By Vikrant Rana, Anuradha Gandhi and Rachita Thakur
Introduction
The Income Tax Bill, 2025 (hereinafter referred to as the “Bill”), introduced in the Lok Sabha on February 13, 2025 is a modern reform which seeks to replace the Income-Tax Act, 1961 (hereinafter referred to as the “IT Act”). The Bill retains most of the provisions of the act and primarily aims to simplify tax laws with clearer language and logical reorganization. However, the Bill has also stirred controversy by incorporating a section which allows authorities to gain access of a personal virtual digital space during search and seizure proceedings, raising concerns about privacy, rights of the data principals and overreach.[1]
What does the Bill say?
Prior to the introduction of this Bill, the IT Act, permitted tax authorities to enter and search any building, place, vessel, vehicle or aircraft suspected of storing undisclosed books of account, documents, money, jewelry or other valuables and to break open locks on any door, box, locker, safe, almirah or other receptacle, when keys are not available leaving digital assets and documents out of its coverage.[2]
Now with the Amendment the Bill has introduced the concept of “Virtual Digital Spaces” which means an environment, area, or realm that is constructed and experienced through computer technology. It has empowered the authorities to inspect electronic documents including users interactions and communications using data and information in the electronic form. It includes email servers, social media accounts, online investment and trading accounts, websites for storing details of asset ownership, remote or cloud servers and any digital application platforms.[3]. The present provision is with the understanding of the current social as well as economic landscape of the reliance and usage of the digital spheres.
Additionally, Section 247 of the Bill provides for overriding powers of search and seizure which allows tax authorities to bypass passwords and access such virtual digital spaces during search and seizure operations when such access is not available, and if they have reason to believe that the taxpayer has failed or omitted to produce required documents or any information in any electronic media or a computer system as required by summons or notices issued under the Bill[4].
Concerns regarding Access to Digital Data
Although the integration of Information and Communication Technologies (ICT) in tax administration has enhanced the efficiency of tax compliances by providing readily accessible user data, these advancements raise serious concerns creating the risk of excessive and constant surveillance, privacy violations, and potential misuse by enforcement agencies.
In the current era where most large volumes data is digitally generated as well as digitally stored, Tax authorities rely on this high volume of personal data generated by tax payers and third-parties. These are available through various sources including public records, businesses, information gathered by other authorities, employers, financial institutions etc.[5] The major concern is the broad definition of virtual digital assets which not only includes financial records but also private communications and other unrelated information that might be exposed during such operations.
As passwords are treated as sensitive personal data under the Information Technology, (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, therefore, legally written and free consent is to be taken before their collection and usage.[6] Additionally, the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP”) requires notices to be send to the Data Principal to inform them about the purpose of processing such data[7].
This requirement ensures that individuals are fully informed about the data processing activities, reinforcing the principle of explicit and informed consent. The overriding of legally mandated gated provisions may undermine the rule of law.
In view of these concerns, a 31-member select committee has been constituted to review the disputed sections and recommend amendments[8].
Intersection of Data Protection Laws and the Income Tax Bill, 2025
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP”) permits Data Fiduciaries (tax authorities in this case) to process personal data without explicit consent under certain legitimate uses. Specifically, Section 7(d) of the above Act allows processing for fulfilling any legal obligation to disclose information to the State or any of its instrumentalities, provided it complies with existing disclosure requirements under prevailing laws.
Furthermore, Section 17(2) (a) exempts processing of personal data by instrumentalities of state as notified by the Central Government in the interests of the country. In so far as this exception is concerned the DPDP Act has provided that the Data Fiduciary is still responsible to comply with the provisions of this act and the applicable rules in respect of processing undertaken by it [9]which may include taking prior consent.
Section 247 of the proposed Bill aligns with these provision by authorizing tax authorities to access digital data during search and seizure proceedings when necessary to meet legal obligations. Such obligation would only arise if there is a reasonable apprehension as to the act of hiding unaccounted income which would justify the intrusive search in to the digital realm.
Political Support and Rising Developments
Acknowledging the privacy concerns, the Finance Minister Smt. Nirmala Sitharaman upheld the Bill, citing recent tax investigations where digital data played a crucial role in tracing financial crimes. The Minister further stated that, Encrypted WhatsApp messages helped trace INR 200 crore of accounted money, Google Maps history was used to track locations where cash was hidden, and Instagram accounts were analyzed to identify benami property ownership.
The Bill has will allow the tax authorities to gain access to encrypted communication platforms like WhatsApp and Telegram as well as emails, software and storage servers that businesses use to conceal financial information. This is currently being done through methods like Open-Source Intelligence (OSINT), Device Forensics, Call Data Records and Metadata analysis to detect such transactions.[10]
Current Frameworks Authorizing Government Data Access
Currently the government has been empowered under the Information Technology Act, 2000 (hereinafter referred to as “IT Act”) and Telecommunications Act, 2023 to access and intercept digital data under specific circumstances which are termed as “reasonable restrictions”. For instance, Section 69A of the IT Act also allows the government to block public access of any information stored in a computer resource, while Section 20 of Telecommunications Act, 2023 allows the government to take temporary possession of any telecommunication service or network or direct interception or disclosure of messages in intelligible format on the occurrence of a public emergency or in the interest of public safety.
How does Platforms Respond to Government Data Requests?
WhatsApp has provided that it acknowledges government data requests only if they comply with applicable laws, its policies including privacy policy and, in some cases, the Mutual Legal Assistance Treaty (MLAT) process. In emergencies, limited data may be shared if there is a good belief of imminent harm. Users are notified about such requests before the data is disclosed unless in special circumstances such as child exploitation or threat to life. Delay notice may also be provided. WhatsApp may deny requests that are overly broad, legally deficient or violate international standards and can challenge the order if it undermines the encryption provided to protect privacy. Disclosures where permitted, may include basic subscriber information such as name, service start date, last seen date, IP address, device type, email and account information such as profile photos, contact list and group information.[11]
Similarly, Telegram’s privacy policy states that, upon receiving a valid order from relevant judicial authorities which confirms that a user is involved in criminal activities, it may disclose IP address and phone numbers to the relevant authorities after conducting a detailed legal analysis of such request[12].
Conclusion
Though the above development demonstrates the potential benefits of access to digital data in Income Tax Proceedings, there still exists reasonable apprehension to believe that such constant digital mass surveillance may be misused and set a wrong precedent for state intrusion into personal data without adequate oversight.
One of the most contentious aspects of the Tax bill is its potential conflict with the requirements under privacy laws. It is essential that every action of the State must be tested on the requirements mentioned in the Doctrine of Proportionality as laid down in the Puttaswamy case[13] to justify the violation of privacy with the exception provided in the DPDP Act. These requirements are:
- Action must be sanctioned by law
- Such action is necessary to substantiate a legitimate claim in a democratic society
- The degree of such interference should be proportional to the necessity of it
- There must be procedural safeguards in place to prevent misuse of such interference
Therefore, it is essential that the scope of such legitimate interest be limited to a certain extent and less invasive investigation methods be adopted to strike a balance between the Rights of Individual and Public at large.
Rishabh Gupta, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.
[1] https://prsindia.org/billtrack/the-income-tax-bill-2025
[2] Section 132 of the Income Tax Act, 1961
[3] Section 261(i) of The Income Tax Bill, 2025
[4] Section 247 (1) (b) (iii) of The Income Tax Bill, 2025
[6] Rule 3 and 5 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
[7] Section 5 of Digital Personal Data Protection Act, 2023
[9] Section 17(1); Section 8(1) of Digital Personal Data Protection Act, 2023
[11] https://faq.whatsapp.com/808280033839222
[12] https://telegram.org/privacy?setln=fa
[13] JUSTICE KS PUTTASWAMY (RETD.) & Anr. vs. UOI, [2017] 10 S.C.R. 569?