Resources › Current Affairs

Fundamental Rights, DPSP & Duties

Polity

24,000 Blocking Orders and the Tunnel Around Them: India Moves on VPNs

24,000 Blocking Orders and the Tunnel Around Them: India Moves on VPNs

A proposed framework would require local offices, resident compliance officers and five-year logs — the same demand providers walked out of the country to avoid in 2022

3 July 2026·PolityFundamental Rights, DPSP & Duties◆ High Yield·TechRadar·7 min read

What happened

This is not really a technology story, and answering it as one misses the point. It is a jurisdiction story: a state can regulate what is physically present within its borders, and a service whose entire architecture is designed to have no such presence tests the limits of that power. The proposed remedy — compel presence — is the interesting move, and its consequences run straight into Puttaswamy's proportionality test.

Two Attempts at the Same Rule

VPN Regulation in India

APRIL 2022
CERT-In directions under Sec 70B(6), IT Act — VPN providers to retain subscriber data for 5 years.
SEPT 2022 — DEADLINE
Proton VPN, NordVPN, ExpressVPN, Surfshark pull servers out of India rather than comply.
2024 → 2025
Content-blocking orders rise from 12,000+ to 24,000+ in a single year.
3 JULY 2026
New framework proposed — adds local office, resident compliance officer and criminal liability to the same retention rule.
 20222026 proposal
5-year data retentionYesYes
Local office requiredNoYes
Resident compliance officerNoYes
Personal criminal liabilityNoYes
Test to satisfy: Puttaswamy (2017) proportionality — legality, legitimate aim, necessity, proportionality. The EU's Data Retention Directive was invalidated in 2014 for indiscriminate retention.

Source: CERT-In directions, 2022; TechRadar; Justice K.S. Puttaswamy v. Union of India (2017)

Smart Gravity Note

A virtual private network (VPN) routes a user's internet traffic through an encrypted tunnel to a server operated by the provider, so the destination sees the provider's IP address rather than the user's, and the user's internet service provider cannot see the destination.

This defeats both surveillance of browsing and network-level blocking.

The 2022 CERT-In directions, issued under Section 70B(6) of the Information Technology Act, 2000, required VPN providers, data centres and cloud services to register and retain subscriber information — validated names, addresses, contact details, IP addresses and usage patterns — for five years; the compliance deadline was extended from June to 25 September 2022.

Several major providers responded by withdrawing physical servers from India.

Section 69A of the same Act supplies the blocking power, exercised through the Blocking Rules, 2009: the government issued more than 24,000 blocking orders in 2025, up from more than 12,000 in 2024.

The new proposal would add a local office requirement, a resident compliance officer, five-year record retention and criminal liability including imprisonment — obligations parallel to those on significant social media intermediaries under the IT Rules, 2021.

Any such framework must satisfy the proportionality standard laid down in Justice K.S. Puttaswamy v.

Union of India (2017), which recognised informational privacy as part of Article 21.

The 2022 directive failed not because it was struck down but because the regulated parties left. Compelling a local presence is an attempt to remove that exit.

◎ In Simple Words

A VPN is a tool that hides which websites you visit and makes it look like you are connecting from another country. The government blocks certain websites and apps, and VPNs let people get around those blocks. India tried in 2022 to make VPN companies keep records of their users for five years; instead of agreeing, most of them simply moved their computers out of India. Now the government is considering rules that would force these companies to have an office and a responsible officer inside India, with jail terms possible if they refuse.

14PYQs on this sub-topic →POLITY · Fundamental Rights, DPSP & Duties

Factual Pointers

Practice · 2 questions

1Practice Question

With reference to the CERT-In directions of 2022 concerning VPN providers, consider the following statements:

1. They were issued under Section 70B of the Information Technology Act, 2000.

2. They required retention of subscriber information for five years.

3. All major international VPN providers complied by establishing local data storage in India.

Which of the statements given above are correct?

2Practice Question

The proportionality standard applicable to state restrictions on informational privacy in India was most authoritatively laid down in:

Mains Practice Questions

1

"Where a service can be provided without physical presence, regulation must first create one." Examine India's proposed VPN framework as an exercise in jurisdictional reach. (250 words, GS2)

2

Blanket data retention mandates sit uneasily with the proportionality standard in Puttaswamy. Critically examine. (250 words, GS2)

3

Regulation that drives a market underground achieves neither its security objective nor any privacy benefit. Discuss with reference to the 2022 CERT-In directions. (150 words, GS3)

Frequently Asked

· People also ask
What is India proposing for VPN providers?

A framework requiring VPN operators to establish physical offices in India, appoint resident compliance officers as government liaisons, retain subscriber records — names, addresses, contact details and IP addresses — for five years, with criminal penalties including imprisonment for non-compliance.

Prelims · GS2The obligations mirror those already applying to significant social media intermediaries under the IT Rules, 2021. Officials confirmed the framework was under development on 3 July 2026.

SOURCE TechRadar; MeitY

Why is the government targeting VPNs?

Because they defeat network-level blocking. The government issued more than 24,000 content-blocking orders in 2025, up from more than 12,000 in 2024, and VPN traffic is the principal route around them. When Telegram was briefly blocked before a NEET-UG retest, Proton VPN reported a 120 per cent spike in Indian sign-ups.

GS3 · Internal SecurityThere is a genuine investigative interest too: VPNs are used to evade lawful blocking of terrorism-related content, child sexual abuse material and organised fraud, and an offender whose provider keeps no logs cannot be traced.

SOURCE MeitY; TechRadar

What happened when India tried this in 2022?

CERT-In directions under Section 70B(6) of the IT Act required five-year retention of subscriber data, with the deadline extended from June to 25 September 2022. Rather than comply, Proton VPN, NordVPN, ExpressVPN and Surfshark relocated their servers out of India.

GS2 · GovernanceThat is precisely why compelled local presence is now being considered — a directive addressed to entities with no assets, staff or servers in the jurisdiction is unenforceable, and exit is the rational response.

SOURCE CERT-In directions, 2022

How does a VPN actually work?

It routes a user's internet traffic through an encrypted tunnel to a server the provider operates. The destination website sees the provider's IP address rather than the user's, and the user's internet service provider cannot see which destination was reached — defeating both browsing surveillance and network-level blocking.

SOURCE Technical documentation

What is the constitutional objection?

Proportionality. Under Puttaswamy (2017), informational privacy is protected by Article 21 and restrictions must satisfy legality, legitimate aim, necessity and proportionality. Mandatory five-year retention applies to every user regardless of suspicion, and courts elsewhere have struck down blanket retention because targeted preservation orders would achieve the same aim less intrusively.

GS2 · PolityThe European Union's Data Retention Directive was invalidated on exactly this reasoning in 2014. India would need to demonstrate why the less intrusive alternative is inadequate.

SOURCE Justice K.S. Puttaswamy v. Union of India (2017)

What is the likely practical outcome?

If major providers decline again, Indian users lose access to reputable audited services and migrate to smaller, unaudited or offshore alternatives with weaker security practices — leaving the state no better able to investigate while users are less safe.

GS3 · Cyber SecurityA mandated five-year database linking identity to IP address is also a concentrated target: breaches, insider access and function creep become possible only because the data exists, and the costs fall hardest on security professionals, journalists and rights defenders who use VPNs for legitimate protection.

SOURCE Analysis of the 2022 outcome