Overriding Access Codes: Constitutional Limits of Clause 247, Income Tax Bill 2025

Overriding The Access Code: The Constitutional Limits of Clause 247 of The Income Tax Bill, 2025 On Virtual Digital Space Access And Compelled Decryption In India

ABSTRACT

Clause 247 of the Income Tax Bill, 2025, the most constitutionally controversial provision in the legislation, empowers authorised income tax officers to override access codes and gain entry into a taxpayer’s ‘virtual digital space,’ defined broadly to encompass email servers, social media accounts, cloud storage, trading accounts, banking accounts, and digital application platforms. The power is exercisable without prior judicial authorisation and with a ‘reason to believe’ standard that remains subjectively defined. This article undertakes the first comprehensive constitutional examination of Clause 247 from the perspective of the three-fold proportionality test articulated by the nine-judge bench in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), the right against self-incrimination under Article 20(3) as developed in Selvi v. State of Karnataka (2010), and the substantive due process requirements of Article 21 as applied in Maneka Gandhi v. Union of India (1978). The article argues that the compelled disclosure of a decryption key or access code is a testimonial act that attracts the Article 20(3) protection in any proceeding that carries criminal or quasi-criminal consequences, a category that encompasses income tax penalty and prosecution proceedings. It further argues that Clause 247 fails the proportionality test at the necessity stage because less restrictive alternatives, including a prior judicial authorisation requirement modelled on the UK’s Schedule 36, Finance Act 2008, and the PMLA’s Section 17 framework, are both available and effective. Drawing on the United States Supreme Court’s decisions in Riley v. California (2014) and Carpenter v. United States (2018), and the European Court of Human Rights’ decision in Funke v. France (1993), the article proposes a constitutional implementation framework comprising: a mandatory prior authorisation requirement before a Tax Tribunal or designated Magistrate; a targeted access requirement limiting digital intrusion to categories of data rationally connected to the subject matter of the investigation; a legal privilege sift protocol; a mandatory post-access disclosure obligation; and a statutory exclusionary rule for evidence obtained in material breach of the framework.

Keywords: Clause 247; Income Tax Bill 2025; Virtual Digital Space; Compelled Decryption; Article 20(3); Article 21; Puttaswamy; Proportionality; Right to Privacy; Self-Incrimination; Tax Search and Seizure; Digital Evidence; Schedule 36 Finance Act 2008.

I. Introduction

On February 13, 2025, the Finance Minister of India introduced the Income Tax Bill, 2025, in the Lok Sabha, a legislation intended to replace the sixty-four-year-old Income-Tax Act, 1961, with a simpler, more legible framework.[1] The Bill has 536 clauses, 23 chapters, and, by the government’s account, roughly half the word count of its predecessor. Commentators have noted its structural clarity and commendable consolidation of a statute that, over six decades, had accumulated provisions, provisos, explanations, and schedules of bewildering complexity. But Clause 247, a single provision dealing with search and seizure in the context of digital assets and virtual digital spaces, has generated more constitutional controversy than the rest of the Bill combined.

The clause is deceptively compact. It empowers an authorised officer who has ‘reason to believe’ that a taxpayer possesses undisclosed income or assets to ‘gain access by overriding the access code to any said computer system, or virtual digital space, where the access code thereof is not available.’[2] The phrase ‘virtual digital space’ is defined with deliberate breadth in Clause 261(i) to encompass email servers, social media accounts, online investment and trading accounts, banking accounts, cloud servers, and digital application platforms.[3] In a single clause, the Indian tax administration has claimed the power to enter and search the most intimate repositories of personal, professional, and financial information that contemporary digital life generates, without a warrant, without prior judicial authorisation, and without any obligation to limit the scope of access to information that is demonstrably relevant to the subject matter of the investigation.

The constitutional stakes are high, and the doctrinal questions are novel. The nine-judge bench decision in Puttaswamy[4] established, in 2017, that informational privacy, the right of an individual to control information about herself, is a fundamental right protected by Articles 14, 19, and 21 of the Constitution. The Supreme Court’s proportionality framework requires that any state intrusion on this right be: (i) sanctioned by a valid law; (ii) directed at a legitimate aim; and (iii) proportionate, meaning that the means adopted do not exceed what is necessary to achieve the aim.[5] The question of whether Clause 247 satisfies all three conditions, particularly the proportionality condition, is the central analytical problem this article addresses.

A secondary but equally important constitutional question concerns the right against self-incrimination under Article 20(3). The Supreme Court in Selvi v. State of Karnataka[6] held that the protection against ‘testimonial compulsion’ extends to the investigative stage and encompasses any communication of personal knowledge that is likely to have an incriminating impact. The compelled disclosure of a decryption key or access code, which communicates knowledge of the key, possession of the account, and authentication of the contents, is, this article argues, a paradigmatic testimonial act.[7] Where the exercise of Clause 247 is connected, even indirectly, to proceedings carrying criminal or quasi-criminal consequences, including income tax penalty proceedings under Chapter XXI of the Bill, Article 20(3) is engaged.

A third dimension concerns the interaction of Clause 247 with the Digital Personal Data Protection Act, 2023 (DPDP Act),[8] and the absence of any provision protecting third-party personal data that may be accessed incidentally when tax authorities enter a taxpayer’s email server or cloud storage containing communications with persons who are not themselves the subject of any investigation. The Bill creates a regulatory conflict that its drafters do not appear to have considered.

The article proceeds as follows. Part II maps the statutory architecture of Clause 247 against its predecessor provision under Section 132 of the IT Act, 1961, and situates the provision in the broader legislative context of the IT Bill, 2025. Part III examines the constitutional framework, with particular attention to the Puttaswamy privacy doctrine and its three-fold proportionality standard. Part IV analyses the Article 20(3) dimension: whether compelled decryption constitutes testimonial compulsion, and whether the tax-penalty nexus is sufficient to engage the protection. Part V examines the interaction between Clause 247 and the DPDP Act, 2023. Part VI undertakes a comparative analysis of digital search powers in the United Kingdom and the United States. Part VII proposes a constitutional implementation framework for Clause 247 that preserves its legitimate enforcement objectives while satisfying the requirements of Articles 14, 19, 20(3), and 21. Part VIII concludes.

II. The Statutory Architecture: Clause 247 and the Radical Expansion of Tax Search Powers

A. The Pre-Bill Position: Section 132 of the Income-Tax Act, 1961

Section 132 of the Income-Tax Act, 1961 conferred on authorised officers a comprehensive package of physical search and seizure powers: entry into and search of buildings, places, vehicles, and vessels; the opening of locks on doors, boxes, lockers, safes, and almirahs; and the seizure of books of account, documents, money, jewellery, and other valuable articles.[9] The provision also permitted the inspection of ‘electronic records’ as defined in the Information Technology Act, 2000, a concession to the digital age that was incorporated by amendment without reconsidering the provision’s underlying procedural architecture, which was designed for the physical world.

The key characteristic of Section 132’s digital regime was that it relied on taxpayer cooperation: an officer could require the production of electronic records and inspect them, but the provision did not expressly confer the power to override access codes or bypass encryption without the account-holder’s assistance. The Delhi High Court, in S.R. Batliboi & Co. LLP v. Department of Income Tax,[10] held that Section 132(1)(iib) imposed a compulsion on the owner of seized laptops to provide the password to enable inspection. But the court immediately circumscribed this power, holding that such compulsion could only be exercised in the context of a validly executed, specifically targeted search warrant, and ordered the return of the laptops in that case because the search amounted to a ‘roving inquiry.’

The jurisprudence on the pre-Bill framework therefore rested on two principles: (i) that digital compulsion (password disclosure) was a lawful incidence of a validly issued search warrant; and (ii) that the warrant must be specifically targeted, with a rational nexus between the information in the officer’s possession and the assets or income sought, a standard confirmed by the Supreme Court in M/S Techspan India Pvt. Ltd.[11] and Laljibhai Kanjibhai Mandalia.[12] Clause 247 of the IT Bill, 2025, is designed to supersede both limitations.

B. Clause 247: The New Statutory Framework

Clause 247(1)(b)(iii) of the IT Bill, 2025 empowers an authorised officer, who has reason to believe on the basis of information in his possession, to ‘gain access by overriding the access code to any said computer system, or virtual digital space, where the access code thereof is not available.’[13] The condition precedent is a two-part test: (i) the officer must possess information, and (ii) that information must give rise to a reason to believe that the taxpayer has failed or omitted to produce required documents or information in any electronic media or computer system as required by a summons or notice issued under the Bill.

Four features of the provision demand immediate constitutional attention. First, the provision does not define the standard of information required to establish the ‘reason to believe’ threshold, leaving its content entirely to the subjective assessment of the authorised officer, a deficiency identified in the IFF Submission to the Select Committee.[14] and one that is in direct tension with the Supreme Court’s holding in Techspan[15] that the reason to believe must be rational, non-arbitrary, and judicially reviewable.

Second, the provision requires no prior judicial authorisation. The officer who forms the reason to believe is the same officer who executes the override, a structural conflation of the investigative and authorising functions that the Supreme Court has, in other contexts, treated as a marker of constitutional invalidity.[16]

Third, the scope of access is uncircumscribed. Once an officer overrides the access code to a taxpayer’s email server or social media account, there is no provision in Clause 247, or anywhere else in the IT Bill, 2025, that limits the officer’s inspection to material that is demonstrably relevant to the subject matter of the investigation. The officer may, in principle, inspect every email, private message, and stored document on the server, regardless of its relevance to any particular income concealment.

Fourth, and most critically from the perspective of third-party rights, the ‘virtual digital spaces’ accessible under Clause 247 are not exclusive to the taxpayer’s private information. An email server contains communications with legal advisers (engaging legal professional privilege),[17] family members, business partners, employees, and co-investors. A social media account may contain private messages from persons having no connection to the taxpayer’s tax affairs. The IT Bill, 2025, contains no provision for protecting the personal data of these third parties, no privilege sift mechanism, and no post-access disclosure obligation informing affected third parties that their data has been accessed.

C. The Select Committee Review

Acknowledging the controversy surrounding Clause 247 and related provisions, the Lok Sabha referred the IT Bill, 2025, to a thirty-one-member Select Committee for examination.[18] The Committee, headed by Shri Baijayant Panda, received representations from digital rights organisations, professional bodies, and legal experts urging amendments to Clause 247. The Internet Freedom Foundation, in its submission, urged the Committee to: (i) insert express proportionality language requiring the adoption of the least invasive means; (ii) require prior judicial or tribunal authorisation before any override; (iii) introduce mandatory data minimisation requirements; and (iv) establish a post-access disclosure obligation. As of the date of this article, the Committee had not published its report, and the constitutional questions examined below thus remain live.

III. The Constitutional Framework: Privacy, Dignity, and Proportionality

A. The Puttaswamy Doctrine: Informational Privacy as a Fundamental Right

The constitutional analysis of Clause 247 begins with the nine-judge bench decision in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors.[19] , the most important constitutional judgment in India since the Kesavananda Bharati decision in 1973. The bench unanimously held that ‘the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,’ explicitly overruling the eight-judge bench in M.P. Sharma[20] and the majority in Kharak Singh to the extent that those decisions denied a constitutional right to privacy.

For the present analysis, three aspects of Puttaswamy are foundational. First, Justice Chandrachud’s holding that ‘Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone.’[21] The content of the right, ‘personal intimacies,’ ‘the home,’ and the broader right to be ‘left alone, ‘ encompasses with equal force the digital home: the email account, the personal cloud, the private messages stored on a social media platform.

Second, the specific holding on informational privacy: Justice Chandrachud observed that ‘the right to privacy is a fundamental right’ that ‘protects the inner sphere of the individual from interference from both State and non-State actors and allows the individuals to make autonomous life choices,’ and that ‘informational privacy’, the capacity to control information about oneself, is ‘intrinsically linked to the dignity, self-respect and sense of personhood of an individual.’[22] A virtual digital space is, pre-eminently, a repository of informational privacy: it holds the taxpayer’s thoughts, plans, health information, financial strategies, family communications, and professional relationships. The state’s power to access it at will, without independent oversight, strikes at the core of what the nine-judge bench recognised as a constitutionally protected right.

Third, and of immediate doctrinal relevance, the three-fold proportionality test. Puttaswamy held, and the subsequent five-judge bench in Puttaswamy II (Aadhaar)[23] confirmed that ‘an invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them.’[24] Each of these three conditions presents a distinct constitutional problem for Clause 247.

B. Applying the Three-Fold Test to Clause 247

1. Legality

The first condition, legality, requires that the intrusion be sanctioned by a valid law. Clause 247, once the IT Bill, 2025, is enacted, will satisfy the formal legality requirement: it is a provision of primary legislation introduced by the executive and passed by Parliament, which is precisely the kind of ‘procedure established by law’ contemplated by Article 21. However, Maneka Gandhi[25] established that the procedure established by law must be ‘right, just, and fair, not arbitrary, fanciful, or oppressive.’ A procedure that gives a single administrative officer unbounded discretion to access all categories of a taxpayer’s digital life , without defining the standard of ‘reason to believe,’ without requiring prior judicial oversight, and without limiting the scope of access to relevant material , is a procedure that is, in the Maneka Gandhi sense, arbitrary and therefore constitutionally infirm at the legality stage itself.

2. Legitimate Aim

The second condition , a legitimate aim , is the easiest for the Revenue to satisfy. The detection and prevention of tax evasion is a recognised state interest of the highest order: it funds public services, maintains fiscal integrity, and sustains the constitutional commitments of the welfare state enshrined in Part IV of the Constitution. No serious constitutional challenge can deny that Clause 247 serves a legitimate aim.

However, the legitimate aim of tax enforcement does not operate without limit. The Supreme Court in Gobind v. State of Madhya Pradesh[26] held that even where the state has a legitimate enforcement interest, the individual’s privacy interest must be weighed in the balance, and the state’s right to regulate must be ‘less than complete’ where the personal privacy interest is substantial. The virtual digital space of an individual taxpayer is not merely a store of financial records: it is a repository of the totality of the taxpayer’s personal, professional, and relational life. The weight of the privacy interest engaged by Clause 247’s access power is not proportionate to the fiscal enforcement interest that it is designed to serve, at least in the absence of the targeted-access and prior-authorisation safeguards proposed in Part VII.

3. Proportionality: The Decisive Condition

The proportionality condition is where Clause 247 is most constitutionally vulnerable. The Puttaswamy II[27] bench held that proportionality required the identification and adoption of the least restrictive means: where an equally effective alternative measure exists that is less invasive of the fundamental right, the more invasive measure fails the proportionality standard. Clause 247 fails this analysis on three grounds.

First, a prior judicial authorisation requirement , mandating that the authorised officer obtain approval from a Tax Tribunal or designated Magistrate before executing any digital override , would be at least as effective in achieving the aim of tax enforcement, while materially reducing the privacy intrusion. The existence of such mechanisms in comparable jurisdictions , the UK’s Schedule 36 and Section 20C framework,[28][29] and the US’s warrant requirement under 18 U.S.C. § 2703[30] , demonstrates that prior judicial oversight is not only feasible but is the international standard for this category of state power. The PMLA’s own Section 17 requires recording of reasons in writing and disclosure to the Adjudicating Authority.[31] Clause 247 requires neither.

Second, a targeted access requirement , limiting the officer’s inspection to categories of data (e.g., financial transaction records, asset-related communications) that are demonstrably relevant to the specific subject matter of the investigation, and excluding communications of a personal, medical, or legally privileged nature , would be a materially less invasive means of achieving the same enforcement objective. Clause 247 is unrestricted in scope; no such requirement appears anywhere in the IT Bill, 2025.[32]

Third, a data minimisation requirement , specifying that only data necessary to the investigation may be accessed, copied, or retained , would align Clause 247 with the data protection obligations already enshrined in the DPDP Act, 2023 and reduce the collateral invasion of third-party privacy rights. The DPDP Act’s own framework is of no assistance here because the State’s exemption under Section 17(2)(a) is self-granted and is not independently supervised.[33]

IV. Article 20(3) and the Testimonial Character of Compelled Decryption

A. The Scope of Article 20(3): The Selvi Framework

Article 20(3) of the Constitution provides that ‘No person accused of any offence shall be compelled to be a witness against himself.’[34] Its protective scope, as authoritatively settled by the Supreme Court in Selvi & Ors. v. State of Karnataka,[35] extends to any act , whether oral, written, or otherwise , that constitutes ‘testimonial compulsion’: the involuntary communication of personal knowledge that is likely to have an incriminating impact on the person compelled.

The foundational three-judge bench decision in Selvi held that the right against self-incrimination applies at every stage of the criminal justice process , from the earliest phase of police investigation to trial , and is not confined to the moment of courtroom testimony. The Court held that ‘any giving of evidence, any furnishing of information, if likely to have an incriminating impact, answers the description of being a witness against oneself. Not being limited to the forensic stage by express words in Article 20(3) of the Constitution, the expression has to be construed to apply to every stage where furnishing of information and collection of materials takes place.’[36]

The Court drew the critical distinction between: (i) testimonial compulsion , compelling a person to communicate personal knowledge, which is prohibited by Article 20(3); and (ii) physical compulsion , compelling a person to submit to physical examination or produce physical objects, which is not prohibited. In the former category, the protection is absolute: ‘the results obtained through the involuntary administration of either of the impugned tests come within the scope of “testimonial compulsion”, thereby attracting the protective shield of Article 20(3) of the Constitution.’[37] The test was derived from the constitutional bench’s earlier analysis in State of Bombay v. Kathi Kalu Oghad,[38] which distinguished between the compelled production of pre-existing documents and the compelled active communication of personal knowledge from the accused’s mind.

B. Compelled Decryption as Testimonial Act

The central analytical question for Clause 247 is whether the compelled disclosure of a decryption key or access code constitutes a ‘testimonial act’ within the meaning of the Selvi framework. The answer, this article argues, is yes , for the following reasons.

Disclosing a decryption key or access code communicates three separate pieces of personal knowledge: (i) that the key or code exists and has a particular content; (ii) that the person disclosing it knows the key or code , meaning that they have possession of and access to the account it protects; and (iii) that the account whose access code is disclosed exists and contains accessible data. Each of these communications is a testimonial act of personal knowledge: none of them is a physical act like the production of a blood sample or a handwriting exemplar. The United States Supreme Court reached an equivalent conclusion in Fisher v. United States,[39] holding that the ‘act of production’ of documents in response to a subpoena can be testimonial where it implicitly communicates authentication of the documents , and in United States v. Hubbell,[40] where the Court extended this principle to bar the subsequent use of compelled production in a criminal prosecution.

The Indian doctrinal architecture , as developed in Kathi Kalu Oghad[41] and Selvi[42] , arrives at the same conclusion through the testimonial/physical distinction. When a taxpayer is compelled under Clause 247 to disclose the password to their cloud server or email account, they are communicating to the authorised officer: ‘I know this password, I have access to this account, and this account contains information.’ That is precisely the kind of ‘furnishing of personal knowledge of a relevant fact’ that Selvi held falls within Article 20(3)’s protection.

C. The Tax-Penalty Nexus: When Does Article 20(3) Engage?

Article 20(3) applies to a ‘person accused of any offence.’ The provision is strictly limited to persons who have been formally accused of an offence in a court of law, and not to every person subject to investigation , a limitation confirmed by Kathi Kalu Oghad.[43] However, Selvi held that the protection also extends to persons being investigated in circumstances where the results of the investigation are likely to be used against them in prosecution proceedings, and the Supreme Court has recognised that tax penalty proceedings under the IT Act , which carry the character of quasi-criminal proceedings , bring the taxpayer within the zone of constitutional protection.

The critical connection is between the information gathered through Clause 247’s digital access power and its subsequent use in penalty or prosecution proceedings. Chapter XXI of the IT Bill, 2025 contains provisions for the imposition of penalties for concealment of income and for prosecution for wilful evasion. Where information obtained through a compelled digital access , including a compelled password disclosure , is subsequently used to establish the fact of concealment for the purpose of a penalty proceeding, the nexus between the compulsion and the criminal or quasi-criminal consequence is established, and Article 20(3) is directly engaged.

The European Court of Human Rights reached an equivalent conclusion , through the lens of Article 6(1) of the ECHR, which encompasses the right against self-incrimination , in Funke v. France,[44] holding that compelling a taxpayer to produce documents in a tax investigation, under threat of criminal penalty for non-compliance, violated the right not to incriminate oneself even though the primary purpose was tax enforcement rather than criminal prosecution. The Indian position, post-Selvi, is broadly consistent with this analysis, and the ECHR jurisprudence is instructive as to the outer boundaries of the state’s enforcement power.

V. The Intersection of Clause 247 with the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) creates a consent-based framework for the processing of digital personal data by fiduciaries , entities that determine the purpose and means of processing.[45] The tax authority, when exercising the powers under Clause 247, is a data fiduciary for the purposes of the DPDP Act: it determines the purpose (tax investigation) and the means (digital override) of processing the taxpayer’s personal data.

The DPDP Act’s consent requirement is displaced where processing is ‘necessary for compliance with any law for the time being in force in India’ (Section 7(d)) or where the Central Government has notified a specific exemption under Section 17(2)(a).[46] If and when the IT Bill, 2025 is enacted, Clause 247 will constitute ‘law’ for the purposes of Section 7(d), providing a basis for processing the taxpayer’s own personal data without consent. However, three critical gaps remain.

First, Section 7(d) covers only processing ‘necessary’ for the legal obligation , a necessity standard that maps directly onto the proportionality condition in Puttaswamy.[47] To the extent that Clause 247 grants access beyond what is ‘necessary’ , for example, by allowing inspection of personal and medical communications alongside financial records , the Section 7(d) exemption is itself limited and will not cover the excess.

Second , and most acutely , Section 7(d) applies only to the taxpayer’s own personal data. The email server and social media account of a typical taxpayer contain vast quantities of personal data of third parties: co-investors, employees, family members, business correspondents. These third parties have not consented to the processing of their data by tax authorities. They are not the subject of any investigation. And the DPDP Act provides no basis on which tax authorities can process their data without consent: the Section 7(d) exemption is personal to the legal obligation owed by the data fiduciary to the taxpayer-subject, not to unconnected third parties.[48]

Third, the extraterritorial dimension raises a separate conflict. A significant proportion of the ‘virtual digital spaces’ within the definition of Clause 261(i) are hosted on servers located outside India , AWS servers in the United States, Google Cloud in the European Union, Alibaba Cloud in Singapore. Where data is stored in the European Union, the GDPR[49] imposes restrictions on cross-border data transfers to India (which does not currently hold an adequacy decision from the European Commission) that may render the transfer of data accessed under Clause 247 to Indian tax authorities in India itself a violation of the GDPR. The Microsoft Ireland case[50] in the United States raised identical jurisdictional conflicts, which were ultimately resolved only through specific federal legislation (the CLOUD Act). India has not enacted equivalent legislation, and Clause 247 does not address extraterritorial enforcement at all.

VI. Comparative Analysis: Digital Search Power in the United Kingdom and the United States

A. United Kingdom: The Schedule 36 Framework and the Judicial Warrant Requirement

Schedule 36 of the Finance Act 2008 confers HMRC with the power to issue ‘information notices’ requiring taxpayers and third parties to provide information and produce documents.[51] The taxpayer has a right to appeal to the First-Tier Tax Tribunal against both the issuance of the notice and any specific requirement within it , meaning that a judicial body must assess the proportionality of each information demand before the taxpayer is required to comply. For the most intrusive categories of access , entry into premises, physical search, and seizure of documents , HMRC must obtain a judicial warrant under Section 20C of the Taxes Management Act 1970, issued by a Circuit Judge on the basis of specified jurisdictional conditions.[52]

Crucially, Schedule 36 does not confer on HMRC any power to override digital access codes or bypass encryption without the taxpayer’s cooperation. The UK position , which reflects a considered policy choice by the Parliament at Westminster , is that the compelled override of digital protections requires a level of judicial authorisation that the standard HMRC information notice does not provide. The contrast with Clause 247’s administrative override power, exercisable without prior judicial involvement, is stark and constitutionally significant.

The United Kingdom’s framework also contains a privilege sift mechanism: information notices under Schedule 36 explicitly exclude legally privileged material, and HMRC cannot compel the production of communications protected by legal professional privilege without specific judicial authorisation. The IT Bill, 2025 contains no equivalent protection.[53]

B. United States: The Warrant Requirement and the Compelled Decryption Jurisprudence

The United States Constitution’s Fourth Amendment , which prohibits unreasonable searches and seizures and generally requires a warrant supported by probable cause for the search of digital information , was applied by the Supreme Court to digital search in the landmark case of Riley v. California,[54] decided unanimously in 2014. Chief Justice Roberts, writing for the Court, held: ‘Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life.” The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.’

The Court’s conclusion , ‘get a warrant’ , reflects a bright-line rule that prior judicial authorisation is constitutionally mandatory for digital content searches. The Stored Communications Act[55] applies this requirement at the statutory level to compelled disclosure by service providers. Four years later, in Carpenter v. United States,[56] the Supreme Court held that even the aggregation of digital data , in that case, historical cell-site location records held by a third-party carrier , constituted a search requiring a warrant, because the accumulation of digital information across categories over time revealed ‘the privacies of life’ in a manner that attracted the highest constitutional protection.

The US Fifth Amendment dimension , the right against self-incrimination , has been engaged by the compelled decryption question through the ‘act of production’ doctrine developed in Fisher v. United States[57] and refined in United States v. Hubbell.[58] The act of producing a decryption key communicates to the government that: (i) the defendant knows the key; (ii) the key decrypts the material sought; and (iii) the material is authentic , each of which is a testimonial communication of personal knowledge. The parallels with the Indian Selvi framework are direct, and the US jurisprudence provides a developed analytical toolkit for extending the Indian Article 20(3) analysis to the digital decryption context.

VII. A Constitutional Implementation Framework for Clause 247

The analysis in Parts III through VI demonstrates that Clause 247, in its current form, is constitutionally infirm in three distinct respects: it fails the proportionality condition of the Puttaswamy three-fold test at the necessity stage; it is structurally vulnerable to Article 20(3) challenge where the compelled disclosure of access codes is subsequently used in penalty or prosecution proceedings; and it creates an unresolved conflict with the DPDP Act, 2023 in respect of third-party personal data. The article proposes the following five-element constitutional implementation framework, drawn from the best practice of the UK, US, and Indian statutory architecture.[59]

First, a mandatory prior authorisation requirement. Before any authorised officer exercises the override power under Clause 247, the officer must obtain prior authorisation from a Tax Tribunal (at the First-Tier Tax Tribunal level) or a designated Judicial Magistrate. The application for authorisation must set out: (i) the specific taxpayer and the specific investigation; (ii) the categories of virtual digital spaces to be accessed, with reasons for each; (iii) the specific ‘reason to believe’ on which the application is based, including the information in the officer’s possession and its rational connection to the belief; and (iv) the reasons why less intrusive means (such as a formal information notice or summons) would not achieve the same investigative objective. The authorising authority must independently assess the sufficiency of the grounds and the proportionality of the proposed access before granting authorisation. This model draws on Section 20C of the UK Taxes Management Act 1970,[60] Section 17 of the PMLA,[61] and Section 97 of the BNSS.[62]

Second, a targeted access requirement. Any authorisation granted under the first element must specify the categories of virtual digital spaces to be accessed and the specific categories of information to be inspected , limiting access to financial records, asset-related communications, and transactional data demonstrably relevant to the investigation, and expressly excluding communications of a medical, personal, or privileged nature. Officers must be prohibited from inspecting material outside the authorised categories. This requirement corresponds to the particularity requirement of the US Fourth Amendment warrant framework as applied in Riley.[63]

Third, a legal privilege sift protocol. All material accessed under Clause 247 must, before inspection by the investigating officer, be reviewed by a designated privilege sift officer (comparable to the US ‘taint team’) who is independent of the investigating team and is charged with identifying and segregating legally privileged material.[64] Legally privileged material must be returned to the taxpayer or sealed pending challenge, and must not be adduced in evidence in any proceedings. This requirement draws on the UK’s legal professional privilege protections under Schedule 36 of the Finance Act 2008.[65]

Fourth, a mandatory post-access disclosure obligation. Within 48 hours of the conclusion of any digital access operation under Clause 247, the authorised officer must: (i) file a post-access report with the authorising Tribunal or Magistrate specifying the categories of virtual digital spaces accessed, the duration of access, and a description of the information accessed; (ii) provide a copy of the post-access report to the taxpayer; and (iii) notify any identifiable third parties whose personal data was accessed. This obligation corresponds to the PMLA’s Section 17(4) post-search disclosure requirement[66] and ensures that the authorising authority retains oversight of whether the access was conducted within the scope of the authorisation.

Fifth, a statutory exclusionary rule. Evidence obtained in material breach of any of the first four elements , access without prior authorisation, access exceeding the authorised scope, failure to conduct a privilege sift, or failure to make the mandatory post-access disclosure , must be inadmissible in any penalty, assessment, or prosecution proceeding against the taxpayer from whose virtual digital space the evidence was obtained. The adoption of a limited statutory exclusionary rule in the tax context would represent a measured but significant constitutional development, addressing the doctrinal gap left by Pooran Mal[67] in the post-Puttaswamy constitutional landscape.

VIII. Conclusion

The Indian tax administration’s decision to extend its search and seizure powers to virtual digital spaces is a legitimate and, given the reality of digital-era income concealment, a necessary response to modern tax evasion. The problem is not the objective; it is the instrument. Clause 247 of the Income Tax Bill, 2025 is an instrument of extraordinary breadth , empowering a single administrative officer to override the digital locks protecting the most intimate repositories of personal, professional, and financial information in a taxpayer’s life , and it has been fashioned without the constitutional discipline that the nine-judge bench in Puttaswamy made mandatory for all state intrusions on informational privacy.

The proportionality analysis is, on the evidence of this article’s examination, adverse to Clause 247 in its present form. The first condition , legality , is formally satisfied but is substantively infirm because the procedure is arbitrary in the Maneka Gandhi sense. The second condition , legitimate aim , is satisfied. The third condition , proportionality , is not: there exist less intrusive, equally effective alternatives (prior judicial authorisation, targeted access, privilege sift, and post-access disclosure) whose absence from Clause 247 is constitutionally fatal. The Article 20(3) analysis, grounded in Selvi’s testimonial compulsion doctrine, further bars the use of compelled password disclosures in proceedings carrying criminal or quasi-criminal consequences. And the conflict with the DPDP Act in respect of third-party personal data is a regulatory oversight of the first order.

The Select Committee review of the IT Bill, 2025 is the immediate legislative opportunity to remedy these deficiencies. The five-element framework proposed in Part VII of this article , prior authorisation, targeted access, privilege sift, post-access disclosure, and a statutory exclusionary rule , would bring Clause 247 into constitutional conformity with the Puttaswamy proportionality standard, align Indian practice with the international best practice represented by the UK’s Schedule 36 and the US’s Fourth Amendment warrant requirement, and ensure that the constitutionally-mandated balance between effective tax enforcement and the fundamental right to privacy is struck at the design stage rather than resolved, as is so often the case, by litigation after the damage has already been done.

Notes:

[1]Income Tax Bill, 2025, cl. 247(1)(b)(iii) (India) [hereinafter IT Bill, 2025]. The Bill was introduced in the Lok Sabha on February 13, 2025 by the Hon’ble Finance Minister Smt. Nirmala Sitharaman. It seeks to replace the Income-Tax Act, 1961, No. 43, Acts of Parliament, 1961 (India). As of the date of this article, the Bill had been referred to a thirty-one-member Select Committee of the Lok Sabha (headed by Shri Baijayant Panda) for examination and report. The Bill is projected to come into effect on April 1, 2026.

[2]IT Bill, 2025, cl. 247(1)(b)(iii). The operative text authorises an authorised officer, consequent upon possessing information and having reason to believe the prescribed conditions are met, to “gain access by overriding the access code to any said computer system, or virtual digital space, where the access code thereof is not available.”

[3]IT Bill, 2025, cl. 261(i). The full statutory definition reads: “‘virtual digital space’ means an environment, area or realm, that is constructed and experienced through computer technology and not the physical, tangible world which encompasses any digital realm that allows users to interact, communicate and perform activities using computer systems, computer networks, computer resources, communication devices, cyberspace, internet, worldwide web and emerging technologies, using data and information in the electronic form for creation or storage or exchange and includes, (i) email servers; (ii) social media account; (iii) online investment account, trading account, banking account, etc.; (iv) any website used for storing details of ownership of any asset; (v) remote server or cloud servers; (vi) digital application platforms; and (vii) any other space of similar nature.”

[4]Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1 (India) [hereinafter Puttaswamy]. The case was decided by a nine-judge constitutional bench on August 24, 2017. The bench comprised C.J.I. J.S. Khehar and JJ. J. Chelameswar, S.A. Bobde, R.K. Agrawal, R.F. Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul, and S.A. Nazeer. The bench unanimously held that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” The judgment overruled M.P. Sharma v. Satish Chandra, AIR 1954 SC 300 (India) (eight-judge bench), and the majority opinion in Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 (India), to the extent those decisions denied a constitutional right to privacy.

[5]Puttaswamy, (2017) 10 SCC 1 (India). The three-fold test for State intrusion on privacy, as synthesised from Justice Chandrachud’s lead judgment, requires: (i) legality, the action must be sanctioned by a valid law; (ii) need, the action must serve a legitimate State aim; and (iii) proportionality, there must be a rational nexus between the means adopted and the aim pursued, and the means must not exceed what is necessary. In terms confirmed by the Supreme Court’s own headnote at (2017) 10 SCC 1, ¶ (iii): “An invasion of life or personal liberty must meet the three-fold requirement of, (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.”

[6]Selvi & Ors. v. State of Karnataka & Anr., (2010) 7 SCC 263 (India) [hereinafter Selvi]. Decided on May 5, 2010 by a three-judge bench comprising C.J.I. K.G. Balakrishnan, and JJ. R.V. Raveendran and J.M. Panchal. The case arose from challenges to the compulsory administration of narco-analysis, polygraph examination, and Brain Electrical Activation Profile (BEAP) tests on accused persons, suspects, and witnesses in criminal investigations across multiple states. The Court considered whether such administration constituted “testimonial compulsion” within the meaning of Article 20(3).

[7]Selvi, (2010) 7 SCC 263 (India). The Supreme Court held: “Any giving of evidence, any furnishing of information, if likely to have an incriminating impact, answers the description of being a witness against oneself. Not being limited to the forensic stage by express words in Article 20(3) of the Constitution, the expression has to be construed to apply to every stage where furnishing of information and collection of materials takes place. That is to say, even the investigation at the police level is embraced by Article 20(3).” This formulation extended the Article 20(3) protection beyond the courtroom and into the investigative stage, a holding of direct relevance to tax search and seizure proceedings.

[8]Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India) [hereinafter DPDP Act]. The DPDP Act establishes a consent-based framework for the processing of digital personal data. Section 7(d) provides a legitimate use exemption permitting a data fiduciary to process personal data without the data principal’s consent for the purpose of “fulfilling any obligation under any law for the time being in force in India.” Section 17(2)(a) permits the Central Government to exempt, by notification, the processing of personal data by any instrumentality of the State “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognisable offence.”

[9]The Income-Tax Act, 1961, No. 43, Acts of Parliament, 1961, § 132(1) (India). Section 132(1) empowers an authorised officer to enter and search any building, place, vessel, vehicle or aircraft; break open the lock of any door, box, locker, safe, almirah or other receptacle where keys are unavailable; seize any books of account, documents, money, bullion, jewellery or other valuable articles; and place marks of identification on and take extracts from books of account and other documents. Crucially, while the provision permitted inspection of “electronic records” under amendment, it did not confer the power to override digital access codes or bypass encryption without the account-holder’s cooperation.

[10]See S.R. Batliboi & Co. LLP v. Dep’t of Income Tax, W.P. (C) 5338/2009 (Del. H.C. 2009) (India). The Delhi High Court held that Section 132(1)(iib) of the IT Act, 1961, as it then stood, imposed a compulsion on the owner of seized laptops to provide the Department with the password to enable inspection of books of account. However, the Court found that the exercise of such power in that case constituted a “roving inquiry” and directed: “The Respondents [tax authorities] are directed to forthwith return the laptops to the Petitioner.” The decision establishes that even under the pre-2025 regime, password-compulsion was treated as a lawful incidence of a validly-executed search warrant — but subject to the requirement that the search itself be specifically targeted and not arbitrary. Clause 247 of the IT Bill, 2025 now expressly codifies and extends this compulsion to all virtual digital spaces.

[11]See Income Tax Officer Ward No. 16(2) v. M/S Techspan India Pvt. Ltd., (2018) 5 SCC 748 (India). The Supreme Court held, in the context of Section 132 of the IT Act, 1961, that the requirement of “reason to believe” imposes a genuine threshold of rational nexus: there must be a rational connection between the information in the officer’s possession and the conclusion that the person has failed to disclose income or assets, and the “reason to believe” must not be actuated by mala fides, pretence, or extraneous considerations. The Court held that while courts cannot assess the adequacy of the grounds, they can examine whether the grounds are rational, non-arbitrary, and untainted.

[12]See Pr. DIT (Inv.) v. Laljibhai Kanjibhai Mandalia, (2022) 3 SCC 562 (India). The Supreme Court reinforced the principle that search and seizure powers under Section 132 of the IT Act, 1961, are exceptional in character and must be strictly construed, with the jurisdictional precondition of “reason to believe” forming a genuine, judicially reviewable threshold and not a mere administrative formality.

[14]See Internet Freedom Foundation, Submission to the Select Committee to Examine the Income Tax Bill, 2025 (Mar. 11, 2025) [hereinafter IFF Submission]. The IFF submission urged the Select Committee to: (i) insert express proportionality language requiring the least invasive means; (ii) require independent judicial oversight prior to override; (iii) introduce data minimisation requirements to protect third-party personal data accessed incidentally; and (iv) provide a mandatory post-search disclosure obligation analogous to PMLA Section 17(4). As of the date of this article, the Select Committee had not published its report.

[16]See DGIT v. Spacewood Furnishers Pvt. Ltd., (2015) 12 SCC 179 (India). The Supreme Court held that the power to search and seize under Section 132 of the IT Act, 1961, is a drastic power, must be based on tangible information, and cannot be exercised on the basis of mere suspicion or conjecture. The Court directed that information relied upon must have a nexus with the belief of concealment.

[17]The Advocates Act, 1961, No. 25, Acts of Parliament, 1961, § 126 (India); Bharatiya Sakshya Adhiniyam, 2023, No. 47, Acts of Parliament, 2023, §§ 130-134 (India). Section 126 of the Advocates Act prohibits an advocate from disclosing communications made to him in the course and for the purpose of his employment as an advocate. Sections 130-134 of the BSA preserve legal professional privilege, prohibiting compelled disclosure of confidential communications between a legal adviser and his client. Clause 247’s power to override access codes and access “all” content within virtual digital spaces, including email servers, without any provision for privilege review creates a risk of inadvertent compelled disclosure of privileged communications. The absence of a privilege sift mechanism analogous to the “taint team” procedure used in US federal criminal investigations is a structural deficiency in the IT Bill, 2025’s digital access framework.

[20]M.P. Sharma v. Satish Chandra, District Magistrate, Delhi, AIR 1954 SC 300 (India). An eight-judge bench held that the power of search and seizure under the Code of Criminal Procedure did not violate Article 20(3), on the ground that the provision was limited to compelling an accused to be a witness against himself in the courtroom sense, and did not extend to the seizure of documents. The Court further held, an observation that has been overruled in part by Puttaswamy, that the Indian Constitution did not recognise a constitutional right to privacy analogous to the Fourth Amendment of the United States Constitution. To the extent that M.P. Sharma denied a fundamental right to privacy, it has been explicitly overruled by the nine-judge bench in Puttaswamy. Its holding on Article 20(3) and search/seizure, however, survives as a qualified precedent.

[21]Puttaswamy, (2017) 10 SCC 1, ¶ 648 (per Chandrachud, J.) (India). Justice Chandrachud, writing for four members of the nine-judge bench, held: “Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone.” The same paragraph characterised privacy as having both normative and descriptive dimensions: normatively, privacy sub-serves the eternal values of life, liberty, and freedom; descriptively, privacy postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty.

[22]Puttaswamy, (2017) 10 SCC 1, ¶¶ 263-265 (per Chandrachud, J.) (India). The majority observed: “The right to privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State and non-State actors and allows the individuals to make autonomous life choices.” Justice Chandrachud further held that “informational privacy”, the right of an individual to control information about herself, is an essential aspect of the fundamental right to privacy: “The ability to control information about oneself is intrinsically linked to the dignity, self-respect and sense of personhood of an individual.”

[23]Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (Aadhaar-5J), (2019) 1 SCC 1 (India) [hereinafter Puttaswamy II]. The five-judge bench applied the three-fold proportionality test to assess the validity of various provisions of the Aadhaar Act, 2016, in light of the fundamental right to privacy recognised in Puttaswamy I. The majority held that Aadhaar-PAN linking satisfied the proportionality test, but struck down mandatory Aadhaar-bank account and SIM card linking as disproportionate, stating that “such a requirement does not satisfy the test of proportionality” because compelling biometric linkage as a condition of accessing basic financial and communication services exceeded what was necessary to achieve the stated aim. The proportionality analysis in Puttaswamy II is the leading authority for the application of the three-fold test to digital data collection by the State.

[25]Maneka Gandhi v. Union of India, (1978) 1 SCC 248, 284 (India) (per Bhagwati, J.). The Court held: “The expression ‘personal liberty’ in Article 21 is of the widest amplitude and it covers a variety of rights which go to constitute the personal liberty of man and some of them have been raised to the status of distinct fundamental rights and given additional protection under Article 19.” The Court further held that any procedure that deprives a person of their personal liberty must satisfy three requirements: (i) it must be prescribed by law; (ii) the law must be valid; and (iii) the procedure must be right, just, and fair. This tripartite test effectively imported a substantive due process standard into Article 21 and laid the doctrinal foundation upon which Puttaswamy’s proportionality analysis was later constructed.

[26]See Gobind v. State of Madhya Pradesh, (1975) 2 SCC 148, ¶ 33 (India) (per Mathew, J.). The Supreme Court held, in a pre-Puttaswamy privacy case, that any claimed right to privacy must be examined with reference to a spectrum of rights and interests: the individual’s interest in personal autonomy must be balanced against the legitimate state interest in enforcement of law. The Court observed that the state’s right to regulate should be “less than complete” where the personal privacy interest is substantial, and that the burden falls on the state to justify an intrusion. This proportionality-adjacent framework was explicitly endorsed and refined by the nine-judge bench in Puttaswamy.

[28]Finance Act 2008, c. 9, sch. 36, ¶¶ 1-3 (UK). Schedule 36 of the Finance Act 2008 confers Her Majesty’s Revenue and Customs (HMRC) with the power to issue “information notices” requiring taxpayers and third parties to provide information and produce documents relevant to a tax investigation. Paragraph 1 requires a valid information notice; paragraph 3 permits the taxpayer to appeal to the First-Tier Tax Tribunal against the notice or any requirement within it. Crucially, Schedule 36 does not confer on HMRC any power to physically override digital access codes or compel decryption without the taxpayer’s cooperation. For access to protected digital material, HMRC must rely either on the taxpayer’s voluntary compliance, or on a judicial warrant obtained under Section 20C of the Taxes Management Act 1970 (as amended). The requirement for prior judicial authorisation,  absent from Clause 247 of the IT Bill, 2025, is the fundamental procedural safeguard that renders the UK framework constitutionally coherent.

[29]Taxes Management Act 1970, c. 9, § 20C (UK). Section 20C provides that HMRC may apply to a Circuit Judge (or, in Scotland, a Sheriff) for a warrant authorising entry into premises, search, and seizure of documents. The warrant application must satisfy the judge that the officer has reasonable grounds for believing that the conditions prescribed by the section are met, a prior judicial assessment of the sufficiency of grounds that is wholly absent from Clause 247 of the IT Bill, 2025.

[30]18 U.S.C. § 2703 (2018). The Stored Communications Act requires law enforcement authorities in the United States to obtain a warrant issued under the Federal Rules of Criminal Procedure, supported by probable cause, before compelling a service provider to disclose the content of stored electronic communications, including email, cloud storage, and social media messages. The warrant requirement was confirmed as constitutionally mandated by the Fourth Amendment in Carpenter v. United States, 585 U.S. 296 (2018). The contrast with Clause 247’s absence of any warrant or prior judicial authorisation requirement is instructive.

[31]Prevention of Money Laundering Act, 2002, No. 15, Acts of Parliament, 2003, § 17 (India). Section 17 of the PMLA empowers the Director or an authorised officer to conduct a search where the officer has “reason to believe” that a person has committed money laundering or possesses records or property relevant to a money laundering investigation. Critically, Section 17(1) requires that the grounds for the belief must be recorded in writing before the search, and Section 17(4) requires that these records be forwarded to the Adjudicating Authority immediately after the search is concluded. The procedural architecture of Section 17 — advance recording of reasons, and immediate post-search judicial disclosure — provides a directly analogous, and superior, procedural model for Clause 247 of the IT Bill, 2025.

[32]INDIA CONST. art. 14. The provision guarantees equality before the law and equal protection of the laws. In the tax search context, Article 14 requires that the threshold for exercising digital access powers — the “reason to believe” standard in Clause 247 — must not be applied in an arbitrary, discriminatory, or otherwise constitutionally impermissible manner. The breadth of the “virtual digital space” definition, combined with the absence of a targeted access requirement, creates a structural risk of Article 14 violation where access to one account (e.g., a trading account) is used to access all accounts within the scope of Clause 261(i) without any independent assessment of whether each category of account is relevant to the subject matter of the investigation.

[33]DPDP Act, 2023, §§ 7(d), 17(2)(a). The tension between the DPDP Act’s consent architecture and Clause 247’s warrantless access power is acute. A taxpayer’s email server and social media account contain personal data of the taxpayer and, critically, of third parties (correspondents, co-investors, professional advisers) who have no connection to the tax investigation. The DPDP Act does not contain a general override permitting tax authorities to access third-party personal data without the consent of those third parties; Section 17(2)(a) applies only to exemptions that are notified by the Central Government, and no notification specifically exempting income tax search and seizure proceedings from the DPDP Act’s requirements had been issued as of the date of this article. The legislative gap is a significant oversight that the Select Committee has been urged to remedy.

[34]INDIA CONST. art. 20, cl. 3. The provision reads: “No person accused of any offence shall be compelled to be a witness against himself.” The provision imposes an absolute prohibition — there are no exceptions — and applies at the investigative as well as trial stage of criminal proceedings.

[37]Selvi, (2010) 7 SCC 263 (India). The Court further held that the compulsory administration of the impugned techniques amounted to “an unjustified intrusion into the mental privacy of an individual” and would constitute “‘cruel, inhuman or degrading treatment'” with regard to the persons subjected to them. The Court held: “The results obtained through the involuntary administration of either of the impugned tests come within the scope of ‘testimonial compulsion’, thereby attracting the protective shield of Article 20(3) of the Constitution.”

[38]State of Bombay v. Kathi Kalu Oghad, AIR 1961 SC 1808 (India). An eleven-judge constitutional bench of the Supreme Court examined the scope of Article 20(3). The Court held that “to be a witness” against oneself means to impart knowledge in respect of relevant facts by means of oral statements or statements in writing — in other words, the provision protects against compelled testimonial disclosure of personal knowledge. The Court drew a critical distinction between the compelled production of existing pre-existing documents (which, in certain circumstances, may not attract Article 20(3)) and the compelled active testimonial communication of information from the accused’s mind (which always does). While Kathi Kalu Oghad was decided before the recognition of informational privacy in Puttaswamy, its core testimonial/physical distinction remains the analytical framework for Article 20(3) analysis.

[39]Fisher v. United States, 425 U.S. 391 (1976). The United States Supreme Court articulated the “act of production” doctrine: while the Fifth Amendment does not protect documents (which are pre-existing and not testimonial in themselves), the act of producing those documents in response to a subpoena can be testimonial where it implicitly communicates that the documents exist, are in the person’s possession, and are authentic. This doctrine is directly applicable to compelled decryption: providing the decryption key or password communicates (i) that the person knows the key (demonstrating possession of the account), (ii) that the encrypted data exists, and (iii) that the person has the capacity to access it — each of which is a testimonial communication of personal knowledge.

[40]See also United States v. Hubbell, 530 U.S. 27 (2000). The United States Supreme Court held that where a person was compelled by subpoena to produce documents, and the act of production itself involved testimonial self-incrimination (because the person had to identify and authenticate documents from a broad category), the Fifth Amendment barred the use of those documents and the information derived from them in a subsequent criminal prosecution. The decision strengthened the Fisher act-of-production doctrine and is directly relevant to the question of whether compelling a taxpayer to disclose decryption keys under Clause 247 attracts Article 20(3) protection in subsequent penalty or prosecution proceedings.

[44]Funke v. France, App. No. 10828/84, 16 Eur. Ct. H.R. 297 (1993). The European Court of Human Rights held that France violated Article 6(1) of the European Convention on Human Rights (the right to a fair trial, which encompasses the right not to incriminate oneself) by compelling a taxpayer, through the threat of criminal penalties, to produce bank statements and other documents suspected to reveal foreign financial dealings. The Court held: “The special features of customs law cannot justify such an infringement of the right of anyone ‘charged with a criminal offence,’ within the autonomous meaning of this expression in Article 6, to remain silent and not to contribute to incriminating himself.” The decision was the genesis of the self-incrimination doctrine under the ECHR in tax investigation contexts and remains the leading authority for the proposition that compelled disclosure in the tax enforcement context can violate the right against self-incrimination.

[49]General Data Protection Regulation, art. 6(1)(c), 2016 O.J. (L 119) 1 (EU) [hereinafter GDPR]. Article 6(1)(c) of the GDPR permits the processing of personal data without consent where it is “necessary for compliance with a legal obligation to which the controller is subject.” However, for Indian tax authorities to rely on this basis in compelled access to data of EU residents or data stored in the EU, the Indian legal obligation must be recognised under the EU’s adequacy framework. India does not have an adequacy decision from the European Commission, meaning that cross-border data access by Indian tax authorities will not automatically be recognised as a lawful basis under the GDPR. The conflict between Clause 247’s access powers and the GDPR is a material practical impediment for taxpayers operating across India-EU data flows.

[50]In the Matter of a Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016), vacated as moot, 584 U.S. 236 (2018). The Second Circuit held that a federal warrant could not compel Microsoft to produce emails stored on servers located in Ireland under the Stored Communications Act — a decision that prompted Congress to enact the Clarifying Lawful Overseas Use of Data (CLOUD) Act, Pub. L. No. 115-141, 132 Stat. 348 (2018). The extraterritorial dimension of Clause 247 — where an Indian taxpayer’s data is stored on servers located in the United States (AWS, Google, Microsoft Azure) or the European Union — raises identical jurisdictional questions that the IT Bill, 2025 does not address.

[54]Riley v. California, 573 U.S. 373 (2014). The United States Supreme Court held unanimously (9-0) that police officers require a warrant before searching the digital contents of a cell phone seized incident to arrest. Chief Justice Roberts, writing for the Court, held: “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’ The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.” The Court further held: “Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple — get a warrant.” The Court’s characterisation of a cell phone as a device that could be “cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers” is directly instructive for the characterisation of virtual digital spaces within the meaning of Clause 247.

[56]Carpenter v. United States, 585 U.S. 296 (2018). The United States Supreme Court held (5-4) that the government’s acquisition, without a warrant, of historical cell-site location information (CSLI) spanning approximately seven months constituted a Fourth Amendment search requiring a warrant supported by probable cause. Chief Justice Roberts, writing for the majority, held that the accumulation of digital data — even data held by third-party carriers — could reveal “the privacies of life” in a manner that required constitutional protection extending beyond the scope of the traditional third-party doctrine. The decision is significant for the Clause 247 analysis because it establishes that digital data aggregation — precisely what access to email servers, cloud storage, trading accounts, and social media simultaneously achieves — attracts a heightened standard of constitutional protection, not a diminished one.

[59]Proposed implementation framework, drawn from: (i) Finance Act 2008, c. 9, sch. 36 (UK) (information notice and tribunal appeal model); (ii) 18 U.S.C. § 2703 (warrant requirement); (iii) PMLA, 2002, § 17(1), (4) (reasons in writing and immediate disclosure to Adjudicating Authority); (iv) BNSS, 2023, § 97 (Magistrate’s warrant); and (v) Puttaswamy, (2017) 10 SCC 1 (proportionality). The proposed composite model is described in Part VII of this article.

[62]See Bharatiya Nagarik Suraksha Sanhita, 2023, No. 46, Acts of Parliament, 2023, § 97 (India). Section 97 of the BNSS (which replaces Section 100 of the Code of Criminal Procedure, 1973) requires that searches of premises be conducted only pursuant to a warrant granted by a Magistrate on specified grounds. Section 97 provides a procedural model — prior judicial authorisation with recorded reasons — that the IT Bill, 2025 should incorporate by reference for digital access operations under Clause 247.

[67]Pooran Mal v. Director of Inspection (Investigation), (1974) 1 SCC 345 (India). The Supreme Court held that documents seized during a search under Section 132 of the IT Act, 1961, are admissible in evidence in income tax proceedings even if the search was conducted without strict compliance with procedural requirements, adopting the position that the Indian law of evidence does not recognise an exclusionary rule analogous to the Fourth Amendment exclusionary rule developed under Mapp v. Ohio, 367 U.S. 643 (1961). However, Pooran Mal was decided before the recognition of the fundamental right to privacy in Puttaswamy and before the proportionality framework was articulated. Its continued authority as a blanket rejection of the exclusionary rule in tax search contexts is subject to re-examination in light of the constitutional developments since 2017.