Absence of Accused’s Postal Address Not a Ground to Reject Cyber Crime Complaint: Kerala High Court

In Anagh v. State of Kerala & Ors., 2026:KER:16819, the Kerala High Court set aside an order of the Magistrate returning a private complaint solely on the ground that the complainant had not furnished the postal address of the accused.

The case arose from a private complaint filed by the petitioner alleging that the accused had circulated defamatory and malicious content against him through various social media platforms and messaging services. The complaint invoked Sections 356(2), 351, 61 and 77 of the Bharatiya Nyaya Sanhita, 2023 as well as Section 66 of the Information Technology Act, 2000. While the complainant had disclosed several electronic identifiers of the accused, including phone numbers and social media handles, the Judicial First Class Magistrate returned the complaint on the sole ground that the postal address of the accused had not been provided.

Aggrieved by the said order, the petitioner approached the High Court contending that in cases involving cyber offences, victims often possess only digital identifiers of the offender, such as phone numbers, email IDs or social media accounts, and insisting on a physical address at the threshold stage would make prosecution of cyber offences virtually impossible.

The High Court examined the statutory framework governing private complaints and noted that the definition of a “complaint” under the Bharatiya Nagarik Suraksha Sanhita, 2023 does not require disclosure of the postal address of the accused as a condition precedent for entertaining the complaint. The Court observed that the law itself recognises that allegations may be made against persons who may be known or even unknown at the stage of initiation of proceedings.

The Court also noted that modern criminal procedure increasingly recognises electronic modes of communication and service. In the context of cyber offences, offenders frequently operate under pseudonymous identities and victims may only have access to digital footprints. In such circumstances, the insistence on a physical address at the stage of filing a complaint would defeat access to justice and enable offenders to evade the law through anonymity.

While dealing with the Magistrate’s reasoning, the Court emphasised that procedural requirements cannot be interpreted in a manner that frustrates substantive justice, observing:

“To return a complaint solely for want of a postal address is to subordinate substantive justice to procedural rigidity.”

The Court further highlighted that the statutory framework governing intermediaries under the Information Technology Act obligates service providers to preserve and disclose user information when required by law, thereby enabling investigative authorities to trace offenders operating through concealed digital identities. Although the Court noted that such disclosure mechanisms may not automatically apply in defamation cases initiated through private complaints without police investigation or executive authorisation, it clarified that the Court nonetheless possesses powers under Section 94 of the Bharatiya Nagarik Suraksha Sanhita to direct any person, including intermediaries, to produce documents or information necessary for the proceedings.

The Court also made significant observations on the changing nature of crime in the digital era. It noted that offences such as cyberbullying, online impersonation, digital stalking, identity theft and social media defamation have become increasingly rampant. In many such cases, offenders operate through fake or anonymous digital identities, and the complainant may only possess electronic identifiers of the accused. The postal address of the offender often becomes ascertainable only through technical investigation.

In such circumstances, the Court observed that insisting on disclosure of a postal address at the threshold stage would deny access to justice, render victims remediless, encourage deliberate anonymity and frustrate effective criminal law enforcement. The Court emphasised that until specific regulations or standard operating procedures are formulated to address such situations, the criminal justice system cannot remain anchored in procedural formalism that is unsuited to the technological realities of the digital age.

Significantly, the Court observed that the absence of a postal address cannot become a ground for judicial helplessness. Where a complaint discloses the commission of an offence, the law already recognises that proceedings can be initiated even against unknown persons. Therefore, it would be incongruous to insist upon disclosure of a postal address as a jurisdictional prerequisite for private complaints, particularly when the law itself permits registration of criminal cases against unidentified offenders.

In this backdrop, the Court held that the Magistrate erred in returning the complaint at the threshold stage. Instead, once a complaint discloses the commission of an offence, the Magistrate may proceed in accordance with law, including issuing process through the disclosed electronic communication details and directing appropriate investigation to ascertain the identity and location of the accused.

Accordingly, the High Court set aside the order returning the complaint and directed the Magistrate to accept the complaint on file and proceed in accordance with law, including issuance of process through the available electronic communication details. The Court further directed the Registrar (District Judiciary) to place the matter before the competent authority of the High Court to examine whether suitable amendments to the Criminal Rules of Practice may be required to effectively deal with complaints relating to cyber offences.

Authored By
Rajat Jain, Advocate
Email: [email protected]
Mobile No. 9953887311

Freezing of Bank Accounts by Police under the Code of Criminal Procedure, 1973/ Bharatiya Nagarik Suraksha Sanhita, 2023: Power, Parameters and Remedies

I. Introduction

Freezing of bank accounts has emerged as one of the most frequently invoked investigative measures, particularly in cases involving cyber fraud, financial misappropriation and economic offences. While the stated objective is the preservation of suspected proceeds of crime, the practical consequences are immediate and far-reaching, crippling day-to-day operations, paralyzing business activity, preventing payment of statutory dues and essential expenses, disrupting digital transactions, and in many cases, seriously impairing livelihood

The power to freeze bank accounts was historically exercised under Section 102 of the Code of Criminal Procedure, 1973 (“CrPC”), and now finds place in Section 106 of the Bharatiya Nagarik Suraksha Sanhita, 2023 (“BNSS”), subject to the scheme of Section 107 BNSS.

II. Statutory Power under Section 102 CrPC/ 106 BNSS

Section 102(1) CrPC/ 106(1) BNSS empowers a police officer to:

“seize any property which may be alleged or suspected to have been stolen, or which may be found under circumstances which create suspicion of the commission of any offence.”

Section 102(3) / 106(3) BNSS mandates:

“Every police officer acting under sub-section (1) shall forthwith report the seizure to the Magistrate having jurisdiction…”

The provision did not expressly mention bank accounts, which led to interpretational challenges.

III. Whether Bank Accounts Fall Within “Any Property”

The issue was conclusively settled by the Supreme Court in
State of Maharashtra v. Tapas D. Neogy, (1999) 7 SCC 685.

While considering whether ‘bank accounts’ fall within the scope of Section 102 CrPC, the Court held that even bank accounts fall within the phrase “any property” and could therefore be frozen by investigating authorities, if found to have direct links with the commission of an offence.

The Supreme Court clarified that the property must have a connection with the commission of a crime. For the purpose of Section 102 CrPC, the property must be either:

• Alleged or suspected to have been stolen; or
• Have a nexus between the property and the commission of the crime.

Therefore, investigating authorities can only freeze bank accounts if the deposit in the account is stolen money or the account is connected with an alleged offence under investigation. This judgment remains the foundational authority legitimising freezing of bank accounts in criminal investigations.

IV. Mandatory Reporting to Magistrate

Section 102(3) CrPC/ 106(3) BNSS mandates that seizure must be reported “forthwith” to the Magistrate.

The scope and consequence of non-reporting were examined by the Supreme Court in Shento Varghese v. Julfikar Husen, 2024 INSC 407/ MANU/SC/0423/2024

The Court considered:

• What is the implication of non-reporting of seizure forthwith to the jurisdictional Magistrate under Section 102(3) CrPC?
• Whether delayed reporting vitiates the seizure altogether?

In that case, although a seizure report was submitted to the Magistrate, it was not done immediately. The High Court set aside the freezing on the ground of delay. On appeal, the Supreme Court clarified that the term “forthwith” must be interpreted as “as soon as reasonably possible,” recognising that procedural compliance must be prompt but allowing reasonable flexibility depending on circumstances.

The Court held that unless a strict timeframe is prescribed, actions must be completed within a reasonable period without rigid formulae. Therefore, delayed submission of the seizure report did not automatically vitiate the freezing order.

V. Limits on Blanket Freezing: The Principle of Proportionality

A recurring judicial concern has been indiscriminate freezing of entire bank accounts, particularly in cybercrime cases where merchants or intermediaries receive funds unknowingly.

In Dr. Sajeer v. Reserve Bank of India, MANU/KE/3854/2023, the Kerala High Court addressed blanket freezing of bank accounts during cybercrime investigations and held that the freezing must be proportionate and confined only to the specific amounts indicated in police requisitions.

In Mohammed Saifullah v. RBI, MANU/TN/5406/2024, the Madras High Court while setting aside the indiscriminate freezing of the entire account balance, held as under:

“Under the guise of investigation, order freezing the entire account without quantifying the amount and period cannot be passed. Such order will be construed as violation of the fundamental rights of trade and business as well as violation of livelihood.”

Time and again, the Courts have reiterated the doctrine of proportionality, emphasizing that any restraint must be confined to the specific amount allegedly involved in the offence and not extend to freezing the entire account balance. This calibrated approach preserves the interests of investigation while simultaneously safeguarding the legitimate business operations and livelihood of the account holder.

VI. Remedies Available to the Aggrieved Person

A. Representation before Investigating Officer

An account holder can make a representation before the Investigating officer who has given instructions for freezing of bank account and may submit material demonstrating absence of nexus or explaining the transaction trail.

If satisfied, the Investigating Officer has the power to issue instructions for de-freezing of the bank account.

B. Application before Magistrate

An account holder can also file an application before the jurisdictional Magistrate under Sections 451 & 457 CrPC / 497 & 503 BNSS for releasing of the bank account.

In appropriate cases, courts can permit:

• Complete de-freezing;
• Partial operation;
• Withdrawal subject to bond; and
• Restriction limited to disputed amount.

Such jurisdiction acts as a safeguard against arbitrary executive action.

C. Writ Jurisdiction of High Court

Where freezing is patently illegal, disproportionate, or violative of statutory mandate, Writ jurisdiction under Article 226 of the Constitution of India can also be invoked for setting aside the freezing order.

High Courts have consistently intervened where:

• There is absence of nexus;
• Mandatory reporting requirements are violated;
• Freeze is mechanical or indefinite;
• Entire accounts are frozen despite limited suspicion.

VII. Principles enumerated by Allahabad High Court

In Khalsa Medical Store v. Reserve Bank of India, 2026 AHC LKO 3701 (DB), the Division Bench of the Allahabad High Court perused various judgments relating to freezing of a bank account under a suspicion of cybercrime and enumerated the following principles:

A. Reasonable Belief, Not Mere Suspicion

Section 106 of the BNSS cannot be interpreted as conferring unfettered authority upon police officers to intervene in monetary disputes or commercial transactions merely on the basis of suspicion. The exercise of power must be supported by reasonable belief.

B. Immediate and Proper Intimation to the Bank / Payment System Operator

Where freezing or marking of lien is considered necessary, the Investigating Officer must immediately communicate the request to the Nodal Officer of the concerned bank or beneficiary bank, or to the relevant Payment System Operator (PSO), including a payment aggregator.

Such communication must:

• Clearly set out the particulars of the alleged offence; and
• Be accompanied by a copy of the FIR or the complaint forming the basis of action.

A bank or PSO is within its rights to decline any freezing request that is unsupported by a copy of the FIR or formal complaint.

C. No Blanket Freezing: Lien Must Be Confined to the Specific Alleged Amount

A notice under Section 106 BNSS, if issued, may require marking of a lien only on the specific amount allegedly transferred from or to the concerned account.
Under no circumstances can the police direct or request a bank or PSO to block, suspend, or freeze the entire financial account when suspicion pertains only to a defined quantum. Blanket freezing is impermissible and violative of proportionality.

D. Simultaneous Intimation to Jurisdictional Magistrate Within 24 Hours

Once information seeking blocking, holding, or marking of lien is forwarded to a bank or financial intermediary (including a PSO), the same must simultaneously be forwarded to the jurisdictional Judicial Magistrate within 24 hours.
Failure to inform the Magistrate within this timeframe may render such action as void.

E. Liability of Banks for Non-Compliant Freezing

If a bank freezes or places a hold on a bank account or escrow account at the mere request of the police, without ensuring compliance with statutory procedure and safeguards, the bank may incur personal civil and criminal liability.

Such liability may extend to compensation for financial loss, business disruption, and reputational damage suffered by the affected entity or individual.

VIII. Interplay between Sections 106 and 107 of BNSS

A significant clarification under the BNSS regime was rendered in
Malabar Gold & Diamonds Ltd. v. Union of India, W.P.(C) 4198/2025. While setting aside the impugned freezing order, the Hon’ble Court undertook a detailed examination of the distinction between Sections 106 and 107 of the BNSS and held:

“Thus, it is fairly trite now that Section 106 of the BNSS empowers the police only to seize property for evidentiary purposes and does not confer any authority to attach or debit-freeze bank accounts. Attachment or freezing of bank accounts, being measures directed at securing alleged proceeds of crime, can be undertaken only under Section 107 of the BNSS and strictly upon orders of a competent Magistrate, after following the prescribed procedural safeguards.”

The Court further held that any blanket or disproportionate freezing of bank accounts, particularly where the account holder is neither an accused nor even a suspect in the offence under investigation, is manifestly arbitrary, and in the teeth of the fundamental rights under Article 19(1)(g) and 21 and of the Constitution of India.

The ruling, therefore, crystallises the legal position as follows:

• Section 106 BNSS is confined to seizure for evidentiary purposes.
• Attachment or debit-freezing intended to secure alleged proceeds of crime must be undertaken under Section 107 BNSS.

In effect, the judgment removes unilateral executive discretion in matters of freezing bank accounts and subjects such action to prior judicial scrutiny.

IX. Conclusion

Freezing of bank accounts is a powerful investigative tool designed to preserve suspected proceeds of crime and prevent dissipation of funds. However, its impact on trade, livelihood and digital financial systems is profound.

Judicial jurisprudence now firmly establishes that:

• There must be a clear nexus between the account and the offence.
• Suspicion must be founded on material.
• Reporting to the Magistrate must be prompt, though reasonable flexibility exists.
• Freezing must be proportionate and confined to suspected amounts.
• Mechanical and blanket freezing is impermissible.
• Under the BNSS, any attachment or debit-freezing of a bank account intended to secure alleged proceeds of crime must strictly conform to Section 107 and can be affected only pursuant to an order of a competent Court, in compliance with the prescribed judicial safeguards.

The evolving jurisprudence reflects a careful balance enabling effective investigation while safeguarding economic liberty and procedural fairness.

Authored By
Rajat Jain, Advocate
Email: [email protected]
Mobile No. 9953887311

Is Consent Required to Process Employees’ Personal Data under the DPDP Act?

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) establishes a comprehensive framework governing the processing of digital personal data in India.

A common question that arises for employers is whether consent is required to process the personal data of employees, or whether such processing may be undertaken under another lawful basis recognised by the statute.

Under the DPDP Act, “personal data” means any data about an individual who is identifiable by or in relation to such data.

The definition of “processing” is broad and includes operations such as collection, recording, storage, organisation, retrieval, use, disclosure and erasure. Consequently, virtually every activity undertaken by an employer in relation to employee’s personal information constitutes processing under the Act.

A “Data Fiduciary” is any person who determines the purpose and means of processing personal data. In the employment context, the employer acts as the Data Fiduciary. The employer may process the data directly or through a third party, known as a “Data Processor,” but remains responsible for compliance with the DPDP Act and the Digital Personal Data Protection Rules (“DPDP Rules”). The individual to whom the personal data relates is referred to as the “Data Principal.”

The DPDP Act permits processing of personal data only for a lawful purpose and only in two circumstances:

• where the Data Principal has given her consent, or
• where the processing falls within one of the recognised “legitimate uses” set out in the DPDP Act.

Consent as a Lawful Basis for Processing

Where a Data Fiduciary intends to rely on consent, the statutory requirements are detailed and stringent. Consent must be free, specific, informed, unconditional and unambiguous. The request for consent must be accompanied by a notice informing the Data Principal of the personal data proposed to be processed, the purpose of such processing, the right to withdraw consent, the availability of grievance redressal, and the manner in which a complaint may be made to the Data Protection Board of India.

The notice must also provide clear mechanisms through which the Data Principal may withdraw consent, exercise her rights under the Act, and lodge a complaint. These procedural safeguards make consent a structured and compliance intensive basis for processing.

Legitimate Use in the Employment Context

Section 7 of the DPDP Act recognises certain “legitimate uses” pursuant to which personal data may be processed without obtaining consent.

The clause (a) of Section 7 of the DPDP Act states as under:

“(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.”

The clause (i) of Section 7 of the DPDP Act states as under:

“(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.”

Clause (a) provides that where a Data Principal has voluntarily provided her personal data for a specified purpose and has not indicated that she does not consent to its use, processing for that specified purpose constitutes a legitimate use. This provision may be relevant to recruitment scenarios where job applicants voluntarily submit resumes and related information for the purpose of being considered for employment. Further, it can extend to situations where employees provide personal data during the course of employment for a clearly specified purpose, even if such purpose is not strictly intrinsic to core employment functions, provided the processing remains confined to that specified purpose.

More significantly, clause (i) of Section 7 permits processing “for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.”

This clause expressly recognises employment related processing as a lawful ground independent of consent. The DPDP Act and the DPDP Rules do not prescribe additional conditions or limitations restricting the scope of this legitimate use.

In my view, the expression “purposes of employment” should be interpreted broadly to encompass not only the processing of personal data of existing employees but also processing undertaken in connection with recruitment, evaluation of candidates, background verification, onboarding, payroll and tax compliance, performance management, disciplinary proceedings, internal investigations, and measures necessary to safeguard the employer from loss or liability. It would also extend to processing required for administering or providing services and benefits sought by an employee in the course of employment, such as medical insurance, car related benefits, or other employment linked facilities.

Accordingly, where processing of employees’ personal data is undertaken for purposes falling within Section 7 of the DPDP Act, consent is not required. Employers are not legally obligated to obtain consent for routine employment related processing that is reasonably necessary for managing the employment relationship.

Other Compliance Obligations of the Employer

Reliance on legitimate use does not dilute the employer’s broader statutory obligations. Processing must be limited to personal data that is relevant and reasonably necessary for the employment purpose. The employer must comply with transparency requirements, implement reasonable security safeguards, provide mechanisms for the exercise of Data Principal rights and grievance redressal, and adhere to applicable retention and erasure obligations under the DPDP Act and the DPDP Rules.

Any processing that goes beyond employment related purposes or involves unrelated secondary uses would require an independent lawful basis, which may include consent.

In conclusion, the DPDP Act adopts a dual framework for lawful processing, i.e., consent or legitimate use. In the employment context, the statute expressly recognises employment related processing as a legitimate use. Therefore, consent is not required for processing employees’ personal data where such processing is reasonably necessary for employment purposes. However, employers must ensure that such processing remains proportionate, purpose specific and fully compliant with the overarching obligations under the DPDP Act and the DPDP Rules.

Authored By
Rajat Jain, Advocate
Email: [email protected]
Mobile No. 9953887311