How Blocking Creates the Problem It Tries to Solve
When Indian authorities invoked Section 69A of the Information Technology Act to block Telegram for six days in June 2026 — acting on National Testing Agency recommendations after fraudulent channels allegedly sold fake NEET-UG exam papers — the second-order effect was swift and predictable. VPN downloads in India surged 49 percent on the day the ban was announced. The government had removed a communication tool; the market routed around the removal.
This is the environment in which the Ministry of Electronics and Information Technology is now drafting a new legal framework for VPN providers. According to a MediaNama report published July 3, 2026, citing The Indian Express, the proposal would require VPN operators to establish physical offices in India and appoint local compliance officers, and would expose employees who fail to comply with government directives to potential jail terms. A senior MeitY official stated the rationale plainly:
"The 2022 Cert-In directives requiring VPN providers to store certain usage data have failed to rein in these companies, as they have simply refused to comply. So, the need for a full-fledged law is being felt."
The proposed framework would largely mirror the compliance architecture already imposed on major social media platforms under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — the same structure that requires platforms to appoint resident chief compliance officers, nodal contacts, and grievance officers.
What CERT-In Required — and How the Industry Responded
The CERT-In Directions No. 20(3)/2022, issued April 28, 2022 under Section 70B(6) of the Information Technology Act, 2000, were India's first direct attempt to bring VPN providers inside a domestic compliance architecture. They required operators to collect and retain for a minimum of five years: customer names, email addresses, IP addresses allocated to each subscriber, and the stated purpose of service hire — even after cancellation. Cybersecurity incidents had to be reported to CERT-In within six hours, a tighter window than the EU's 72-hour NIS2 standard.
The industry's response was swift and entirely rational from a business standpoint. NordVPN removed its physical servers from India on June 26, 2022 — one day before the directives took effect. ExpressVPN and Surfshark followed within days. Rather than comply with requirements that fundamentally contradict their core privacy proposition — no-log policies are the product, not an optional feature — the major providers shifted to virtual server arrangements: physical hardware in Singapore, the UK, or the Netherlands serving Indian IP addresses, beyond Indian jurisdiction. The rules remained on the books; in practice, they applied to no one who mattered.
The Government's Case Deserves a Serious Reading
The frustration behind this proposal is understandable, and the government's concerns are genuine. When a VPN provider has no legal presence in India — no office, no employees, no local assets — there is no lever to pull. The IT Rules 2021 succeeded in compelling large social media platforms to appoint local representatives precisely because those companies had substantial India operations they were unwilling to forfeit. Officials are reasonably asking why infrastructure that enables circumvention of lawful blocking orders should face no equivalent accountability.
The concern about content evasion is not manufactured. During the June 2026 Telegram block, VPN traffic spiked sharply — meaning an order issued under due legal process was partially circumvented by the population most motivated to do so. Enforcement without local presence is weak enforcement.
Why Criminal Liability Will Accelerate the Offshore Migration
The problem is that the proposed remedy will produce the opposite of its intended effect. A compliance officer at a VPN company faces a stark choice: accept personal criminal exposure for every government directive the company declines, or advise the company to maintain no employees in India at all. For VPN providers whose product is software and whose infrastructure is relocatable within hours, the second option is straightforward. Unlike Meta or Google, they have no advertising-dependent India revenue to protect.
The result of mandatory officer requirements plus criminal sanctions will not be a cohort of newly compliant VPN firms. It will be faster, cleaner offshore migration — leaving Indian users dependent entirely on providers with no jurisdictional presence, making enforcement weaker than it already is. The regulation, as described, would eliminate what little enforcement surface currently exists.
There is also a category error in applying the IT Rules 2021 model to VPN providers. Social media platforms have affirmative content obligations — they publish and host material, and can be directed to remove specific content. VPN providers route encrypted packets; they have no content to moderate. An instruction to "not facilitate access to blocked content" is, technically, a demand to inspect or throttle encrypted traffic — which breaks the encryption the product depends on.
What Proportionate Regulation Would Look Like
The more productive conversation is about the underlying blocking regime, not VPN compliance. India's Section 69A process is administratively broad — blocks can be issued without judicial pre-authorisation, with limited appeal windows and opaque reasoning. Narrower, judicially supervised blocking orders with clearer legal standards would reduce structural demand for circumvention tools that no compliance mandate can reach.
Where law enforcement genuinely needs data from VPN providers in criminal investigations, the mechanism that works across jurisdictions is mutual legal assistance treaty requests and targeted court orders directed at parent companies wherever incorporated. Major VPN providers have complied with such orders in European jurisdictions. What they uniformly refuse is mass data retention that eliminates the product.
India is among the world's largest VPN markets by download volume, with millions of ordinary users — not just activists or circumventors — relying on VPNs for corporate security, journalism, and privacy on public networks. A framework that drives compliant providers offshore does not close the enforcement gap. It eliminates the remaining channel for cooperation while leaving the market fully served by providers now entirely beyond reach. The 2026 draft law, as currently described, is designed to repeat the 2022 failure — not fix it.