The Indian government’s Ministry of Electronics and Information Technology (MeitY) has issued a strong warning to VPN (Virtual Private Network) service providers and digital intermediaries over allowing access to websites that are reportedly leaking Indian citizens’ personal data without consent. The advisory underscores growing concern about online privacy and data security as digital threats escalate.
🚨 Government Issues Advisory to Protect Personal Data
In a directive dated December 11, 2025, MeitY flagged several websites — including proxyearth.org and leakdata.org — that allegedly expose sensitive personal information like names, phone numbers, email IDs, and residential addresses linked to Indian mobile numbers.
The ministry highlighted that such content violates Indian privacy laws and poses a serious risk to citizens if left accessible, including through the use of VPN services.
🛡️ What VPN Providers Are Being Asked to Do
The advisory specifically asks VPN firms and other online intermediaries to:
- Block access to sites that publish personal data without consent.
- Ensure their services are not used to reach these risky platforms, including when accessed via VPN connections.
- Comply with Indian cyber and data protection laws, including due diligence obligations under the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
MeitY reiterated that failure to take “reasonable efforts” to curb such access could lead to legal consequences and affect safe-harbour protections under the IT Act
📊 Why This Matters: Risks to Privacy and Security
Sites that publish personal data without proper consent are seen as significant threats — enabling identity theft, phishing, scams, and other cyber crimes. MeitY’s warning points to a broader push by Indian authorities to strengthen data protection measures and clamp down on unauthorized dissemination of personal information.
VPN services are widely used for privacy and security online, but allowing access to sites that disseminate personal data puts providers under scrutiny and raises questions about balancing user privacy with legal compliance.
⚖️ Legal Context and Ongoing Cyber Policy
Under Indian law, intermediaries like VPN providers must follow due diligence duties that prohibit hosting or transmitting personal information that violates privacy or public order. These rules are part of a broader regulatory framework meant to protect the digital ecosystem. Moneycontrol
Earlier cybersecurity directions, such as those from the Indian Computer Emergency Response Team (CERT-In), also focused on VPN service compliance — including data retention requirements — which prompted some major VPN firms to remove servers from India to preserve privacy practices.
🔍 What’s Next?
The industry is watching how VPN providers will respond to MeitY’s advisory. With privacy pressures rising globally, this move could shape how digital privacy tools operate in one of the world’s largest internet markets. Compliance could mean tighter restrictions on access to certain sites, while non-compliance may invite enforcement actions.
