Digital Dragnet Tightens: MeitY Orders VPNs To Slam Door On Data Breaches

Last Updated:December 13, 2025, 06:42 IST

The government warned that failure to comply with this directive could result in severe legal repercussions

This move is part of India's broader and increasingly rigorous push for data accountability. Representational image

The Ministry of Electronics and Information Technology (MeitY) has issued a significant advisory directing Virtual Private Network (VPN) service providers and other online intermediaries to immediately block access to websites found to be leaking the personal information of Indian citizens. This stern directive underscores the government’s escalating efforts to safeguard digital privacy and combat the growing threat of identity theft and financial fraud stemming from data breaches.

The advisory, issued on December 11, specifically flagged platforms such as proxyearth.org and leakdata.org, among others. These websites were found to be operating in violation of Indian law by allegedly exposing sensitive personal details—including names, mobile numbers, addresses, and email IDs—that could be retrieved simply by entering an Indian mobile number. MeitY stated that this unauthorised public access to private data poses a “significant risk" to user safety, enabling targeted scams and stalking.

A critical focus of the advisory is the role of VPN services. The ministry noted that despite official blocking attempts by Internet Service Providers (ISPs), these offending sites often remain accessible via VPNs, necessitating action directly from the providers themselves. The directive reminds all intermediaries—including VPN companies, cloud service providers, and social media platforms—of their due diligence obligations under the Information Technology (IT) Act, 2000, and the IT Rules, 2021. These rules mandate that intermediaries must take “immediate and effective action" to ensure that unlawful or privacy-violating content is not hosted or shared on their platforms.

Crucially, the government warned that failure to comply with this directive could result in severe legal repercussions. Non-compliant companies risk losing their safe-harbour protections under Section 79 of the IT Act, which generally shields them from liability for third-party content. Should this protection be revoked, intermediaries would be liable for consequential action under the IT Act and the newly enacted Bharatiya Nyaya Sanhita, 2023.

This move is part of India’s broader and increasingly rigorous push for data accountability. It follows the controversial 2022 mandate from the Indian Computer Emergency Response Team (CERT-In) that required VPN providers to collect and store verified customer information logs for five years. That earlier mandate led several major global VPN companies, including ExpressVPN and NordVPN, to remove their physical servers from India. The new advisory reinforces the message that all entities operating within the Indian digital ecosystem, regardless of their operational model, must actively ensure compliance with national data security and privacy standards.

News tech Digital Dragnet Tightens: MeitY Orders VPNs To Slam Door On Data Breaches

Read More