Boundaries of Invasion: Exploring the Lines That Should Not Be Crossed
In the evolving digital landscape, the Income Tax Bill 2025 aims to replace the Income Tax Act, 1961, with a focus on simplifying the tax structure and easing compliance. However, concerns about privacy breaches and the balance between enforcement powers and individual rights have surfaced.
The bill's provisions for search and seizure in both physical and virtual digital spaces have raised questions, particularly in light of the Digital Personal Data Protection Act (DPDPA), 2023. The committee reviewing the Bill seems to have erred in not mitigating a potential inconsistency between the two pieces of legislation.
The DPDPA, initiated due to the Supreme Court's 2017 judgment declaring privacy as a fundamental right, imposes duties on data fiduciaries, including the Income Tax Department, to protect personal data, apply reasonable security safeguards, and comply with privacy norms prescribed under the Act.
Under the DPDPA, data fiduciaries are required to implement data minimization and accuracy principles, erase data once its purpose is fulfilled, and notify the Data Protection Board of India (DPBI) and affected users in case of data breaches. The DPDPA also requires significant data fiduciaries to have a Data Protection Officer (DPO) based in India, conduct periodic Data Protection Impact Assessments (DPIAs), and undergo independent data audits.
Despite these safeguards, the Parliamentary Select Committee reviewing the Income Tax Bill 2025 has chosen not to recommend any changes to the provisions regarding digital data access. This decision was based on incidents of incriminating evidence found in digital domains and the general reluctance of those in possession of such digital data to grant access.
However, concerns remain about the balance between enforcement powers and privacy due to broad search and seizure authorities retained in the Bill. Sufficient safeguards are necessary to prevent unauthorized collection, storage, or processing of personal data in the new Income Tax Act.
The committee has refrained from getting into areas of serious policy debate, such as the taxation of the digital economy and securing the country's sovereign revenue rights. Incidentally exposed private data during investigations should be summarily redacted, and those who function in the investigations should do so under strict confidentiality protocols.
The Income Tax Department, acting as a data fiduciary under the DPDPA, must adhere to these safeguards to mitigate potential privacy breaches. The committee's decision not to recommend changes to the digital data access provisions raises questions about the balance between tax enforcement and absolute privacy in the digital age.
- In the digital economy, the Income Tax Department, as a data fiduciary, must adhere to the privacy norms prescribed under the Digital Personal Data Protection Act (DPDPA) when accessing digital data, such as implementing data minimization and accuracy principles, and undergoing independent data audits.
- The Income Tax Bill 2025, with its broad search and seizure authorities, has raised concerns about the balance between enforcement powers and privacy, particularly as it relates to the collection, storage, or processing of personal data in the new Income Tax Act.
- The committee's decision not to recommend changes to the digital data access provisions in the Income Tax Bill 2025 has been based on incidents of incriminating evidence found in digital domains, but questions remain about the balance between tax enforcement and absolute privacy in the digital age.
- The Income Tax Bill 2025, as it aims to replace the Income Tax Act, 1961, should also address the taxation of decentralized finance (DeFi) and other digital assets like cryptocurrencies (coin), in order to ensure that the country's sovereign revenue rights are secure in the evolving market and technology landscape.
