In a Westminster Hall debate this week, the UK’s Minister for Digital Government and Data, Ian Murray, responded to mounting pressure from lawmakers on the role of Virtual Private Networks (VPNs) in bypassing the Online Safety Act’s enforcement regime. Murray, speaking for the government, made clear that the review of the Act will consider VPNs and that “we will not hesitate to go further if necessary” to address circumvention of the UK’s online censorship law.
Murray’s full quote:
The Government continues to monitor the impact of circumvention techniques such as VPNs and the effectiveness of the Act in protecting children. We will not hesitate to go further if necessary, but we are due that report in July 2026, which will be 12 months from the implementation of the measures.
It’s not the first time the UK government has refused to rule out statutory restrictions on VPNs, a measure which would put the country in a club of authoritarian nations that include China, North Korea, Iran, Russia, and Belarus. It’s also not the first time that UK MPs have demanded action on the matter.
Parliamentarians pressing the minister framed their questions around the rapid rise in VPN usage in the UK, particularly since age verification rules under the Online Safety Act took effect. MP Jim McMahon, addressing Murray directly, argued that the law’s current scope leaves a gap. “It cannot be beyond the wit of man to find a way for these VPN companies to bridge between the service user and the ultimate website or platform that they are viewing, so why are VPNs not in scope of the legislation to ensure that they are compliant with the age verification measures?” he asked.
McMahon continued, pressing that responsibility should extend beyond websites themselves. “Surely the onus should be on the VPN company to comply with the law also,” he said, underscoring a growing sentiment among some MPs that privacy tools themselves should fall within the regulatory perimeter.
The minister’s response reflected the government’s broader defense of the Online Safety Act. Murray emphasized that the legislation is designed to protect children online and insisted that it “does not limit freedom of speech,” in the same breath touting the duties the Act imposes on platforms to address “harmful” content.
Far from Murray’s claim that the OSA doesn’t impact freedom of speech, it demands tech platforms target and address “disinformation” and “racially aggravated” material. Penalties for non-compliant companies can reach up to 10 percent of a company’s global revenues — a similar enforcement mechanism to the EU’s Digital Services Act, recently employed to fine Elon Musk’s X to the tune of $140 million.
The goal is not just to regulate UK tech companies, but American ones, with UK regulators authorized to target a platform’s commercial partners (such as advertisers and webhosts) in the event of repeated noncompliance. The law even enables UK authorities to criminally penalize and jail tech executives who don’t comply.
Murray’s remarks come amid escalating backlash against the Online Safety Act from civil liberties groups. The Electronic Frontier Foundation, Open Rights Group, Big Brother Watch, and Index on Censorship recently submitted a joint briefing to Parliament urging repeal or significant reform of the law. They warn that the Act threatens privacy and free expression, particularly as age‑assurance requirements expand and policymakers openly discuss regulating tools designed to protect anonymity.
Since enforcement began, VPN applications surged to the top of UK app store charts, a signal that many users are unwilling to submit identity data simply to access lawful content. More than half a million people signed an official government petition calling for repeal or major changes to the Act, reflecting public concern that the law has gone too far.
