India Passes Law Forcing VPNs to Collect User Data

A new national directive seems to have rendered VPN technology - built on a lack of data collection - legally inoperable.

The Indian government recently passed a law that demands all companies collect and hold user data for up to five years, which stands at odds with the core mission statement of most VPNs.

VPNs are used by both businesses and consumers all over the world to encrypt their internet traffic and protect themselves with an enhanced level of online privacy.

But this new law may mean this privilege is no longer available to internet users in India, who already have to deal with their government’s intrusive approach to online life.

India Passes Data Retention Law

India has passed a new national directive that applies to VPN companies, as well cloud service providers, data centers, and crypto exchanges, which effectively makes it a legal requirement to collect specific, extensive customer data and hold onto it for at least five years. Companies will also have to report “unauthorized access to social media accounts” as part of the directive.

Instigated by the country’s Computer Emergency Response Team, known as CERT-in, ignoring the demands could lead to up to one year in jail.

VPN companies operating in India will have to hold on to customer names, data about usage patterns, validated physical and IP addresses, and other types of information that could be used to identify an individual.

Concerningly, even if a customer cancels their subscription with a VPN company and deletes their account, the data will still have to be held.

Why This Creates a Massive Problem for VPN Companies

The main selling point of every good VPN has been that it doesn’t hold, collect, or record any user data on the customers that use its services – this is the whole reason that people use VPNs when they head onto the internet. The core purpose of a Virtual Private Network is that the web addresses you visited are decoupled from your IP address – so the demand to collect customer information and activity-related data is completely at odds with this.

Some VPN companies have taken this a step further, deploying RAM-only servers that wipe themselves clean every time they’re powered down (which is regularly). This has been a trend in the industry for a year or so now and most of the big names you’ll recognize (ExpressVPN, NordVPN, Surfshark) all have RAM-only servers.

The prevalence of RAM-only servers in VPN infrastructure in India will cause providers of such services legal problems for just carrying on operating the same way as they have been.

What happens in countries where VPNs are illegal?

Importantly, India hasn’t passed a piece of legislation that says VPNs are outright illegal. Instead, they’ve made it a legal requirement to collect certain types of data – which VPNs deliberately don’t do – and have subsequently made VPNs illegal as a byproduct.

There are very few countries where VPNs are completely illegal – but this directive passed by the Indian Government may provide a pathway for countries that have struggled to crack down on VPN usage but would quite like to. There are a number of countries (like China) where, legally, VPNs are in a bit of a grey area.

With the technology completely illegal in so few countries, it will be interesting to see how the Indian government chooses to enforce this law and how it affects businesses that use VPNs – especially considering the state of their global economy.

In places like the US, business VPNs are very popular, and this makes it more difficult for countries like China to crack down on the technology because their commercial usage is so vital and important that it would be economically unwise to do so. Considering this, it wouldn’t be unsurprising if there were some unforeseen effects of the ban in India.

One thing is for certain though – internet freedom in the world’s second-most populous country has been dealt a massive blow.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Aaron Drapkin is a Lead Writer at He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals