Do you know your VPN's jurisdiction? Your privacy depends on it


When shopping for a virtual private network, maybe you're looking at things like VPN protocols, price, speeds, streaming capabilities and other features before you decide which one you want to use. These are all important factors to consider when looking for a VPN, but one crucial consideration is often overlooked: jurisdiction.

Jurisdiction refers to the country in which the VPN company is officially registered and the laws of the country to which the VPN is subject. Because privacy laws and data retention regulations vary greatly from country to country, jurisdiction has significant privacy implications for VPN users.

How big? I would say that using a VPN based in a country whose laws require VPNs to log user data is worse for your privacy than not using a VPN at all. Same thing if a country’s laws allow domestic or foreign intelligence agencies to force companies to record and share user data. These are two of the biggest red flags you can find in a VPN service and big reasons why I’ve always paid close attention to jurisdiction throughout my decade of experience testing and reviewing VPNs.

Jurisdiction is a complex issue that is often difficult to parse, but I always make sure that any VPN service I recommend is located in a jurisdiction where it cannot be forced to spy on its users. Unfortunately, there is still a lot of confusion about how local laws do or do not apply to VPN companies and what authority foreign agencies may or may not have over VPNs in other countries.

What really matters for your privacy is making sure that the VPN you use is trustworthy, with a no-logs policy that is regularly audited, and based in a privacy-friendly jurisdiction with no data retention laws that might force VPNs to log user data. Bonus points if the VPN is open source and the no-log claims have been actually tested.

The number of eyes is not the most important detail

There is a long-standing belief in many online circles that it is dangerous to use a virtual private network (VPN) based in a 14 Eyes country, one of a group of 14 countries that share surveillance data as part of an intelligence alliance.

But what actually matters for your privacy is using a VPN based in a country that doesn't have mandatory data retention laws, which can allow authorities to force VPN companies to log user traffic. The lack of such regulations is what really allows a VPN to claim a genuine no-logs policy. This is true whether the VPN is located in one of the 14 Eyes countries or not.

In other words, the local regulatory landscape has much more influence than any set of eyes in determining whether a VPN is safe to use.

Example: Mullvad, one of the most private VPNs available and one I regularly recommend to users with significant privacy needs, is based in Sweden, one of the 14 Eyes countries. But the legal framework in Sweden is such that the authorities are unable to force VPN companies to log user data. Mullvad answers to Swedish law and Swedish law only, which means that intelligence agencies from another 14 Eyes country (or any other country, for that matter) do not have the ability to intervene and make Mullvad record user data.

Mullvad is completely open source and has a no-logs policy that has been audited, providing a high level of transparency and peace of mind that the company does not log user activity on its network. Furthermore, Mullvad says it is using lawyers to monitor the legal landscape (in Sweden and abroad) and is prepared to shut down its service if the government becomes legally able to force the company to spy on its users.

In fact, Mullvad's policies were tested in 2023 when Swedish authorities, acting on a search warrant, raided Mullvad's offices in Gothenburg to seize customer data on VPN systems. But the Swedish police left empty-handed because the data wasn't there.

Similarly, Windscribe, also based in one of the 14 Eyes countries (Canada), maintains complete privacy and is not subject to laws that force it to record user data. Windscribe has been tested several times in the wild: once by Greek authorities in 2023, who later dropped their case in 2025 due to lack of data, and more recently by Dutch authorities, who reportedly took over a Windscribe server in February. The Dutch case is still ongoing as of this writing, but Windscribe CEO Yegor Sak told me that there is no user data at risk because there is no user data to hand over.

In many jurisdictions (within or outside 14 Eyes), authorities may be able to legally approach VPN companies with a warrant and demand that they hand over existing data related to an active investigation. But if the VPN doesn't actually record customer data, it has nothing useful to hand over to the authorities.

But in some jurisdictions, such as the United States, authorities can issue a subpoena, injunction or other legal action, including a gag order, which can prevent a VPN company from disclosing the fact that it has been asked to start logging user data. In addition, Wired reported that US lawmakers recently sent a letter to the US intelligence director, demanding confirmation of whether VPN users in the US are essentially waiving their constitutional protections from warrantless government surveillance when connecting to a server abroad. If so, this could be a big problem if you are using a shady VPN service that collects data about your online activity or if your VPN could be forced by legal order to start recording.

However, a trustworthy VPN built from the ground up for privacy can't just flip a switch and start logging from one minute to the next. Complying with such an order would require a VPN to modify its server code and essentially redesign its entire infrastructure to start logging and permanently storing useful data, not to mention selling out its entire user base in the process.

This is exactly why things like RAM-only servers, open source software, transparency reports, regular third-party audits, and jurisdiction are so important. The RAM-only server infrastructure helps ensure that no data remains on the hard drive and that all data is completely erased when the server is shut down or restarted. If VPN apps are open source, their source code is publicly available for anyone to examine, meaning any attempt at secret logging may be obvious to someone reviewing it.

Transparency reports detailing the number and type of legal requests a VPN receives in a given time frame (and how the company responds to the requests, if at all) are important in building public trust. Although independent audits do not paint the full picture, they are important trust signals that can help validate a VPN's claims that it does not log and that its infrastructure is properly set up to protect user privacy.

A VPN with reasonable privacy settings will have a hard time starting to spy on users, even if it has to do so. But the point of a good VPN is that it shouldn’t be able to.

Where you want (and don’t want) your VPN to be based

In general, you will want a VPN based in a jurisdiction without mandatory data retention laws, supported instead by robust data protection frameworks that have appropriate controls in place to limit government overreach and safeguards against requests from other countries. Some of the best jurisdictions for VPNs include countries like Switzerland (Proton VPN), British Virgin Islands (ExpressVPN), Panama (NordVPN), Sweden (Mullvad), Gibraltar and Romania.

Privacy-focused VPN users should think twice before using a US-based VPN due to the risks associated with VPN companies receiving national security letters (which could force the company to hand over logs) and gag orders preventing them from talking about it.

UK-based VPNs are also risky since the country's Investigatory Powers Act gives the government the power to weaken encryption, impose gag orders, and force ISPs and possibly VPNs to log user data. Similar laws in Australia make VPNs based there risky too.

VPNs located in countries with heavy internet censorship should never be considered. For example, any VPN that operates in China must be approved by the government and provide authorities with backdoor access to its systems.

Look for VPNs with clear jurisdiction

While many VPNs are incorporated and operate in one jurisdiction, others may operate out of one country but create a legally registered entity in a different jurisdiction. This may be done to gain tax advantages or to ensure that the VPN company is legally registered in a safe jurisdiction, even if it does not physically operate in that country.

Also, some VPN parent companies may be headquartered in a completely different country. For example, ExpressVPN's parent company, Kape Technologies, is a UK-based company, but ExpressVPN has its legal headquarters in the British Virgin Islands. ExpressVPN explains in its privacy policy that it operates in accordance with the laws of the British Virgin Islands. Likewise, NordVPN's offices are located in Lithuania, but under its jurisdiction in Panama, all data requests "must follow appropriate legal procedures established under the laws of the Republic of Panama," according to the company's privacy policy.

Because of all this, it can sometimes be difficult to untangle VPN ownership and actual jurisdiction structures. But trustworthy VPNs all make it clear which jurisdiction they are legally registered in and, therefore, which country's laws they answer to. It's something CNET specifically looks for when evaluating VPNs. If you come across a provider that does not clarify its ownership or jurisdiction, it is best to avoid that VPN.

Bottom line

Ultimately, what you want is a VPN built for privacy from the ground up and based in a country that won't force it to spy on its users. That's the real consideration when it comes to jurisdiction.

If privacy is your main consideration with a VPN, you can also read about settings to enable for optimal privacy and additional privacy and security tools to bundle with your VPN, or check out CNET's reviews for Mullvad, ExpressVPN and Proton VPN.


