Virtual Private Networks (VPNs) are software tools that encrypt your internet traffic and mask your IP address by routing your connection through servers in different locations. They are used globally for privacy protection, bypassing censorship, accessing geo-blocked content, and securing communications on public Wi-Fi. In India, the question of VPN legality has become increasingly complex following significant regulatory changes. Here is everything you need to know about VPN legality in India in 2026.
VPNs Are Legal in India — But With Important Caveats
Yes, using a VPN is legal in India. The Indian government has not issued a blanket ban on VPN usage. There is no law under the Information Technology Act, 2000, or any other statute that specifically criminalises downloading, installing, or using a VPN for lawful purposes. Millions of Indians use VPNs daily for privacy, remote work, secure banking, and accessing streaming content.
However, India’s regulatory environment around VPNs has significantly changed since 2022, and several caveats apply. Understanding these nuances is essential before you decide to use a VPN.
The 2022 CERT-In Data Logging Mandate: A Game Changer
In April 2022, India’s Computer Emergency Response Team (CERT-In) — the national cybersecurity agency under the Ministry of Electronics and Information Technology (MeitY) — issued a sweeping directive that fundamentally changed how VPN providers operate in India.
The CERT-In directions require all VPN service providers with physical servers in India to maintain detailed records of their customers for a period of five years or more, including: the names of all users and subscribers, the period of use and IP addresses assigned, the email address, IP address, and time stamp used at registration, the reason for using the service, and validated contact information.
This mandate effectively undermined the core value proposition of privacy-focused VPNs — the no-logs policy. If a VPN provider keeps logs, government agencies can request and obtain your browsing history and connection records in the course of law enforcement investigations.
How VPN Providers Responded
Leading global VPN companies responded to the CERT-In directive by pulling their physical servers out of India rather than complying with the logging requirements. Major providers including ExpressVPN, NordVPN, Surfshark, IPVanish, and others removed their India-based server infrastructure.
Instead, these providers now offer ‘virtual’ India servers — servers physically located in countries like Singapore or the United Kingdom but configured to provide an Indian IP address. These virtual servers operate outside Indian jurisdiction and are therefore not subject to the CERT-In logging mandate.
This approach allows users in India to continue using privacy-focused VPNs with minimal logging while technically side-stepping the mandate. The servers used for Indian traffic now reside in countries with stronger privacy protections.
Additionally, the government has instructed Google and Apple to remove 14 VPN apps from their respective app stores in India for non-compliance with the CERT-In directive. This means some VPN applications are no longer directly downloadable from official Indian app stores and must be obtained from the providers’ websites directly.
The Regulatory Tug-of-War: DoT vs MeitY
VPN regulation in India is also subject to a jurisdictional dispute between two government ministries. The Department of Telecommunications (DoT) and the Ministry of Electronics and Information Technology (MeitY) have both claimed regulatory authority over VPNs.
In June 2024, DoT asked the Telecom Regulatory Authority of India (TRAI) for recommendations on regulating VPNs under the Telecommunications Act, 2023. However, TRAI declined, stating that VPN applications fall under MeitY’s jurisdiction under the Information Technology Act. This regulatory confusion has left VPN oversight in a somewhat uncertain state, though enforcement of the CERT-In mandate has proceeded regardless.
VPNs for enterprise use — specifically corporate VPNs used within private company networks — have different treatment. The CERT-In directions acknowledge these, though businesses using VPN infrastructure for remote work must still register with applicable bodies.
The First Local Enforcement Action: Doda, J&K (May 2025)
The first concrete enforcement action against VPN users came in May 2025, when authorities in Doda district of Jammu & Kashmir implemented a two-month VPN ban under Section 163 of the Bharatiya Nagarik Suraksha Sanhita (BNSS). Reports emerged of users being detained for violations.
Legal experts widely criticised this as an unconstitutional overreach and a disproportionate interference with digital rights. This remains an isolated, localised enforcement action and not a national ban, but it signals that VPN restrictions can be enforced in sensitive security areas under emergency provisions.
The district is located in a region with ongoing security concerns, and the government invoked national security justifications. The action raised alarms among digital rights advocates about the potential for broader VPN restrictions in the future.
When VPN Use Becomes Illegal in India
While using a VPN is not itself illegal, what you do while connected to a VPN remains fully subject to Indian law. Using a VPN does not provide immunity from prosecution for any criminal activity. Activities that become illegal in combination with VPN use include: accessing or distributing child sexual abuse material (POCSO Act, 2012 and IT Act, 2000); accessing government-blocked websites for commercial distribution of copyright-infringing content; engaging in terrorism-related communications (UAPA); conducting financial fraud; purchasing illegal items on dark web marketplaces; and circumventing court orders.
Law enforcement agencies have successfully traced and prosecuted individuals who committed crimes using VPNs. Traffic analysis, exit node monitoring, cooperation with overseas VPN providers under mutual legal assistance treaties, and operational security mistakes by users have all enabled investigations despite VPN use.
The Right to Privacy and VPN Use
The Supreme Court of India’s landmark judgment in K.S. Puttaswamy v. Union of India (2017) recognised the right to privacy as a fundamental right under Article 21 of the Constitution. This ruling provides a constitutional backdrop against which VPN usage for privacy purposes can be seen as an exercise of a fundamental right.
The Digital Personal Data Protection Act, 2023 (DPDPA) further reinforces data privacy rights for Indian citizens. While it does not directly address VPN usage, it strengthens the principle that individuals have a right to control their personal data — a right that VPNs are designed to protect.
India’s approximately 31% of internet users who use VPNs occasionally represent a significant and growing constituency asserting their digital privacy rights. VPN adoption has grown by approximately 43% since 2022, suggesting that the regulatory changes have not significantly deterred usage.
Choosing a VPN That Protects Your Privacy in India
Given the CERT-In mandate, the safest approach is to use a VPN provider that does not have physical servers in India (to avoid the logging mandate), maintains an independently audited no-logs policy, uses RAM-only servers that cannot permanently store data, and has a transparent track record of protecting user privacy.
Providers like ExpressVPN, NordVPN, Surfshark, and ProtonVPN meet these criteria by using virtual India servers or by operating entirely outside India’s jurisdiction. Free VPNs, on the other hand, often monetise user data and are not a reliable privacy tool.
Final Thought
VPNs are legal in India for lawful purposes. The CERT-In mandate does not ban VPN use — it imposes logging requirements on providers with Indian servers. By using a VPN provider without Indian servers and with a strong no-logs policy, you can still exercise your digital privacy rights legally. Use VPNs responsibly for privacy, secure communications, and legitimate access. Never use a VPN as a tool to commit crimes — Indian law applies regardless of how anonymised your connection appears to be.
Frequently Asked Questions (FAQs)
Q1. Can I be arrested for using a VPN in India?
A: No. Using a VPN for lawful purposes is not a criminal offence in India. You can only face arrest if you use a VPN to commit an illegal act, such as accessing child abuse material, engaging in terrorism-related communications, or committing financial fraud. The VPN itself is not illegal.
Q2. Does the CERT-In mandate mean the government can see my VPN traffic?
A: If your VPN provider has physical servers in India and complies with the CERT-In mandate, the government can request your connection logs. However, most major VPN providers have removed their Indian servers to avoid this requirement. Using a provider with virtual India servers (hosted outside India) significantly reduces this risk, as foreign servers are outside CERT-In jurisdiction.
Q3. Is it safe to use a free VPN in India?
A: Free VPNs are generally not safe from a privacy standpoint. They often monetise user data through advertising and are unlikely to maintain robust no-logs policies. Some free VPN apps removed from Indian app stores for non-compliance have also raised security concerns. For genuine privacy, invest in a reputable paid VPN service with an independently audited no-logs policy.
Q4. Can I use a VPN for accessing streaming services like Netflix US or BBC iPlayer?
A: Using a VPN to access geo-blocked streaming content is technically a violation of the terms of service of those platforms, though it is not a criminal offence under Indian law. Streaming services do attempt to detect and block VPN usage. The legal risk lies primarily with the terms of service of the platform, not with Indian criminal law.
Q5. Are corporate VPNs legal in India?
A: Yes. Corporate or enterprise VPNs used for secure remote access to company networks are explicitly exempt from some of the more stringent individual-use restrictions and are a standard, accepted part of enterprise IT infrastructure. The CERT-In directions acknowledge enterprise VPN configurations as different from consumer VPN services, though some registration requirements may apply.
