What is VPN Jurisdiction?

VPN jurisdiction refers to the country where a VPN provider is legally incorporated, which determines which government's laws, data retention requirements, and court orders the provider must comply with.

In practice, this is the country where the provider is headquartered and legally registered. It matters because governments can serve VPN providers with legal orders (subpoenas, national security letters, court orders) compelling them to produce data or surveil users. The laws that govern those demands depend entirely on where the provider is based.

Why Jurisdiction Matters

A VPN provider legally incorporated in the United States must comply with US law — including FISA court orders, National Security Letters (which come with mandatory gag orders), and court-ordered wiretaps. A provider incorporated in Switzerland must comply with Swiss law — which has strong data privacy protections and limited international cooperation obligations.

This affects what a government can demand from a provider, and what the provider is legally able to disclose to you about those demands.

The Five Eyes and Privacy Alliances

The most widely discussed jurisdictional framework for VPNs is the Five Eyes Alliance — the US, UK, Canada, Australia, and New Zealand — and its expanded versions (Nine Eyes, 14 Eyes). These alliances mean member nations can share intelligence data, including potentially data collected or compelled from technology companies in member countries.

Privacy-focused VPN users often seek providers headquartered outside these alliances.

Notable Jurisdictions for VPN Providers

Outside 14 Eyes (generally preferred for privacy):

  • Panama — No mandatory data retention laws; home to NordVPN
  • British Virgin Islands — UK territory but with its own independent legal system and no data retention laws; home to ExpressVPN
  • Switzerland — Strong constitutional privacy protections; neutral; home to ProtonVPN
  • Romania — EU member with strong court-upheld privacy precedents

Inside 14 Eyes:

  • Sweden — Home to Mullvad; 14 Eyes, but Sweden has a strong rule of law and Mullvad has withstood real server seizures
  • Netherlands — Home to Surfshark; 9 Eyes
  • USA — Home to Private Internet Access; Five Eyes, but PIA has a court-tested no-log record

Jurisdiction vs. No-Log Policy

Jurisdiction and no-log policy work together — and no-log policy often matters more. If a provider stores no data, a legal order produces nothing. PIA operating in the US with no logs has a better real-world track record than a provider in a "good" jurisdiction that quietly logs everything.

The ideal combination: a provider outside the 14 Eyes with a third-party audited no-log policy and RAM-only servers.

Data Retention Laws

Many countries require ISPs and some technology companies to retain user data for specified periods (6 months, 1 year, 2 years). Some VPN providers are specifically structured to fall outside these obligations, through jurisdiction choice, corporate structure, or architectural design. Always verify that a provider is explicitly not subject to local data retention mandates.