In a significant development with implications for VPN privacy, security, and regulation, India’s Ministry of Electronics and Information Technology (MeitY) has issued an advisory directing virtual private network (VPN) providers and digital intermediaries to block access to websites that unlawfully disclose personal data of Indian citizens. The advisory, released on December 11, 2025, identifies specific sites and stresses the legal responsibilities of VPN services under Indian law — a move that has triggered debate among privacy advocates, cybersecurity experts, and users alike.
What the MeitY Advisory Says
According to the official MeitY advisory document, several third-party websites such as proxyearth.org and leakdata.org have been flagged for publicly exposing names, mobile numbers, addresses, email IDs, and other sensitive personal information without user authorization. The ministry describes these platforms as posing a “significant risk” to user privacy and safety.
The directive explicitly calls on VPN services and other intermediaries to take immediate and effective action under the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 to ensure that users cannot access these sites — even through VPN tunnelling that is designed to bypass regional restrictions.
The Regulatory Context
Under Indian law, intermediaries like VPN providers enjoy safe-harbour protections under Section 79 of the IT Act — but these protections are contingent on due diligence. If providers fail to prevent unlawful access or transmission of personal data, they could lose those protections and face legal liability. MeitY’s advisory reiterates this legal framework, warning that non-compliance could bring legal consequences.
Furthermore, the advisory underscores that intermediaries must not host, display, or transmit personal information that could breach privacy rights, affect public order, or jeopardize national security and sovereignty. What makes this particularly notable is the government’s concern that VPNs by nature may allow data-leaking sites to remain reachable, potentially neutralizing domestic blocking efforts.
Impact on VPN Services
MeitY’s directive places VPN providers in a challenging position. VPNs are widely marketed for privacy and anonymity, especially services that follow a no-logs policy — meaning they don’t collect or retain user activity data. This principle is central to how providers like NordVPN, ExpressVPN, Proton VPN, and Surfshark build trust with users.
However, enforcing blocks on specific websites at the provider level could require providers to monitor traffic or implement filtering rules that some argue conflict with the core ethos of VPN privacy. Moreover, many major VPN providers had already withdrawn physical servers from India years ago in response to previous regulatory changes demanding data retention and assistance in investigations. (TechRadar)
This history highlights how VPN companies have navigated Indian regulatory pressure. Previous cybersecurity mandates by India’s CERT-In required data logging that many privacy-focused VPNs could not support without compromising user trust, prompting some services to relocate infrastructure offshore.
User Privacy Versus Government Protection Goals
The heart of the debate centers on balancing individual privacy rights and government efforts to protect citizens from harmful data leaks. MeitY’s narrative frames the advisory as a protective measure, aiming to mitigate risks of identity theft, targeted fraud, and other abuses that can occur when personal information is publicly exposed.
Privacy advocates, however, are concerned that compelling VPN services to enforce blocks or potentially gather data undermines the very purpose of encryption tools designed to keep user activities confidential. This tension reflects broader global conversations about how privacy technologies should be regulated without eroding user freedoms.
Conclusion
India’s directive to VPN providers to block access to sites leaking personal data represents a pivotal moment at the intersection of data privacy, cybersecurity policy, and digital sovereignty. While the government seeks to safeguard citizens against unlawful data exposure, the directive also ignites concerns about the future of online privacy and the role of encryption tools like VPNs in an increasingly regulated internet landscape.
As VPN providers assess how to respond to MeitY’s advisory, users and industry stakeholders will be watching closely — because the implications extend far beyond India’s borders, touching on universal principles of digital privacy and the trust that underpins modern internet security.



