ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

GDPR Report: The state of the VPN industry

Introduction

May 25, 2018, was a seminal moment in the fight for digital privacy as GDPR became enforceable across the European bloc. The new EU regulation replaces the existing Data Protection Directive, which was established before internet adoption was widespread and was doing little to protect the vast ocean of online data of European citizens.

Being a directive, the previous framework was flexible and open to regional interpretation. In stark contrast, GDPR is a regulation and sets out a series of precise requirements in order to ensure the protection of personal data. Companies found to be non-compliant are at risk of hefty fines. The maximum fine that can be imposed for the most serious infringements is 4% of annual global turnover or €20 million (whichever is greater). For less serious infringements, a fine of up to 2% of global annual turnover can apply. Either way, the threat of such significant fines has sent shockwaves through organizations of every shape and size.

At ProPrivacy.com, we believe that digital privacy is a fundamental human right. With state-funded mass-surveillance initiatives and multinationals collecting and analyzing yottabytes of personal data, our right to privacy in under direct threat. Any legislation which protects the right to privacy must be seen as a positive step. As a result, we fully support GDPR and believe that everyone in our industry should do the same.

ProPrivacy.com has produced this GDPR report in an effort to increase transparency and promote positive industry-wide change.

Methodology

To gain a comprehensive understanding of how VPN providers have handled the change in legislation, ProPrivacy.com adopted a two-phase approach to its research. First, we approached leading providers directly and asked if they'd be willing to document their policies and processes fully using a series of questions created by our third-party compliance advisers.

We then scrutinized the privacy policies and notices for each of the major providers, comparing them to the requirements stipulated in the regulation.

Audit Results

ProPrivacy.com contacted nine of the leading providers and asked them to conduct a voluntary audit of their GDPR processes and policies.

Click Here to see complete audit questions

  1. Have you installed a data protection management system in order to ensure and be able to prove that your processing is in compliance with the GDPR?
  2. Were you able to get rid of all unnecessary user information? (address, postal code, ZIP code, etc.)
  3. Were you able to get rid of all unnecessary user information in any 3rd party app you use?
  4. What personal data is processed? (e.g. name, address, telephone number etc.)
  5. Why is this personal data processed? For what purpose are they used?
  6. Were you able to get rid of all user data in every 3rd party software you’re not using anymore?
  7. Were you able to get rid of all tracker software on your website? * If not, which ones are you using at the moment and why?
  8. Users need to be able to download all their data. Are you able to do that?
  9. The right to rectification – if the information is wrong or incomplete the customer can ask for it to be changed. Do you have that option?
  10. Users need to be able to request the removal of their entire account and their user data. Can your users do that?
  11. Users need to have the right to be informed about any changes in our business that can affect them and their data. Do you have a protocol for that?
  12. The company’s GDPR statement needs to be presented in its:
    • End-User License Agreement
    • Terms of Service
    • Privacy Policy
    • Cookie Policy

Can you confirm this is the case?

  1. How does your company categorize personal data?
  2. Can you confirm you have the following?
    • Data Flow Chart
    • Data Protection Policy
    • Information Security Policy
    • Acceptable Use Policy
    • Confidential Data Policy
    • Password Policy
    • Physical Security Policy
    • Who has access to server information within the organization/outside the organization?
    • Who authorizes such access?
    • Network Security Policy
    • Wireless Network and Guest Access Policy
    • Remote Work Policy
    • Email Policy
    • Incident Response Policy
    • A signed Contract that states the policies mentioned above have been read and understood.
  3. Do you currently have a Data Protection Officer?
    • To whom does the Data Protection Officer report?
    • What responsibilities does the Data Protection Officer have?
    • Are written agreements in place between your organization and the data controller that outline how personal data should be processed?
    • How do you check that there has been no internal unauthorized access to personal data? What data audit facilities/mechanisms are in place?
    • How is personal information terminated?
    • Who authorizes termination? Who carries out termination?
  4. External Contractors and Involvement of third parties:
  5. Do you engage third parties for the execution of your activities (processors)?
  6. Are there clear instructions in the contract detailing what happens to the data at the end of the contract period?
  7. Under the contract with the data controller, are you responsible for the destruction of the data?
  8. What agreements are in place with contractors who provide shredding facilities/services?
  9. Do the sub-processors used by your organization use any other organization to perform that service on their behalf? If so, list the organization and any written arrangements in place in regard to the service these sub-contractors offer.
  10. How often do you have Security Audits?
  11. Do you have GDPR Educational Materials?
    • Do you have Educational Materials for the team?
    • Also, do you have separate Educational Materials for the Customer Support Team that contains relevant information for the customers?

Audit Participants

Invited to audit:

ProviderInvited?
PIAYES
CyberGhostYES
ExpressVPNYES
ProtonVPNYES
HotSpot ShieldYES
TunnelBearYES
PrivateVPNYES
BufferedYES
NordVPNYES

Able to demonstrate compliance?

ProviderCompliant?
PIAYES
CyberGhostYES
ExpressVPNNO
ProtonVPNNO
HotSpot ShieldNO
TunnelBearYES
PrivateVPNNO
BufferedYES
NordVPNNO

Privacy Policy Analysis

GDPR isn't just about being compliant, it's about demonstrating that compliance to both the regulators and to data subjects. As a result, terms of service and privacy policies are more important now than ever before. They are the first and last line of defense. Without communicating policies to customers, organizations are failing to meet the requirements of the legislation, regardless of whether or not their data handling policies are compliant. Article. 13 of GDPR states that data controllers should provide the following information:

  • the data controller's identity and contact details
  • details of your data protection officer (if they are required to have one)
  • the purpose and legal basis for data processing
  • where the legal basis for processing is legitimate interest, what that interest is
  • where the legal basis is consent, the right to withdraw consent at any time
  • the existence of an individual's rights (known as data subject rights)
  • with whom you will share personal data (named parties or categories of recipients)
  • whether you plan to transfer data to third countries and what safeguards will exist
  • how long they will keep the personal data for (or details of your retention criteria)
  • the right to lodge a complaint
  • if there is a statutory or contractual requirement for the data subject to provide personal data, and if so, the consequences of failing to provide data

Furthermore, Article. 12 states that this information should be communicated in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

Using Article 12 and 13 as a template, ProPrivacy.com scrutinized the privacy policies of the top 14 providers in the industry looking for the following metrics:

  • Is GDPR explicitly mentioned in policy?
  • Does policy state:
    1. Who is collecting the data?
    2. What data is being collected?
    3. What is the legal basis for processing the data?
    4. How will the information be used?
    5. How long will the data be stored for?
    6. What rights does the data subject have?
    7. How can the data subject raise a complaint?
  • Is the policy easy to find?
  • Is the policy easy to understand?
  • Are there terms that are in contradiction to GDPR?

Privacy Policy Analysis: The Results

ExpressVPN

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? NO
    • What rights does the individual has? NO
    • How the individual can raise a complaint? YES

Overall Score: 7/11, 64%

NordVPN

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? NO
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? NO
    • How long the data is stored for? NO
    • What rights does the individual has? NO
    • How the individual can raise a complaint? YES

Overall Score: 5/11, 45%

CyberGhost

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? MINIMAL
    • How the information is used? YES
    • How long the data is stored for? YES
    • What rights does the individual has? YES
    • How the individual can raise a complaint? YES

Overall Score: 9/11, 82%

IPVanish

  1. Is GDPR mentioned in the privacy policy? YES
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? YES
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? NO
    • What rights does the individual has? QUESTIONABLE
    • How the individual can raise a complaint? YES

Overall Score: 7/11, 64%

AirVPN

  1. Is GDPR mentioned in the privacy policy? YES
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? NO
    • What rights does the individual has? YES
    • How the individual can raise a complaint? YES

Overall Score: 10/11, 90%

PrivateVPN

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? YES
  5. Does the privacy policy state:
    • Who is collecting the data? NO
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? NO
    • What rights does the individual has? NO
    • How the individual can raise a complaint? YES

Overall Score: 5/11, 45%

Buffered

  1. Is GDPR mentioned in the privacy policy? YES
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? YES
    • How the information is used? YES
    • How long the data is stored for? YES
    • What rights does the individual has? YES
    • How the individual can raise a complaint? YES

Overall Score: 11/11, 100%

Hotspot Shield

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? YES
  5. Does the privacy policy state:
    • Who is collecting the data? NO
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? NO
    • What rights does the individual has? NO
    • How the individual can raise a complaint? NO

Overall Score: 4/11, 37%

VyprVPN

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? ONLY FOR LOGS
    • What rights does the individual has? YES
    • How the individual can raise a complaint? NO

Overall Score: 8/11, 73%

TunnelBear

  1. Is GDPR mentioned in the privacy policy? NO
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? YES
    • How the information is used? YES
    • How long the data is stored for? YES
    • What rights does the individual has? YES
    • How the individual can raise a complaint? YES

Overall Score: 10/11, 90%

PrivateInternetAccess

  1. Is GDPR mentioned in the privacy policy? YES
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? YES
    • How the information is used? YES
    • How long the data is stored for? YES
    • What rights does the individual has? YES
    • How the individual can raise a complaint? YES

Overall Score: 11/11, 100%

ProtonVPN

  1. Is GDPR mentioned in the privacy policy? YES
  2. Is the privacy policy easy to find? YES
  3. Is the privacy policy easy to understand? YES
  4. Do any terms contradict GDPR law? NO
  5. Does the privacy policy state:
    • Who is collecting the data? YES
    • What data is being collected? YES
    • The legal basis for processing the data? NO
    • How the information is used? YES
    • How long the data is stored for? YES
    • What rights does the individual has? QUESTIONABLE
    • How the individual can raise a complaint? YES

Overall Score: 9/11, 82%

Conclusion: ProPrivacy Analysis

Despite having more than two years to prepare for GDPR, our research suggests that the VPN industry still has some way to go before it can claim to be compliant with the new regulation. There are a number of standout providers that have implemented the policies and processes necessary to ensure compliance.

Private Internet Access, Buffered, Tunnelbear, and Cyberghost should be commended for their proactive approach to GDPR. Their willingness to document their processes and policies fully is a clear indication that they understand the importance of the new legislation and openly have chosen to communicate precisely what these changes mean for their customer base.

Unfortunately, our research suggests that a great many companies have failed to take the necessary measures to ensure compliance out of the gate.

It should be noted that our analysis of privacy policies and notices is just that – an analysis of privacy policies that have been made publicly available. Just because a provider has not explicitly stated a policy does not mean that there is not have one in place.

That said, GDPR guidance clearly states that these policies must be clearly communicated to the data subject. So whether any given policy is in place, by not communicating it within the terms of the site, many providers are failing to meet their obligations to their users.

This is a fluid situation and many companies are still working hard to ensure compliance. We will work with providers and update this page on a regular basis so that ProPrivacy.com readers have the most up-to-date information available.

Update: Comments from the industry

Private Internet Access

Not only is GDPR an important step in protecting the fundamental right to privacy for European citizens, it also raises the bar for data protection, security, and compliance in the industry. We’re proud to provide the highest level of privacy for our customers.

Tunnelbear

The GDPR is an important privacy win for the VPN space. It's going to help customers be more confident in the logging claims of their provider. At TunnelBear, our customers can use a Data Subject Access Request to download, update and delete any of their Personal Data. We've also made this feature available to all of our customers, regardless of where they're located.

ProtonVPN

Users consent as by signing up to our service they agree to our Privacy Policy and Terms of Service. We have separate check boxes to agree on Privacy Policy and Terms of Service. It's important to note that we collect only a limited amount of data during the account creation. We DO NOT ask name, surname, address and any other sensitive personal information. Users got a right to opt out from our mailing lists and also delete account - all is done from their dashboards. We take GDPR very seriously as online privacy is our mission. All users can delete their accounts and data linked with it. When logged in, user can easily access “Delete” button in his account management page.

Appendix: Understanding your rights under GDPR

Right to be informed

The first important part of GDPR is the right to be informed. This part of the regulation makes it a legal requirement for firms and organizations to tell you in advance what personal data is being processed about you and why. GDPR means that there are no nasty surprises later on: all personal data must be taken with your complete foreknowledge.

Personal data

As an individual, GDPR provides the opportunity for you to demand to know what personal data is held on file about you by any business, non-government organization (NGO), or government institution (these are referred to as processors and controllers in the GDPR legislation). This is called the right of access.

So, what constitutes personal data? GDPR classifies personal data as any information about you that allows you to “be directly or indirectly identified.” Examples of personal data include your name, address, identification numbers, and location data or online identifiers such as an IP address.

The new rules mean that companies and organizations can only hold these personal details about you “for specified, explicit and legitimate purposes”. What’s more, they can only hold your data while it is directly needed for the purposes that they acquired it. They cannot process it for any secondary reasons whatsoever.

The rules are strict and if, for example, you give your CV to a company to apply for a job - the firm cannot keep that CV on file just in case another job comes up in the future. This is because that would require storing the data for a secondary reason, which is illegal.

Pseudonymized personal data

GDPR differs from current privacy laws such as the UK’s Data Protection Act 1998 because it includes pseudonymized data within the parameters of the definition of personal data. If pseudonymized data could be used to identify an individual under any circumstances, then it qualifies as personal data.

Special category data

This is the name given by GDPR to sensitive personal information. It is a high-risk subcategory of personal data. It includes genetic data and biometrics, information about religious and political views, sexual orientation, health, race, and other sensitive details. This kind of data is subject to even more rigorous controls.

Right of access

From 25 May, firms should no longer store any of your personal data on file unless it is “necessary” for an ongoing process that you have agreed to. This is where your right of access comes in useful.

As soon as GDPR comes into effect, you can ask any organization to tell you exactly what personal data they have about you. The firm has 30 days to comply with your request.

Right to rectification

Having invoked your right of access, you will be presented with a detailed account of what personal data is held about you on file. The right to rectification allows you to make that firm update any personal data about you that is incorrect. If it is incomplete, you can ask for it to be updated. You can make a rectification request verbally or in writing and it must be processed within 30 days.

Right to erasure

GDPR gives you the right to ask firms or organizations to delete your personal data. This part of GDPR also enshrines the “right to be forgotten,” confirming the legal basis by which individuals can ask search engines like Google to delist search results that are of detriment to the individual.

It is worth noting that the right to erasure is not absolute, so there will be cases when firms or organizations are able to keep your data even if you ask for it to be erased.

With the right to be forgotten, for example, search results may remain available to the general public if is in the public’s best interest to be able to continue to access it. This is the case when past convictions could reasonably affect citizens decision-making process now or in the future.

However, as per the right to be informed, whoever is holding personal data about you will need to explain exactly why it has a compelling legal right to continue processing that data.

Right to restrict processing

In addition to asking for data to be erased, citizens can limit the processing of their data. Sometimes, people may want certain records to be kept on file because of an ongoing legal dispute, for example. In those cases, the individual can ask a firm to hold on to the data for future use, but forbid them from processing it in the meantime.

Right to portability

This allows you to move your personal data from one location to another easily, or between one firm and another. This gives any individual full control over his or her data in a way that gives them ease of access to their own data, without the need to keep providing and duplicating it.

Right to object

This is closely related to the rights to erase and rectify. However, it is useful of its own right because it gives individuals the specific right “to stop their data being used for direct marketing.”

Like the right to erasure, this right is not absolute and controllers or processors of data may be able to prove they have a legitimate right to continue processing your personal data under some circumstances.

Rights relating to automated processing and profiling

Finally, GDPR gives people the right to question the use of automated systems that process their personal data. Consumers must give consent for automated processing to happen unless it is “necessary for the entry into or performance of a contract” or has been “authorized by Union or Member state law applicable to the controller.”

GDPR allows anybody to request human intervention or challenge a decision that is made by an automated system. This ensures that no arbitrary biases or prejudices cannot be challenged.

GDPR rights of individuals - Should you invoke them?

GDPR is an outstanding privacy legislation that massively increases the rights of individuals. The rights above allow anybody to have direct control over the data that firms hold about themselves. If you have any reason to question a controller or processor of your data or have concerns about how your data is being processed you are well within your rights to ask for information.

In the event that you cannot get the data you want from a firm, a complaint should be lodged with the Information Commissioner's Office in the UK and the European Commission within the EU. These are the bodies responsible for enforcing the new legislation.

Written by: Sean McGrath

Sean McGrath is Editor of ProPrivacy.com. An experienced investigative journalist, writer and editor, he has worked for some of the world's best-known IT publications including the ComputerWeekly, PCPro, TechWeekEurope & InformationWeek. He regularly comments on industry matters for the likes of Forbes, Silicon, iTWire, Cyber Defense Magazine & Android Headlines.

0 Comments

There are no comments yet.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service