Is a VPN Legal in India? Current Status and Data Rules

Is a VPN legal in India?

Yes. Using a virtual private network (VPN) is legal in India. There is no law that bans individuals from installing or using VPN software, and VPNs are widely used by businesses, remote workers, and travelers for security and privacy. As with any tool, the legality depends on what you do with it: a VPN does not make otherwise-illegal activity (such as fraud, accessing banned content, or copyright infringement) lawful.

The regulatory attention in India is aimed mainly at VPN service providers, not at end users.

The CERT-In 2022 directions for providers

The most significant rules come from the Indian Computer Emergency Response Team (CERT-In). Its Directions No. 20(3)/2022, issued on 28 April 2022 and effective from 28 June 2022, require VPN providers (along with data centers, cloud providers, and VPS providers) to:

• Collect and validate subscriber details such as full name, address, email, phone number, the purpose of use, IP addresses allotted, and ownership pattern.
• Retain that subscriber information for at least five years after a user cancels the service.
• Maintain ICT system logs for at least 180 days within Indian jurisdiction.
• Report listed cyber incidents to CERT-In within six hours of detection.

These obligations effectively conflict with strict no-logs policies. In response, several major international VPN providers removed their physical servers from India and now offer Indian IP addresses through “virtual” servers hosted in other countries.

What this means for users

For an ordinary user, these rules change how providers operate but do not make personal VPN use illegal. Foreign visitors and business travelers can use VPNs in India under the same principle that applies to everyone: do not use them to commit unlawful acts.

If logging and jurisdiction matter to you, check whether a provider keeps physical or only virtual servers in India and review its published logging and transparency practices.

Data protection: the DPDP Act

India’s Digital Personal Data Protection Act, 2023 governs how organizations handle personal data. The Act and its 2025 Rules were notified on 13 November 2025, with most substantive compliance obligations phasing in over roughly 18 months (targeted around 2027). It addresses data processing by organizations rather than restricting individual VPN use, but it is part of the broader data-rules landscape that may affect how providers operate.

Important caveats

This guide summarizes publicly available information and is not legal advice. Laws, directions, and enforcement practices change, and details can be interpreted differently in specific situations. Before relying on any point here, verify the current text of the CERT-In directions and the DPDP Act with official Indian government sources, or consult a qualified Indian lawyer for your circumstances.