Centre warns VPNs over sites leaking Indians' personal data
12 Dec 2025
The Ministry of Electronics and Information Technology (MeitY) has issued a warning to virtual private network (VPN) service providers and online intermediaries.
The advisory cautioned against allowing access to websites that leak personal information of Indian citizens without their consent.
The move comes after MeitY flagged sites like proxyearth.org and leakdata.org for allegedly exposing sensitive details such as names, addresses, phone numbers, and email IDs through a search on just an Indian mobile number.
MeitY emphasizes user safety and privacy
Advisory details
MeitY's advisory stressed the serious risks these websites pose to user safety and privacy.
The ministry said that such platforms are operating against Indian law, as they allow public access to personal information without authorization.
It also noted that these sites can be accessed through VPN services, making it imperative for their providers to take action.
Intermediaries reminded of their obligations under IT Act
Compliance reminder
The advisory also reminded intermediaries of their obligations under the Information Technology Act, 2000 and the IT Rules, 2021.
These rules prohibit hosting or transmitting information belonging to another person without rights, invading someone's privacy, or threatening public order.
The ministry emphasized that intermediaries and VPN service providers must take immediate action to ensure no user is allowed to host/display/publish/transmit/store/update/share any information that belongs to another person and violates privacy laws.
VPNs face scrutiny over data retention policies
Data retention
In 2022, the Indian Computer Emergency Response Team issued directions mandating VPNs, cloud service providers, and VPS operators to collect and store verified customer information for five years.
The requirement applied even after a service was discontinued.
Major VPN companies like Proton VPN, ExpressVPN, NordVPN, and Surfshark had to remove their physical servers from India to avoid this data-retention mandate.
Non-compliance could lead to legal action
Legal implications
The ministry's latest directive highlights the serious nature of the situation and reiterates that VPN services and intermediaries must make reasonable efforts not to permit access to such websites.
It also warns that failure to comply could cost companies their safe-harbor protections under Section 79 of the Act, exposing them to action under the Act.