
VPN Jurisdiction: Where's the best place for a VPN to be based?

A VPN is an online subscription service that is designed to provide users with increased digital privacy. It does this in two ways - by concealing the user’s location (IP address) and by securely encrypting all their data.

VPN Jurisdiction map

Many people don't realise that where a VPN provider is headquartered can have a huge impact on the level of privacy the provider can actually offer. The best jurisdictions for VPN providers are locations where the government does not enforce any mandatory data retention. In addition, it is much safer for a VPN to be based in a country that has strong data protection laws.

While there are a number of locations that are considered "best for VPNs to be based" (and we will discuss these later), it is actually better to begin by looking at the places where it is worst for a VPN to be based. This is because understanding what is bad about those places sheds a lot of light on why certain places are better.

5-EYES nations

The Five Eyes (FVEY) is a surveillance agreement between the USA, the UK, Canada, Australia, and New Zealand. All five countries have signed the multilateral UK-USA Agreement, a treaty for joint cooperation in signals intelligence. It is the most comprehensive espionage alliance in the world. Also troubling, most FVEY nations have at least some level of mandatory data retention, warrants - and even gag orders - that permit intelligence agencies to put tech firms (like VPNs) under pressure to hand over logs about their users.

9-EYES nations

This is an extension of FVEY that adds France, Denmark, the Netherlands and Norway into the signals intelligence agreement. While the extra four 9-Eye nations are not considered as problematic as FVEY, they can be considered strongly aligned with the invasive practices of the other nations.

14-EYES nations

This is the third and final extension of the FVEY surveillance treaty. It adds Belgium, Germany, Italy, Spain, and Sweden to the list of countries that should be regarded with suspicion when it comes to data privacy.

The European Union

Countries that are members of the European Union are sometimes considered less favorable for privacy. This is especially true if the country implements the 2006 EU Data Retention Directive (DRD; now defunct, but enshrined in most EU countries' local laws) against VPN providers. EU states that have closer ties to 14 Eyes nations most likely cooperate with FVEY, and almost all perform some level of covert surveillance. Despite this, there are some EU countries that are known to outshine the rest when it comes to privacy (more on these later on).

Countries with mandatory data retention laws

Mandatory data retention laws force ISPs (and sometimes other tech firms) to retain detailed logs of all the traffic that passes through their servers. Many EU nations have mandatory data retention laws that directly apply to VPNs as well as ISPs.

Warrants and gag orders

Countries without mandatory data retention laws that apply directly to VPNs (such as the US) often enforce "gag orders." A gag order stops a firm from disclosing to the public that it has begun retaining logs on behalf of the government. Even a zero-logs VPN could be compromised within a nation with warrants and gag orders, and subscribers would never know.

What are the best VPN jurisdictions?

Of all the known jurisdictions where VPNs are based, there are a few that stand out as "the best". These locations are considered better places for VPNs to be based for any of several reasons:

  • Better privacy laws
  • Fewer ties to Western governments and FVEY/14-EYES
  • Less economically able to devote money to large-scale surveillance

Here is a list of our favorite jurisdictions, with reasons why they are generally preferred:

Hong Kong

Despite its proximity to China and historical ties to the UK, Hong Kong now profits from economic and political independence. It also has strong privacy laws that make it a great location for a VPN to be based.

Romania

Although it is a member of the EU, Romania is not a 14-EYES country. It does not enforce Mandatory Data Retention or the EU’s DRD (for ISPs or VPNs). This makes it one of the few European locations that are considered safe for VPN firms to be based.

Bulgaria

This is another country that does not enforce Mandatory Data Retention laws or the EU’s DRD against tech firms (including VPNs). Bulgaria also remains outside of the 14-EYES treaty.

Singapore

Despite having a lot of censorship, Singapore is a capitalist Mecca that is generally regarded as a tech-haven. It has strong data privacy laws that protect both businesses and individuals’ data. It is a good place for a VPN firm to be based because the government tends to leave international tech firms alone. Check out our Singapore VPN page for more details on services with servers in the country.

Panama

This country has no mandatory data retention laws, which is why it is believed to be good for privacy. However, its strong political ties to the US could allow it to be pressured by the US government. It is still better than a FVEY or 14-EYES country.

The British Virgin Islands

The BVI regulates its own internal affairs and has no mandatory data retention laws. However, since it lies under the jurisdiction and sovereignty of the UK government, it seems reasonable to assume that the UK could put pressure on the BVI government and businesses. So (and this is something of a guess, as the legal situation is very murky) being based in the BVI is thought to be safer than being based in a 14-EYES nation.

The Netherlands

This country has traditionally been considered strong for data privacy. Many privacy-oriented firms are based in this country, including Startpage, the privacy-focused search engine endorsed by Edward Snowden. Sadly, the Netherlands is trying to pass new mass surveillance laws. For the time being, it remains in limbo following a referendum that rejected the invasive new policies. It is also a member of 14-EYES.

Sweden

Although Sweden does have mandatory data retention laws, DRD is never enforced against VPNs. This makes Sweden one of the few countries considered to be safe for a VPN to be based. However, it does perform surveillance and is a member of 14-EYES.

Written by: Ray Walsh

Digital privacy expert with 5 years' experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more.

14 Comments

Joe
on April 27, 2024
Hi I'm with VPN.ac who are based in Rumania, if I connect to a server in another country, eg USA, does that server abide by where it resides or Rumania law? Thanks
Danka Delić replied to Joe
on May 2, 2024
Hi Joe! When you connect to a VPN server in a different country, such as the USA, while using a service based in Romania like VPNs, the server generally operates under the laws of the country in which it is located. This means that the VPN server in the USA would be subject to US laws and regulations regarding data retention, surveillance, and other legal requirements.
Molnar Milan
on December 12, 2023
Hello, what is the best country to choose for dedicated IP or shared IP? I'm using NordVPN.
Danka Delić replied to Molnar Milan
on March 1, 2024
Hello Mr. Molnar, thanks for your comment! The selection of the country, or precise IP address, depends on your specific needs. You can contact NordVPN customer support and tell them what you're planning to use the VPN for and from which country you're coming, and they'll give you the best suggestions, confidentially of course. I hope this was helpful.
Anonymous
on January 4, 2020
What about Norway?
Douglas Crawford replied to Anonymous
on January 6, 2020
Hi Anonymous. Please see the Norway entry in our World Privacy Report.
Foster
on December 27, 2019
Doesn’t Singapore have mandatory data retention laws?
Douglas Crawford replied to Foster
on January 2, 2020
Hi Foster. As far as we can determine, no. Although ISPs are required to take “all reasonable steps” to filter content deemed “undesirable, harmful, or obscene.”
