VPNs, WhatsApp Usernames and India’s Expanding Digital Control Architecture: What the Law Says
Two regulatory developments reported in early July 2026 illuminate a deepening tension at the heart of India’s digital governance framework. On one side: the government’s drive to assert jurisdiction over virtual private network (VPN) providers and to demand that messaging platforms roll back features it regards as risk-prone. On the other: the constitutional protections for privacy, speech and access to information that the Supreme Court has recognised as fundamental rights. For CLAT aspirants, these developments are a live stress-test of the Information Technology Act, 2000, the IT Rules, 2021, and the landmark right-to-privacy judgment — all standard components of the legal reasoning syllabus.
What Happened: Two Converging Stories
The VPN Crackdown
The Central government is working on an expansive legal framework that would require VPN providers to establish a physical presence in India — including local offices and designated compliance officers or liaison personnel. This initiative builds on a controversial 2022 directive issued by the Indian Computer Emergency Response Team (CERT-In), which required VPN service providers operating in India to maintain customer data for five years: names, email addresses, contact numbers, IP addresses assigned to users and the purpose of use.
Several major VPN providers refused to comply with the 2022 CERT-In directive and instead withdrew their physical servers from India, routing Indian users through servers abroad. The proposed new framework would close this workaround: if VPN providers must have a local presence, they become subject to domestic enforcement and court orders in a way they currently can evade.
The government’s stated justification is law enforcement: VPNs are increasingly used to circumvent the content-blocking regime that India has built over the past decade. India issued over 24,000 content-blocking orders in 2025 alone — double the approximately 12,000 orders issued in 2024. Without VPN regulation, a user can simply connect to an overseas server and access any website or app that has been blocked by Indian authorities.
The Messaging App Notices
Separately, the Ministry of Electronics and Information Technology (MeitY) sent notices to WhatsApp, Telegram and Signal regarding a proposed “username” feature — a system that would allow users to be identified by a chosen handle rather than their phone number. The government asked WhatsApp specifically not to roll out this feature, citing risks of impersonation, phishing, online fraud and what has come to be called “digital arrest” — a scam in which fraudsters, posing as law enforcement, extort victims by threatening fake arrests via video call.
The government’s concern is that usernames, by decoupling identity from phone numbers, would reduce traceability and make it harder to identify and prosecute individuals who use messaging platforms for criminal activity.
The Legal Framework: IT Act, Section 69A and Intermediary Liability
Section 69A: Blocking of Online Content
Section 69A of the Information Technology Act, 2000, empowers the Central government to block public access to any information in the interest of the sovereignty and integrity of India, defence, security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of any cognisable offence. Blocking orders under Section 69A are issued without prior judicial scrutiny — they are executive orders reviewed only retrospectively by a Review Committee.
The Supreme Court upheld Section 69A in Shreya Singhal v Union of India (2015), but only with significant qualifications. The Court struck down Section 66A (which criminalised “offensive” online speech) as unconstitutionally vague, but upheld Section 69A on the ground that it was a narrower provision confined to specific heads, required reasons in writing, and had a review mechanism. Critically, the Court required that blocking orders be “proportionate” and linked to the identified grounds — they cannot be used as a blunt instrument to suppress inconvenient speech.
The exponential growth in blocking orders — from 12,000 in 2024 to 24,000 in 2025 — raises an obvious proportionality question: are all these orders individually reasoned and linked to a recognised ground, or has Section 69A evolved into a mechanism for administrative convenience?
Section 79: The Safe Harbour Doctrine
Section 79 of the IT Act provides a “safe harbour” for intermediaries — platforms like WhatsApp, Telegram, Google and Meta — shielding them from liability for third-party content hosted on their platforms, provided they observe due diligence and comply with takedown notices. This safe harbour is the legal basis on which social media platforms operate in India without being held responsible for every post by every user.
The IT Rules, 2021 (formally the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021) operationalise Section 79. They impose obligations on “significant social media intermediaries” (those with over five million users) to appoint a grievance officer, a nodal officer and a Chief Compliance Officer — all resident in India. They also require messaging platforms capable of transmitting messages to trace the “first originator” of a message when legally required. This traceability requirement is directly relevant to the government’s concern about untraceable usernames.
CERT-In and the 2022 Directive
CERT-In (the Indian Computer Emergency Response Team) operates under Section 70B of the IT Act. Its 2022 direction requiring VPN providers to maintain customer logs for five years was issued under its power to call for information from service providers for the purpose of cyber-incident analysis. Critics argued that this direction effectively required VPNs to destroy the core value they offer — anonymity — and that it had no statutory basis proportionate to the privacy intrusion it demanded.
The Right to Privacy and Article 19: A Constitutional Collision
K S Puttaswamy v Union of India (2017)
The nine-judge bench of the Supreme Court in Justice K S Puttaswamy (Retd) v Union of India (2017) unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution. The judgment established that privacy encompasses informational privacy — the right of individuals to control data about themselves — as well as the right to choose one’s mode of communication.
Any law that intrudes on informational privacy must satisfy a three-part test: (1) it must be sanctioned by law; (2) it must serve a legitimate state aim; and (3) the means used must be proportionate to the aim. Applied to the proposed VPN framework, the question is whether requiring local presence and data retention satisfies this proportionality standard — particularly when less intrusive alternatives (such as targeted court orders against specific users) may be available.
Article 19(1)(a) and Reasonable Restrictions
Article 19(1)(a) guarantees the right to freedom of speech and expression, which the Supreme Court has interpreted to include the right to receive information. Article 19(2) permits the state to impose reasonable restrictions on this right on grounds including public order, decency, morality, and the sovereignty and integrity of India. The content-blocking regime under Section 69A is an exercise of this Article 19(2) power.
However, the right to access information — and by extension, the use of tools like VPNs to access blocked content — sits in a complex constitutional space. If a blocking order is itself disproportionate or issued on impermissible grounds, then a citizen’s use of a VPN to circumvent it could arguably be an exercise of Article 19(1)(a) rather than an evasion of a lawful restriction.
The Digital Personal Data Protection Act, 2023
The DPDP Act, 2023, India’s first comprehensive data protection statute, imposes obligations on “data fiduciaries” — entities that process personal data — including data minimisation (collecting only what is necessary) and purpose limitation (using data only for stated purposes). The CERT-In directive requiring VPN providers to retain five years of user data sits uncomfortably with the DPDP Act’s data minimisation principle. Whether the national security and law enforcement exemptions in the DPDP Act are broad enough to shelter the CERT-In direction remains a live legal question.
The WhatsApp Username Controversy: Expression, Anonymity and Accountability
The government’s objection to messaging app usernames reflects a broader principle in Indian internet regulation: the preference for traceable identities. The IT Rules, 2021, already require messaging platforms to be able to trace the first originator of a message on court or government order. Usernames that replace phone numbers would complicate this traceability.
The counter-argument, made by digital rights advocates, is that anonymity is itself a component of the right to privacy and free expression. Whistleblowers, dissidents, journalists and abuse survivors often rely on non-identifying handles precisely because their safety depends on it. A regulatory framework that eliminates anonymity in the name of fraud prevention also eliminates the protection it affords to legitimate users. The Shreya Singhal judgment is instructive here: restrictions on speech must be narrowly tailored; broad prohibitions that catch protected expression along with harmful speech fail constitutional scrutiny.
Key CLAT Concepts to Note
- The Information Technology Act, 2000 — Section 69A (blocking powers) and Section 79 (safe harbour for intermediaries).
- The IT Rules, 2021, and the obligations they impose on significant social media intermediaries.
- The CERT-In 2022 directive and its legal basis under Section 70B.
- Shreya Singhal v Union of India (2015) — scope of Section 69A, striking down of Section 66A, and proportionality in speech restrictions.
- K S Puttaswamy v Union of India (2017) — right to privacy as a fundamental right; the three-part test for privacy intrusions.
- The Digital Personal Data Protection Act, 2023 — data minimisation, purpose limitation and national security exemptions.
- Article 19(1)(a) and Article 19(2) — the right to receive information and reasonable restrictions thereon.
Conclusion: Governance in the Age of Encrypted Networks
The twin developments around VPN regulation and messaging app features reveal a government navigating a genuine dilemma. On one side: the legitimate state interest in preventing fraud, maintaining public order and preserving the effectiveness of its content-blocking regime. On the other: constitutional rights to privacy, speech and access to information that the Supreme Court has made clear are not aspirational ideals but justiciable claims.
The legal framework India has built — the IT Act, the IT Rules, the DPDP Act — provides tools for both. The critical question, which courts will eventually be asked to resolve, is whether the proposed VPN framework and the pressure on messaging apps to abandon privacy-enhancing features satisfy the proportionality standard that Puttaswamy demands. For CLAT aspirants, the takeaway is that constitutional law does not stop at the boundaries of the physical world — it follows the user into the encrypted, anonymous spaces of the internet, and the state’s power to regulate those spaces is not unlimited.
Test Yourself — Daily Quiz
Practice Quiz — 10 CLAT-Style Questions
Click an option to reveal the answer and explanation.
