The government is planning a new legal framework for VPN regulation in India, amid concerns that VPNs are being misused, posing challenges to national security and law enforcement. Read here to learn more.
The Union Government is preparing a comprehensive legal framework to regulate Virtual Private Network (VPN) providers in India.
The proposed law seeks to require VPN companies to establish a local presence, appoint compliance officers, and facilitate government enforcement of lawful blocking orders.
The move comes amid growing concerns that VPNs are increasingly being used to bypass geo-blocking orders, evade censorship, and maintain online anonymity, posing challenges to national security and law enforcement.
What is a Virtual Private Network (VPN)?
A Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection between a user’s device and a remote VPN server, through which the user’s internet traffic is routed.
It performs two key functions:
- Masks the user’s IP address, hiding their actual location.
- Encrypts internet traffic, enhancing online privacy and security.
As a result, websites perceive the user as browsing from the location of the VPN server rather than the user’s actual country.
How Does a VPN Work?
- User connects to a VPN application.
- Internet traffic is encrypted.
- Traffic is routed through a VPN server located in another country.
- Websites receive the VPN server’s IP address instead of the user’s original IP.
This enables users to:
- browse anonymously,
- access geo-restricted content,
- secure data over public Wi-Fi,
- bypass internet censorship.
Why Does the Government Want VPN Regulation?
- Circumvention of Blocking Orders
- The Government issues blocking orders under the Information Technology Act, requiring online platforms to restrict access within India.
- However, users can simply connect to VPN servers located abroad and continue accessing blocked websites, applications, or services.
- Example: When certain applications are blocked in India, users can connect through a US or Singapore server and continue using them.
- Online Anonymity
Virtual Private Networks conceal:
- IP addresses,
- browsing locations,
- user identity.
While this protects privacy, authorities argue that it also makes the following more difficult:
- cybercrime investigations,
- terrorism-related investigations,
- financial fraud investigations.
- Rising Content Blocking
Government blocking orders have increased significantly.
- Over 12,000 blocking orders in 2024.
- More than 24,000 blocking orders in 2025.
During the temporary blocking of Telegram around the NEET-UG retest, Virtual Private Network usage reportedly surged, illustrating how users bypass restrictions.
What Does the Proposed VPN Framework Include?
The proposed legislation may require Virtual Private Network providers to:
- establish registered offices in India,
- appoint designated compliance officers,
- respond promptly to government requests,
- cooperate with lawful investigations,
- comply with blocking directions.
Failure to comply could attract:
- financial penalties,
- legal action,
- possible criminal liability for responsible officers.
The framework is expected to resemble obligations already imposed on intermediaries under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
The 2022 CERT-In Directive
The present proposal follows the CERT-In Directions (2022) issued under the Information Technology Act, 2000.
The directive required VPN providers to maintain customer records for five years, including:
- names,
- email addresses,
- contact numbers,
- IP addresses,
- usage details.
The objective was to strengthen cyber incident investigations.
Industry Response
- Several leading VPN providers declined to comply.
- Major companies, including Proton VPN, NordVPN, ExpressVPN, and Surfshark, have removed their physical servers from India and shifted operations to nearby countries such as Singapore.
- These providers argued that mandatory data retention compromised user privacy and amounted to mass surveillance.
- The Government now believes that a stronger statutory framework with mandatory local presence is necessary for effective enforcement.
Legal Framework Governing VPNs in India
Information Technology Act, 2000
Provides the legal basis for:
- cybersecurity,
- digital governance,
- blocking online content,
- regulation of intermediaries.
CERT-In Directions, 2022
Require specified entities, including VPN providers, to:
- retain customer information,
- maintain cybersecurity logs,
- report cyber incidents.
Information Technology Rules, 2021
Require significant social media intermediaries to appoint:
- Chief Compliance Officer,
- Nodal Contact Person,
- Resident Grievance Officer.
The proposed VPN framework may adopt similar compliance requirements.
Government’s Rationale
The Government argues that regulation is necessary because VPNs:
- undermine lawful blocking orders,
- facilitate cybercrime,
- conceal digital identities,
- complicate investigations,
- weaken national security.
Local offices would provide an accountable entity for implementing government directives.
Concerns Raised by Privacy Advocates
Critics argue that VPNs serve many legitimate purposes. These include:
Privacy Protection
VPNs protect citizens against:
- data theft,
- identity theft,
- online surveillance,
- insecure public Wi-Fi.
Freedom of Expression
VPNs enable access to:
- blocked information,
- research resources,
- global educational platforms.
Excessive regulation may restrict digital freedoms.
Cybersecurity
Businesses rely on VPNs for:
- secure remote work,
- encrypted corporate communication,
- protection of confidential data.
Strict regulations could increase compliance costs and discourage investment.
Data Privacy
Mandatory data retention raises concerns regarding:
- surveillance,
- misuse of personal data,
- cybersecurity risks arising from centralised storage.
Challenges in Regulating VPNs
- Most VPN providers operate outside Indian jurisdiction.
- Servers can easily be relocated abroad.
- Enforcement against foreign companies remains difficult.
- Excessive regulation may discourage technology investment.
- Balancing privacy with security remains challenging.
Way Forward
Risk-Based Regulation
Differentiate between:
- commercial VPN providers,
- enterprise VPNs,
- personal privacy services.
Avoid a one-size-fits-all approach.
Strong Privacy Safeguards
Any data retention framework should include:
- judicial oversight,
- proportionality,
- necessity,
- transparency.
International Cooperation
Strengthen cross-border cooperation on cybercrime through:
- Mutual Legal Assistance Treaties (MLATs),
- international cybercrime agreements,
- CERT-to-CERT collaboration.
Accountability with Due Process
Compliance mechanisms should ensure:
- legal certainty,
- protection of fundamental rights,
- independent oversight,
- appeal mechanisms against arbitrary blocking orders.
Promote Cybersecurity
Encourage:
- cybersecurity audits,
- encryption standards,
- responsible VPN use,
- public awareness regarding digital safety.
Conclusion
The proposed VPN regulation marks India’s second major attempt to regulate a technology that sits at the intersection of cybersecurity, privacy, and digital governance.
While the Government seeks to strengthen enforcement of lawful blocking orders and improve accountability through local compliance mechanisms, Virtual Private Networks also remain essential tools for protecting privacy, securing communications, and enabling legitimate internet access.
Going forward, the effectiveness of the proposed framework will depend on striking a careful balance between national security, cyber resilience, and the constitutional values of privacy, proportionality, and due process, as recognised in the Justice K.S. Puttaswamy (2017) judgment.




