrast, police officers conducting a search without a warrant must inform a magistrate of their reasons for the search within 48 hours [Section 185(5) BNSS]. Similarly, Section 19 PMLA requires the “reasons to believe” that the accused is involved in money-laundering to be recorded and communicated to the Adjudicating Authority and the accused. In Vijay Madanlal Choudhary v. Union of India [2022], the Supreme Court declared Section 19 to be constitutional precisely because of these inbuilt safeguards, observing that recording and forwarding reasons ensures that ED officers exercise their powers fairly, objectively and with accountability.

For tech companies, non-compliance with a request under the 2025 Act can result in loss of safe harbour protections. Losing safe harbour exposes intermediaries to liability for content hosted on their platform which they have no role in creating or even access to, if the communication is end-to-end encrypted.

Rule 3(1)(j) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 [Intermediaries Rules] requires an intermediary to assist and provide information to any government agency for investigative and protective activities. Moreover, the draft Second Amendment Rules, 2026 seek to introduce a new Rule 3(4), explicitly linking compliance with guidelines and advisories – including those issued in the future – to safe harbour protections under Section 79 of the IT Act.

As a result, intermediaries are constrained to comply with law enforcement requests, instead of protecting a user’s freedom of speech or privacy. In 2024, Apple reportedly denied the Enforcement Directorate access to Arvind Kejriwal’s phone after his arrest in the excise policy case. Today, the phone manufacturer – which is an intermediary in relation to internet-based services like iMessage or iCloud – could face loss of safe harbour protections if it refuses to comply with an income-tax request under the Income Tax Act 2025.

In Puttaswamy v. Union of India (2017), the Supreme Court recognised that Indian citizens have the right to privacy against the State. The DPDPA, however, provides wide exemptions for data disclosed to or available with the State. Under Section 7(c) and (d), the Act allows personal data to be processed for “certain legitimate uses”, including allowing the State to perform its functions under law, and for a person to meet their obligations to disclose information to the State. When a data fiduciary (such as a tech company) is asked for taxpayer's data under the Income Tax Act, 2025, they are bound to share it without having to comply with requirements of consent, notice, or other protections [Section 4 read with 7]. Data fiduciaries do not even need to inform taxpayers while sharing their data with tax authorities.

The State has no responsibility to protect the data it obtains; in fact, it has the benefit of exemptions under Section 17 of the DPDPA. It has no obligation to delete data if an inquiry reveals no unlawful activity, or to delete private photographs or messages that have nothing to do with an inquiry.

The DPDPA gives government authorities access to user’s personal information without conforming to the reasonable restrictions on free speech envisaged under Article 19(2) of the Constitution. It allows the right to privacy to be infringed, without any guiding principles for proportionality, legitimate state interest, or legality, as held in Puttaswamy.

In the digital age, Section 247 gives the government information about assessees far beyond the remit of income tax. Access to emails, social media and virtual desktops enables fishing inquiries by tax authorities and investigating agencies. At the same time, by keeping reasons out of the public domain, Section 249 promotes arbitrariness. For tech companies, non-compliance with income-tax requests now carries the risk of loss of safe harbour, particularly if MEITY introduces the proposed Rule 3(4) of the Intermediaries Rules. Data privacy law does not protect taxpayers from these incursions into their privacy; to the contrary, once shared with one agency, personal data is available to all. The new income tax provisions are an experiment. If successful, similar powers will no doubt proliferate in other tax and criminal statutes.

Arundhati Katju is a Senior Advocate practicing in Delhi.

Spriha Pachauri provided research assistance.