VPN Jurisdiction: Where's best place for a VPN to be based?

A VPN is an online subscription service that is designed to provide users with increased digital privacy. It does this in two ways - by concealing the user’s location (IP address) and by securely encrypting all their data.

VPN Jurisdiction map

Many people don't realise that where a VPN provider is headquartered can have a huge impact on the level of privacy the provider can actually offer. The best jurisdictions for VPN providers are locations where the government does not enforce any mandatory data retention. In addition, it is much safer for a VPN to be based in a country that has strong data protection laws.

While there are a number of locations that are considered "best for VPNs to be based” (and we will discuss these later), it is actually better to begin by looking at the places where it is worst for a VPN to be based. This is because understanding what is bad about those places sheds a lot of light on why certain places are better.

5-EYES nations

The Five Eyes (FVEY) is a surveillance agreement between the USA, the UK Canada, Australia, and New Zealand. All five countries have signed the multilateral UK - USA Agreement, a treaty for joint cooperation in signals intelligence. It is the most comprehensive espionage alliance in the world. Also troubling, most FVEY nations have at least some level of mandatory data retention, warrants - and even gag orders - that permit intelligence agencies to put tech firms (like VPNs) under pressure to hand over logs about their users.

9-EYES nations

This is an extension of FVEY that adds France, Denmark, the Netherlands and Norway into the signals intelligence agreement. While the extra four 9-Eye nations are not considered as problematic as FVEY, they can be considered strongly aligned with the invasive practices of the other nations.

14-EYES nations

This is the third and final extension of the FVEY surveillance treaty. It adds Belgium, Germany, Italy, Spain, and Sweden to the list of countries that should be regarded with suspicion when it comes to data privacy.

The European Union

Countries that are members of the European Union are sometimes considered less favorable for privacy. This is especially true if the country implements the 2006 EU DRD directive (now defunct, but enshrined in most EU countries local laws) against VPN providers. EU states that have closer ties to 14 Eyes nations, most likely cooperate with FVEY, and almost all perform some level of covert surveillance. Despite this, there are some EU countries that are known to outshine the rest when it comes to privacy (more on these later on).

Countries with mandatory data retention laws.

Mandatory data retention laws force ISPs (and sometimes other tech firms) to retain detailed logs of all the traffic that passes through their servers. Many EU nations have mandatory data retention laws that directly apply to VPNs as well as ISPs.

Warrants and gag orders.

Countries without mandatory data retention laws that apply directly to VPNs (such as the US) often enforce "gag orders.” A gag order stops a firm from disclosing to the public that it has begun retaining logs on behalf of the government. Even a zero-logs VPN could be compromised within a nation with warrants and gag orders, and subscribers would never know.

What are the best VPN jurisdictions?

Of all the known jurisdictions where VPNs are based, there are a few that stand out as "the best”. These locations are considered better for VPNs to be based for any one of a number of reasons: 

  • Better privacy laws
  • Fewer ties to Western governments and FVEY/14-EYES
  • Less economically able to devote money to large-scale surveillance

Here is a list of our favorite jurisdictions, with reasons why they are generally preferred:

Hong Kong

Despite its proximity to China and historical ties to the UK, Hong Kong now profits from economic and political independence. It also has strong privacy laws that make it a great location for a VPN to be based.

Romania.

Although it is a member of the EU, Romania is not a 14-EYES country. It does not enforce Mandatory Data Retention or the EU’s DRD (for ISPs or VPNs). This makes it one of the few European locations that are considered safe for VPN firms to be based.

Bulgaria

This is another country that does not enforce Mandatory Data Retention laws or the EU’s DRD against tech firms (including VPNs). Bulgaria also remains outside of the 14-EYES treaty.

Singapore

Despite having a lot of censorship, Singapore is a capitalist Mecca that is generally regarded as a tech-haven. It has strong data privacy laws that protect both businesses and individuals’ data. It is a good place for a VPN firm to be based because the government tends to leave international tech firms alone. Check out our Singapore VPN page for more details on services with servers in the country.

Panama

This country has no mandatory data retention laws, which is why it is believed to be good for privacy. However, its strong political ties to the US could allow it to be pressured by the US government. Better than a FVEY or 14-EYES country.

The British Virgin Islands

The BVI regulates its own internal affairs and has no mandatory data retention laws. However, since it lies under the jurisdiction and sovereignty of the UK government, it seems reasonable to assume that the UK could put pressure on the BVI government and businesses. So (and this is something of a guess, as the legal situation is very murky) being based in the BVI is thought to be safer than being based in a 14-EYES nation.

The Netherlands

This country has traditionally been considered strong for data privacy. Many privacy oriented firms are based in this country, including Start Page, the privacy-focused search engine endorsed by Edward Snowden. Sadly, the Netherlands is trying to pass new mass surveillance laws. For the time being, it remains in limbo following a referendum that rejected the invasive new policies. A member of 14-EYES.

Sweden

Although Sweden does have mandatory data retention laws, DRD is never enforced against VPNs. This makes Sweden one of the few countries considered to be safe for a VPN to be based. However, it does perform surveillance and is a member of 14-EYES.

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

10 Comments

Anonymous
on January 4, 2020
Reply
what about Norway?
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small.png
Douglas Crawford replied to Anonymous
on January 6, 2020
Reply
Hi Anomymous. Please see the Norway entry in our World Privacy Report
Foster
on December 27, 2019
Reply
Doesn’t Singapore have mandatory data retention laws?
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small.png
Douglas Crawford replied to Foster
on January 2, 2020
Reply
Hi Foster. As far as we can determine, no. Although ISPs are required to take “all reasonable steps” to filter content deemed “undesirable, harmful, or obscene.”
0xBAD
on August 1, 2019
Reply
With regards to Switzerland, there have been some developments on this front. See this blog post: https://protonmail.com/blog/swiss-surveillance-law/
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small.png
Douglas Crawford replied to 0xBAD
on August 2, 2019
Reply
Hi 0xBAD, That article is dated 2015...
Lee
on November 15, 2018
Reply
Do the data retention laws apply to where a VPN providers servers are located or just to where the company is actually physically located?
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small.png
douglas replied to Lee
on November 19, 2018
Reply
Hi Lee, Data retention laws usually only apply in the jurisdiction a VPN provider is based, although they may also apply to the server center. But server centers log a lot less information that may compromise the privacy of VPN users than a VPN can. Please 5 Best No Logs VPNs for an in-depth discussion on this issue (proprivacy.com/vpn-comparison/best-no-logs-vpns/).
Show More Got Something to Say?

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

Large brand with very good value, and a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service