Government's Legal Framework for VPN Regulation
The Indian government is devising a comprehensive legal framework to regulate Virtual Private Network (VPN) providers. The initiative aims to compel VPN operators to establish a local presence in India and appoint key personnel to liaise with the government.
Background and Need for New Framework
- In 2022, the Indian Computer Emergency Response Team (Cert-In) issued a directive requiring VPN service providers to store extensive customer data, including names, email IDs, contact numbers, and IP addresses.
- The 2022 directives were considered ineffective, prompting the need for a robust legal structure.
- VPNs are commonly used to bypass the blocking of apps and online content by masking IP addresses, allowing anonymous browsing.
New Legal Requirements
- VPN operators may be required to set up offices in India and hire compliance officers to handle government grievances.
- Possible penal consequences, including jail terms for local employees, are under consideration for non-compliance.
- These requirements mirror those for large social media companies under India’s IT Rules, 2021.
Government's Observations and Actions
- Users are reportedly bypassing government content blocking using VPN services, indicating the inadequacy of the 2022 Cert-In directives.
- Local points of contact for VPN companies are deemed necessary to enforce content blocking effectively.
Content Blocking and VPN Usage
- India has intensified its content blocking efforts, issuing over 24,000 orders in 2025, a significant increase from the previous year.
- When Telegram was temporarily blocked, Proton VPN reported a 120% increase in daily registrations from India.
VPN Providers' Response to 2022 Directive
- VPN providers like Proton VPN, NordVPN, ExpressVPN, and Surfshark removed their Indian servers in response to the 2022 directive.
- These providers have rerouted Indian traffic through servers in Singapore to avoid compliance with what they consider invasive surveillance laws.