A VPN is an online subscription service that is designed to provide users with increased digital privacy. It does this in two ways - by concealing the user’s location (IP address) and by securely encrypting all their data.
Many people don't realise that where a VPN provider is headquartered can have a huge impact on the level of privacy the provider can actually offer. The best jurisdictions for VPN providers are locations where the government does not enforce any mandatory data retention. In addition, it is much safer for a VPN to be based in a country that has strong data protection laws.
While there are a number of locations that are considered “best for VPNs to be based” (and we will discuss these later), it is actually better to begin by looking at the places where it is worst for a VPN to be based. This is because understanding what is bad about those places sheds a lot of light on why certain places are better.
5-EYES nations. Five Eyes (FVEY) is a surveillance agreement between the US, the UK, Canada, Australia, and New Zealand. All five countries have signed the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence. It is the most comprehensive espionage alliance in the world. Also troubling, most FVEY nations have at least some level of mandatory data retention, as well as warrants (and even gag orders) that permit intelligence agencies to put tech firms (like VPNs) under pressure to hand over logs about their users.
9-EYES nations. This is an extension of FVEY that adds France, Denmark, the Netherlands and Norway into the signals intelligence agreement. While the four additional 9-EYES nations are not considered as problematic as FVEY, they can be considered strongly aligned with the invasive practices of the other nations.
14-EYES nations. This is the third and final extension of the FVEY surveillance treaty. It adds Belgium, Germany, Italy, Spain, and Sweden to the list of countries that should be regarded with suspicion when it comes to data privacy.
The European Union. Countries that are members of the European Union are sometimes considered less favorable for privacy. This is especially true if the country applies the 2006 EU Data Retention Directive (DRD), which is now defunct but enshrined in most EU countries' local laws, against VPN providers. EU states that have closer ties to 14-EYES nations most likely cooperate with FVEY, and almost all perform some level of covert surveillance. Despite this, there are some EU countries that are known to outshine the rest when it comes to privacy (more on these later on).
Countries with mandatory data retention laws. Mandatory data retention laws force ISPs (and sometimes other tech firms) to retain detailed logs of all the traffic that passes through their servers. Many EU nations have mandatory data retention laws that directly apply to VPNs as well as ISPs.
Warrants and gag orders. Countries without mandatory data retention laws that apply directly to VPNs (such as the US) often enforce “gag orders.” A gag order stops a firm from disclosing to the public that it has begun retaining logs on behalf of the government. Even a zero-logs VPN could be compromised within a nation with warrants and gag orders, and subscribers would never know.
What are the best VPN jurisdictions?
Of all the known jurisdictions where VPNs are based, there are a few that stand out as “the best”. These locations are considered better for VPNs to be based for any one of a number of reasons:
Better privacy laws
Fewer ties to Western governments and FVEY/14-EYES
Less economically able to devote money to large-scale surveillance
Here is a list of our favorite jurisdictions, with reasons why they are generally preferred:
Hong Kong. Despite its proximity to China and historical ties to the UK, Hong Kong now profits from economic and political independence. It also has strong privacy laws that make it a great location for a VPN to be based.
Romania. Although it is a member of the EU, Romania is not a 14-EYES country. It does not enforce Mandatory Data Retention or the EU’s DRD (for ISPs or VPNs). This makes it one of the few European locations that are considered safe for VPN firms to be based.
Bulgaria. This is another country that does not enforce Mandatory Data Retention laws or the EU’s DRD against tech firms (including VPNs). Bulgaria also remains outside of the 14-EYES treaty.
Singapore. Despite having a lot of censorship, Singapore is a capitalist Mecca that is generally regarded as a tech-haven. It has strong data privacy laws that protect both businesses and individuals’ data. It is a good place for a VPN firm to be based because the government tends to leave international tech firms alone.
Panama. This country has no mandatory data retention laws, which is why it is believed to be good for privacy. However, its strong political ties to the US could allow it to be pressured by the US government. It is still better than a FVEY or 14-EYES country.
The British Virgin Islands. The BVI regulates its own internal affairs and has no mandatory data retention laws. However, since it lies under the jurisdiction and sovereignty of the UK government, it seems reasonable to assume that the UK could put pressure on the BVI government and businesses. So (and this is something of a guess, as the legal situation is very murky) being based in the BVI is thought to be safer than being based in a 14-EYES nation.
The Netherlands. This country has traditionally been considered strong for data privacy. Many privacy-oriented firms are based in this country, including Startpage, the privacy-focused search engine endorsed by Edward Snowden. Sadly, the Netherlands is trying to pass new mass surveillance laws. For the time being, the legislation remains in limbo following a referendum that rejected the invasive new policies. The Netherlands is a member of 14-EYES.
Sweden. Although Sweden does have mandatory data retention laws, DRD is never enforced against VPNs. This makes Sweden one of the few countries considered to be safe for a VPN to be based. However, it does perform surveillance and is a member of 14-EYES.
When selecting a VPN provider, it is important to consider where that VPN is based. If a VPN is based in a FVEY, 9-EYES, or 14-EYES country, then it is essential that it have a zero-logs VPN policy. However, even this may not be enough to protect your data, especially if that country also enforces warrants and gag orders. On the whole, you should stay away from VPNs in FVEY, 9-EYES and 14-EYES countries if you value privacy, because it is possible that they have been compromised by intelligence agencies.
At the end of the day, it all boils down to your threat model. If you need a VPN to protect your data from your ISP and your local network administrator, or to protect you on public WiFi, it might not be of great concern to you where the VPN is based.
In this guide, we have highlighted some places that are thought to be ideal for a VPN to be based. However, it is worth remembering that individual VPN servers around the world will fall under the jurisdiction of their physical location.