Introduction: Digital search and threat to privacy
In the field of networking, mobile phones, laptops, and computers are no longer merely devices that facilitate access to and processing of information. They have become an extension of “the self”, containing personal information and infiltrating personal identities, romantic and social relationships, professional settings, financial status, etc. Access to one’s phone is perceived to be access to one’s personal data.
Digital search and seizure refer to the process by which law enforcement agencies examine and confiscate electronic devices (such as computers, smartphones, and servers) and the data stored on them, as part of a criminal investigation. In digital search and seizure, as there is a lack of legislation protecting the personal information of the individual from being revealed, the right to privacy is under threat. Privacy of the person under investigation is not alone threatened, but the privacy of the individual they communicated with, who neither consented to the search nor has knowledge of this, is also endangered. All of these call for an imminent need for legislation protecting the right to privacy of individuals during digital searches.
Right to Privacy in the Digital Era
The Supreme Court of India in 2017 recognized the right to privacy as a fundamental right under Article 21 of the Constitution, overruling all the previous judgments through the landmark judgment K.S. Puttaswamy v. Union of India.[1]. This judgment established the principle that any state action infringing upon privacy must satisfy strict constitutional scrutiny by demonstrating legality, necessity, and proportionality, protecting human dignity and autonomy.
The Digital Personal Data Protection Act, also known as the DPDP Act, was passed in 2023 and is the country’s first comprehensive legislation on digital privacy. The Act requires informed consent for data collection, emphasizes data minimization, and enforces purpose limitation, ensuring that entities only collect data that is necessary. It also imposes significant penalties of up to ₹250 crore for data breaches and establishes a Data Protection Board to oversee compliance. The Act applies to both government and private entities, addressing concerns about unregulated data practices.[2].
The Information Technology Act 2000 also aims to protect digital privacy by penalizing actions that invade the privacy of individuals, such as
- Section 66E[3] punishes invading privacy with imprisonment extending to three years with 2 lakh rupees fine or both.
- Section 72[4] punishes for breach of confidentiality or privacy with a penalty of Rs. 5 lakhs
- Section 43[5] extends civil liability on individuals for doing acts such as downloading data, installing software, altering or removing information, etc., without the permission of the device holder.
Digital Search and the legislation governing it
As explained earlier, digital search involves the confiscation and examination of the electronic devices of the person and the data stored in them. Digital search and seizure by police and other law-enforcing bodies inflict harm on the privacy of individuals, including individuals who do not know that the data is being scrutinized by police without their consent.
There are no proper laws that govern digital search and seizure, ensuring the privacy of individuals is protected, like Section 93 CrPC.[6], which requires a warrant to conduct a physical search and seizure of evidence, but the courts have extended the provision to include search and seizure of digital evidence, too.
The Supreme Court has directed the Central Government to take measures to protect the privacy of the accused persons and lay down comprehensive guidelines governing digital search and seizure in the case of Foundation for Media Professionals v Union of India.[7], which is pending in the Supreme Court. In this case, FMP, through a writ petition, highlighted the use of personal chat messages of the accused persons for investigation purposes without obtaining the proper consent of both parties involved in the communication. Through the writ petition, the petitioners sought the Court to declare that the contents on a person’s digital device, including passwords, passcodes, patterns, PINs, etc., are protected under Article 20(3)[8][9].
Two courts in India recently tried the cases under the issue of digital search and the protection of the privacy of the accused. The Karnataka High Court in the case of Virendra Khanna vs State of Karnataka[10] Ruled that forcing someone to share their mobile phone or email password does not violate Article 20(3) of the Constitution. According to the court, a password is not considered a personal statement; instead, it is more akin to physical evidence, such as fingerprints, blood samples, or handwriting. Therefore, requesting a password is deemed legally acceptable.[11]
The High Court recognized that granting law enforcement access to digital devices could expose a person’s entire life, as these devices contain vast amounts of personal data. However, the court concluded that such access would not violate the right to privacy, as it fell under specific legal exceptions. It did note that penalties could be imposed if the police unlawfully shared this data with third parties. While investigations may necessitate some compromises on privacy, unrestricted access to personal devices undermines this fundamental right. The judgment granted the police extensive powers but lacked safeguards, such as limitations on the duration or scope of access. Although the court acknowledged the risks of third-party disclosures, it provided no clear remedies or protections for individuals.[12]
But in the case of CBI VS Mahesh Kumar Sharma & Anrs[13] The Delhi High Court held that the consent of the accused’s personnel is important before their digital devices are accessed and information is shared for investigation purposes with any third party. Similarly, in the case of Amazon Seller Services Private v Directorate of Enforcement[14] The Supreme Court stayed the direction issued by the EB for producing the electronic devices of the Amazon employees because of privacy concerns.
Hazards of Digital Search
Due to the absence of legislation that safeguards personal data, there are significant concerns regarding the extent to which law enforcement may access this data, thereby posing a threat to individual privacy. Most notably, the Data Protection Board of India lacks enforcement authority compared to the European Union’s General Data Protection Regulation (GDPR), implemented in 2018, which represents the globally recognized “gold standard” for data protection legislation. The GDPR grants independent data protection authorities broad power to create regulations and impose binding enforcement mechanisms.
A significant shortcoming in India’s data protection framework is the broad exemptions granted to government agencies. The government agencies are given the power to seize and search the data in these devices of individuals under Section 17 of the DPDP Act.[15], on the grounds of ‘national security’, ‘ prevention of crime’, which are defined vaguely, creating expansive surveillance by the government.
Another critical problem of the retention of electronic devices by the investigating agency is present with the investigating agency throughout the investigation process, and copies of all the data are created. This is called an ‘ongoing seizure’, leading to private information not falling under the realm of investigation being exposed. The US Supreme Court in the case of Riley v. California[16] Established that the seizure of digital data not relating to the investigation is against the Fourth Amendment. In India, there are no laws protecting the same.
Way Forward
- One major way to protect the privacy of individuals during a digital search is by making the requirement of a warrant a prerequisite before conducting such a search.
- The warrant must contain “filter terms” of “privileged terms”. These terms are ethical walls that protect the information or data not relevant to the investigation from being examined.
- A set of guidelines must be laid down on the retrieval and storage of the data retrieved from the device.
- Strict punishment must be laid down for unauthorized sharing of data to third parties and the media without the consent of the accused.
Conclusion
The right to privacy in the digital age is increasingly at risk due to inadequate legislative protections surrounding digital search and seizure. The current lack of comprehensive laws specifically governing digital search and seizure continues to pose a threat to individual privacy despite the landmark judgement of the K.S. Puttaswamy case and the DPDP Act. As legal interpretations evolve and cases addressing these issues are examined, lawmakers and judicial authorities need to develop comprehensive guidelines that uphold privacy rights while facilitating legitimate law enforcement activities. Balancing these interests is critical to maintaining public trust in both technology and the legal systems that govern its use.
Author(s) Name: Aishwarya Sambasivan (SASTRA DEEMED University Thanjavur)
References:
[1] Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
[2] Drishti Singh, ‘The Right to Privacy in India’s Digital Era: A Post Puttaswamy Perspective’ (2025) IJLSSS 3(3) 57
[3] Information Technology Act 2000, s 66E
[4] Information Technology Act 2000, s 72
[5] Information Technology Act 2000, s 43
[6] Code of Criminal Procedure 1973, s 93
[7] Foundation for Media Professionals v Union of India Writ Petition (Criminal) No 395 of 2022 (Supreme Court of India)
[8] Constitution of India 1950, art 20(3)
[9] Virendra Khanna vs State of Karnataka: Phone Privacy Ruling’ (Juryscan, 2 September 2025) https://www.juryscan.in/virendra-khanna-vs-state-of-karnataka-phone-privacy-ruling/ accessed 10 January 2026
[10] Virendra Khanna v State of Karnataka AIRONLINE 2021 KAR 525
[11] Virendra Khanna (n )
[12] Virendra Khanna (n)
[13] CBI v Mahesh Kumar Sharma 2022 SCC OnLine Dis Crt (Del) 48
[14] Amazon Seller Services Pvt Ltd v Directorate of Enforcement Writ Petition (Criminal) No 679 of 2023 (Delhi High Court)
[15] Digital Personal Data Protection Act 2023, s 17
[16] Riley v California 573 US 373 (2014)
