Do You Know Your VPN’s Jurisdiction? Your Privacy Depends on It

When shopping for a virtual private network, you probably study things like VPN protocols, price, speeds, streaming capabilities and other features before deciding which one to choose. All of these factors are important to consider when looking for a VPN, but one crucial factor is often overlooked: jurisdiction.
Jurisdiction refers to the country in which the VPN company is officially registered and the laws of the country to which the VPN is subject. Since privacy laws and data retention regulations differ significantly between countries, jurisdiction has major privacy implications for VPN users.
To what extent? I would argue that using a VPN based in a country whose laws require VPNs to log user data is worse for your privacy than using no VPN at all. The same goes if a country’s laws allow local or foreign intelligence agencies to force companies to record and share user data. These are two of the biggest red flags you can find in a VPN service and the main reasons why I’ve always paid close attention to jurisdiction throughout my decade of experience testing and reviewing VPNs.
Jurisdiction is a complex issue that can often be difficult to analyze, but I always make sure that any VPN service I recommend is based in a jurisdiction where it cannot be forced to spy on its users. Unfortunately, there is still a lot of confusion about how local laws do or do not apply to VPN companies and what authority foreign agencies may or may not have over VPNs in other countries.
What really matters for your privacy is making sure the VPN you use is trustworthy, has a regularly audited no-logging policy, and is based in a privacy-friendly jurisdiction with no data retention laws that could force VPNs to log user data. Bonus points if the VPN is open source and its no-logging claims have been tested in the wild.
The number of eyes is not the most important detail
A long-held belief among many online circles is that it is risky to use a VPN based in a 14 Eyes country, which is a group of 14 countries that share surveillance data as part of an intelligence alliance.
But what really matters for your privacy is using a VPN based in a country that doesn’t have mandatory data retention laws that could allow authorities to force VPN companies to record user traffic. The absence of such regulations is what actually allows a VPN to claim a true no-logging policy, and this holds whether the VPN is based in a 14 Eyes country or not.
In other words, the local regulatory landscape has a far greater influence than any Eyes designation in determining whether a VPN is safe to use.
Concrete example: Mullvad, one of the most private VPNs available and one I regularly recommend to users with critical privacy needs, is based in Sweden, one of the 14 Eyes countries. But the Swedish legal framework is such that authorities cannot force VPN companies to record user data. Mullvad answers only to Swedish law, which means that intelligence agencies from another 14 Eyes country (or any other country, for that matter) do not have the authority to intervene and cause Mullvad to record user data.
Additionally, Mullvad is completely open source and operates a no-logging policy that has been audited, providing a high level of transparency and peace of mind as the company does not log user activity on its network. Additionally, Mullvad says it hires lawyers to monitor the legal landscape (in Sweden and abroad) and is prepared to shut down its service if a government becomes legally able to compel the company to spy on its users.
In fact, Mullvad’s policy was put to the test in 2023 when Swedish authorities, acting on a search warrant, raided Mullvad’s offices in Gothenburg to seize customer data on VPN systems. However, the Swedish police left empty-handed because the data did not exist.
Likewise, Windscribe, also based in a 14 Eyes country (Canada), maintains absolute confidentiality and is not subject to laws that would force it to record user data. Windscribe has been tested in the wild several times – once by Greek authorities in 2023, who then abandoned their case in 2025 due to lack of data, and most recently by Dutch authorities, who reportedly seized a Windscribe server in February. The Dutch case is still ongoing as of this writing, but Windscribe CEO Yegor Sak told me that no user data is at risk because there is no user data to transmit.
In many jurisdictions (in or outside the 14 Eyes), authorities may be able to legally approach VPN companies with a warrant, demanding that they hand over existing data related to an active investigation. But if the VPN really doesn’t record customer data, there will be nothing for it to pass on to the authorities.
But in some jurisdictions, such as the United States, authorities can issue a subpoena, warrant, or other legal action including a gag order, which can prevent a VPN company from disclosing the fact that it was asked to start recording user data. Additionally, Wired reported that US lawmakers recently sent a letter to the US intelligence director, seeking confirmation whether VPN users in the US are essentially giving up their constitutional protections against warrantless government surveillance when they connect to a server abroad. If the answer is yes, this could be a major problem if you use a questionable VPN service that collects data on your internet activity or if your VPN may be forced by a legal order to start logging.
However, a reliable VPN that is designed from the ground up for privacy can’t just flip a switch and start logging at any moment. Complying with such an order would require the VPN to change its server code and essentially the entire design of its infrastructure to start recording useful data and storing it permanently – not to mention completely selling out its entire user base in the process.
This is exactly why things like RAM-only servers, open source software, transparency reporting, and regular third-party audits are so important in addition to jurisdiction. A RAM-only server infrastructure helps ensure that no data persists on a hard drive and that all data is completely erased each time a server is shut down or restarted. If a VPN’s applications are open source, its source code is publicly available for anyone to review, meaning any covert logging attempts could be obvious to someone reviewing it.
Transparency reports that detail the number and type of legal requests a VPN receives in a certain time frame (and how the company responded to those requests, if at all) are important for building public trust. And although independent audits do not give the complete picture, they are crucial trust signals that can help validate a VPN’s claims that it doesn’t log and that its infrastructure is properly configured to protect user privacy.
A VPN with a reasonable privacy setup would have a hard time starting to spy on users, even if it could be forced to. But the whole point of a good VPN jurisdiction is that the VPN shouldn’t be able to be forced to do that in the first place.
Where would you want (and wouldn’t want) your VPN to be based
Generally speaking, you’ll need a VPN based in a jurisdiction without mandatory data retention laws, backed by strong data protection frameworks that have the appropriate controls in place to limit government overreach and safeguards from other countries. Some of the best jurisdictions for VPNs include countries like Switzerland (Proton VPN), British Virgin Islands (ExpressVPN), Panama (NordVPN), Sweden (Mullvad), Gibraltar and Romania.
Privacy-focused VPN users should think twice before opting for a US-based VPN due to the risks associated with VPN companies receiving national security letters (which can force a company to turn over records) and gag orders preventing them from speaking out about it.
UK-based VPNs are also risky because the country’s Investigatory Powers Act gives the government the power to weaken encryption, enforce gag orders and force ISPs and potentially VPNs to log user data. Similar laws in Australia also make VPNs based there risky.
VPNs based in countries with severe internet censorship and surveillance should never be considered. For example, any VPN operating in China must be approved by the government and provide authorities with backdoor access to its systems.
Look for VPNs with clear jurisdiction
While many VPNs are incorporated and operate in a single jurisdiction, others may operate from one country but create a legally registered entity in a different jurisdiction. This may be done to gain tax benefits or to ensure that the VPN company is legally registered in a safe jurisdiction, even if it does not physically operate in that country.
Additionally, some VPN parent companies may be headquartered in a completely different country. For example, ExpressVPN’s parent company, Kape Technologies, is a UK-based company, but ExpressVPN is legally based in the British Virgin Islands. ExpressVPN clearly states in its Privacy Policy that it operates in accordance with the laws of the BVI. Likewise, NordVPN’s offices are in Lithuania, but under Panamanian jurisdiction, all data requests “must follow the appropriate legal procedure defined by the laws of the Republic of Panama,” according to the company’s privacy policy.
For this reason, VPN ownership structures and actual jurisdiction can sometimes be difficult to resolve. But trustworthy VPNs all clearly state in which jurisdiction they are legally registered and, therefore, which country’s laws they comply with. This is something CNET specifically looks for when evaluating VPNs. If you come across a provider that doesn’t clearly state ownership or jurisdiction, it’s best to avoid that VPN.
Conclusion
Ultimately, what you want is a VPN that’s designed from the ground up for privacy and based in a country that won’t require it to spy on its users – that’s the real consideration when it comes to jurisdiction.
If privacy is your main concern with a VPN, you can also read about settings to enable for optimal privacy and additional privacy and security tools to bundle with your VPN, or check out CNET’s reviews of Mullvad, ExpressVPN and Proton VPN.


