VPN Jurisdiction Matters More Than You Think: Where Privacy Laws Actually Protect You
When choosing a VPN, most people focus on speed, price, and the claim that the service doesn’t log user activity. Those factors matter, but there’s a more fundamental question that gets less attention: where is the VPN company legally based, and what does that jurisdiction’s law require them to do with user data?
A “no-log policy” isn’t a technical guarantee—it’s a promise made by a company operating under specific legal obligations. If the law in that company’s jurisdiction requires data retention or allows government agencies to compel logging, your privacy depends on the company’s willingness to resist legal orders. Some jurisdictions make that resistance possible. Others make it impossible.
Why Jurisdiction Matters
VPN companies must comply with the laws of the country where they’re incorporated and where they operate servers. Those laws vary dramatically in their approach to privacy and government surveillance.
Data retention laws: Some countries require ISPs and telecommunications providers to retain customer data for months or years. VPN providers may be classified as ISPs, subjecting them to these requirements.
Mandatory logging orders: Intelligence and law enforcement agencies in some countries can issue secret orders requiring companies to log specific users or all users. Refusal can result in contempt charges or forced closure.
Gag orders: Some legal frameworks prohibit companies from disclosing that they’ve received a logging or surveillance order. This makes it impossible for VPN providers to warn users or be transparent about government requests.
International cooperation treaties: Even if a VPN is based in a privacy-friendly jurisdiction, intelligence-sharing agreements between countries mean that data can be handed to foreign governments through legal channels.
The Five Eyes, Nine Eyes, and Fourteen Eyes
The most commonly cited jurisdictional concern in privacy communities is membership in international surveillance alliances.
Five Eyes: US, UK, Canada, Australia, New Zealand. These countries have extensive intelligence-sharing agreements dating back to World War II. Agencies routinely share signals intelligence (SIGINT), including internet metadata and intercepted communications.
Nine Eyes: The Five Eyes plus Denmark, France, the Netherlands, and Norway.
Fourteen Eyes: The Nine Eyes plus Germany, Belgium, Italy, Spain, and Sweden.
Membership in these alliances means that intelligence collected by one member can be passed to the others with little or no additional legal process, and the sharing arrangements themselves are largely secret. If a VPN based in a Five Eyes country is compelled to log data, that data can end up with the intelligence agencies of the other four.
Does this mean you should automatically avoid VPNs based in these jurisdictions? Not necessarily. But it does mean that a VPN’s ability to resist government requests is weaker in these countries than in non-member jurisdictions with stronger privacy laws.
Jurisdictions with Strong Privacy Protections
Certain countries have legal frameworks that limit government surveillance powers and strengthen companies’ ability to protect user privacy.
Switzerland: Swiss privacy law is among the strongest in the world. Companies are not required to retain user data unless specifically ordered by a court. Intelligence agencies need judicial authorisation for surveillance. ProtonVPN and Perfect Privacy are Swiss-based.
Iceland: Strong constitutional privacy protections and no mandatory data retention laws. Iceland is not part of any major intelligence-sharing alliance. However, it’s a small market, and few major VPN providers are based there.
British Virgin Islands (BVI): Technically a British Overseas Territory, but operates under its own legal system with no mandatory data retention laws. ExpressVPN is BVI-based. The counterargument is that BVI’s legal independence from the UK is not absolute, and extraordinary legal pressure could theoretically flow through UK government channels.
Panama: No data retention requirements, strong privacy laws, and not part of any intelligence alliances. NordVPN is Panama-based. Critics point out that Panama has cooperated with US law enforcement in other contexts (financial crimes, drug trafficking), though there’s no evidence this extends to VPN data.
Romania: EU member, subject to GDPR, but Romanian law doesn’t require data retention for VPN services. CyberGhost is Romanian. Being in the EU means potential exposure to EU law enforcement, but also strong privacy rights under GDPR.
Jurisdictions to Be Cautious About
United States: Extensive surveillance powers under laws like the PATRIOT Act, FISA, and the CLOUD Act. National Security Letters (NSLs) can compel certain customer records from communications providers and prohibit disclosure of the request. The US has no general data retention mandate, so a genuinely no-log US provider holds nothing historical to hand over; the risk is a prospective order to start logging, combined with a gag. US-based VPN providers operate in a hostile legal environment for privacy.
United Kingdom: The Investigatory Powers Act 2016 (the “Snoopers’ Charter”) gives UK intelligence agencies broad surveillance powers, including data retention notices that require providers to keep communications data and technical capability notices that can require providers to change their systems so that they can assist interception, which in practice can mean weakening or removing encryption. Disclosure of these notices can be prohibited.
Australia: The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 lets Australian agencies issue technical assistance requests and notices that compel “designated communications providers” to help with access to encrypted communications. Australia also has a mandatory metadata retention regime for telecommunications providers. The 2018 law is usually discussed in the context of messaging apps, but the definition of a designated provider is broad enough that a VPN provider with an Australian presence could fall within it.
Russia and China: Both countries have enacted laws requiring VPN providers to register with the government, log user activity, and block access to banned websites. Most international VPN providers have withdrawn from these markets rather than comply. Any VPN provider still operating legally in Russia or China is logging data.
The Limits of Jurisdiction Protection
It’s important to understand that a favourable jurisdiction doesn’t guarantee privacy. A VPN company’s operational security, internal policies, and technical architecture matter more than jurisdiction alone.
A VPN incorporated in Switzerland that logs all user activity and stores it on servers in a Five Eyes country isn’t meaningfully more private than a US-based VPN with a genuine no-log policy. Jurisdiction sets the legal baseline, but company practices determine actual privacy. Ownership matters too: the entity named in the privacy policy may be a subsidiary of a parent company based or listed in a different country, and policy decisions and legal pressure can reach the subsidiary through the parent.
Additionally, VPN servers are physically located in countries around the world, including many with surveillance-friendly laws. If you connect to a VPN server in the UK, that server is subject to UK legal jurisdiction regardless of where the VPN company is incorporated. In practice, this means server seizure or monitoring is possible. What a seized server yields depends on how it was built: a server that keeps no persistent logs, runs from RAM with no disk, and holds only short-lived per-server keys gives an investigator little to recover after the fact. Live monitoring is a different matter. The VPN server is where the tunnel is decrypted, so anyone who controls it while you are connected can see your real IP address and the destinations you reach; only end-to-end protection such as TLS limits what they can read of the content.
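The check a practitioner wants after reading the paragraph above is whether the country a VPN server actually exits from matches the country the provider advertises, and how that country differs from the one the company is incorporated in. The following Python is an added example, not code from the original article or from any VPN provider. It parses an RDAP “ip network” record (the RFC 9083 JSON format the regional registries serve) and pulls out the registry’s country code, the network name and the registrant, then lists the jurisdiction mismatches worth asking the provider about. The record below is constructed for the example using documentation address space; `fetch_rdap` uses the public rdap.org redirector and is only needed if you run it online against your real exit address. Two caveats the code itself encodes: ARIN records often carry no `country` field, and a registry country is where the address block is registered, not proof of where the machine sits (some providers advertise “virtual locations” served from elsewhere), so treat a mismatch as a question for the provider rather than a verdict.

```python
"""Compare a VPN exit address's registry country with the provider's claims.

Added example; not the article's or any provider's code. The sample RDAP
record is constructed (203.0.113.0/24 is documentation space).
"""
import ipaddress
import json
import urllib.request


def _vcard_field(vcard_array, name):
    """Return the value of the first vCard property called `name`, or None."""
    if not vcard_array or len(vcard_array) < 2:
        return None
    for prop in vcard_array[1]:
        if prop[0] == name:
            return prop[3]
    return None


def summarize_rdap(record):
    """Reduce an RDAP 'ip network' object to the fields relevant to jurisdiction.

    'country' is the registry's allocation country (RIPE sets it, ARIN often
    does not), so it may be None; the registrant's postal address is the next
    best hint. Neither proves where the machine physically sits.
    """
    registrant = None
    registrant_country = None
    for ent in record.get("entities", []):
        if "registrant" in ent.get("roles", []):
            vcard = ent.get("vcardArray")
            registrant = _vcard_field(vcard, "fn")
            adr = _vcard_field(vcard, "adr")
            # vCard 'adr' is a 7-part structured value; the last part is the country.
            if isinstance(adr, list) and len(adr) == 7 and adr[6]:
                registrant_country = adr[6]
            break
    return {
        "country": record.get("country"),
        "netname": record.get("name"),
        "registrant": registrant,
        "registrant_country": registrant_country,
    }


def jurisdiction_mismatch(exit_country, advertised_country, incorporated_country):
    """List the mismatches a user should raise with the provider.

    Country codes are ISO 3166 alpha-2 and compared case-insensitively.
    A missing exit country is reported rather than silently treated as a match.
    """
    issues = []
    adv = advertised_country.upper()
    inc = incorporated_country.upper()
    if exit_country is None:
        issues.append("registry record carries no country; verify by other means")
    elif exit_country.upper() != adv:
        issues.append(f"exit {exit_country.upper()} != advertised {adv}")
    if adv != inc:
        issues.append(f"server law {adv} != company law {inc}")
    return issues


def fetch_rdap(ip):
    """Online lookup via the rdap.org redirector; not used by the sample run."""
    ipaddress.ip_address(ip)  # reject anything that is not an IP literal
    with urllib.request.urlopen(f"https://rdap.org/ip/{ip}", timeout=10) as resp:
        return json.load(resp)


# Constructed sample shaped like a RIPE RDAP response; not a real allocation.
SAMPLE_RECORD = {
    "objectClassName": "ip network",
    "handle": "203.0.113.0 - 203.0.113.255",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "ipVersion": "v4",
    "name": "EXAMPLE-VPN-LON",
    "type": "ASSIGNED PA",
    "country": "GB",
    "entities": [{
        "objectClassName": "entity",
        "handle": "EXVPN-RIPE",
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example Hosting Ltd"],
            ["adr", {}, "text",
             ["", "", "1 Example Street", "London", "", "EC1A 1AA", "United Kingdom"]],
        ]],
    }],
}

if __name__ == "__main__":
    summary = summarize_rdap(SAMPLE_RECORD)
    print(summary)
    # A Swiss-incorporated provider advertising a London server:
    for issue in jurisdiction_mismatch(summary["country"], "GB", "CH"):
        print("-", issue)
```

Run against your own exit address by replacing `SAMPLE_RECORD` with `fetch_rdap(ip)` while connected to the VPN, where `ip` is the public address a site such as the registry’s own “my IP” page reports for you. A `server law GB != company law CH` result is the normal case the article describes and is not itself a problem; an `exit X != advertised Y` result is the one to query.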
What to Look For
When evaluating a VPN based on jurisdiction:
Check where the company is incorporated, and who owns it. Incorporation is usually disclosed on the company’s website or in its privacy policy; ownership may only appear in a press release or a regulatory filing. Be wary of companies that obscure their legal jurisdiction or their parent company.
Look for independent audits. Several reputable VPN providers have commissioned third-party audits of their no-log claims and infrastructure. These audits (from firms like Cure53 or Deloitte) provide more assurance than the company’s word alone, but read the scope and date: an audit covers the systems examined at the time of the engagement, not every server or every later change.
Review transparency reports. Some VPNs publish regular reports on government data requests and how they responded. A history of refusing invalid requests and challenging legal orders is a positive signal.
Understand the threat model. If you’re trying to hide casual browsing from your ISP, jurisdiction is less critical. If you’re a journalist working in a country with state-level surveillance, jurisdiction matters enormously, and you may need a VPN incorporated in a privacy-friendly jurisdiction with servers hosted in neutral countries.
Consider decentralised alternatives. Tor routes traffic through relays run by independent volunteers in many countries, and no single relay sees both who you are and where you are going, so there is no one company or jurisdiction that can be compelled to log the whole path. This makes it resistant to jurisdiction-based compulsion, though Tor has other trade-offs (speed, usability, and exit relays that can still observe unencrypted traffic).
Practical Recommendations
For most users, a VPN based in Switzerland, Panama, or the BVI, with a public no-log policy and third-party audits, provides strong privacy. Examples: ProtonVPN (Switzerland), NordVPN (Panama), ExpressVPN (BVI).
Avoid VPNs based in Russia, China, or countries with explicit data retention mandates. Treat US, UK, and Australian-based VPNs with more scrutiny—they can provide acceptable privacy for low-risk use cases, but they’re not ideal for high-privacy-threat scenarios.
Jurisdiction isn’t everything, but it’s not nothing. Combine a privacy-friendly jurisdiction with strong technical architecture, audited no-log claims, and transparent operational practices. That combination provides the best defence against surveillance.