When shopping for a virtual private network, you’re probably looking into things like VPN protocols, price, speeds, streaming capabilities and other features before deciding which one to go with. All are important factors to consider when looking for a VPN, but one crucial consideration often gets overlooked: jurisdiction.

Jurisdiction refers to the country where the VPN company is officially registered and to which country’s laws the VPN is beholden. Because privacy laws and data retention regulations differ greatly from one country to the next, jurisdiction has major privacy implications for VPN users. 

How major? I’d say using a VPN based in a country whose laws require VPNs to log user data is worse for your privacy than using no VPN at all. Same thing if a country’s laws allow local or foreign intelligence agencies to compel companies to log and share user data. Those are two of the biggest red flags you can find in a VPN service and big reasons why I’ve always paid close attention to jurisdiction throughout my decade-plus of experience testing and reviewing VPNs. 

Jurisdiction is a complex issue that can often be difficult to dissect, but I always make sure that any VPN service I recommend is based in a jurisdiction where it can’t be forced to spy on its users. Unfortunately, there’s still a lot of confusion about how local laws do or do not apply to VPN companies and what authority foreign agencies may or may not have over VPNs in other countries.

What really matters for your privacy is making sure the VPN you’re using is trustworthy, with a regularly audited no-logs policy, and is based in a privacy-friendly jurisdiction with no data retention laws that could force VPNs to log user data. Bonus points if the VPN is open-source and its no-logs claims have been tested in the wild.

The number of Eyes isn’t the most important detail

A long-held belief among many in online circles is that it’s risky to use a VPN based in a 14 Eyes country, which is a group of 14 countries that share surveillance data under an intelligence alliance.

But what actually matters for your privacy is using a VPN based in a country that doesn’t have mandatory data retention laws that could allow authorities to compel VPN companies to log user traffic. The lack of such regulations is what really allows a VPN to claim a genuine no-logs policy and is true whether the VPN is based in a 14 Eyes country or not. 

In other words, the local regulatory landscape has a much greater influence than any Eyes designation in dictating whether a VPN is safe to use. 

Case in point: Mullvad, one of the most private VPNs available and one that I regularly recommend for users with critical privacy needs, is based in Sweden, one of the 14 Eyes countries. But the legal framework in Sweden is such that authorities are unable to compel VPN companies to log user data. Mullvad answers to Swedish law and Swedish law only, meaning that intelligence agencies from another 14 Eyes country (or any other country, for that matter) have no power to jump in and make Mullvad log user data. 

Also, Mullvad is fully open-source and has a no-logs policy that has been audited, offering a high level of transparency and peace of mind that the company isn’t logging user activity on its network. Further, Mullvad says that it retains lawyers to monitor the legal landscape (in Sweden and abroad) and is prepared to shut down its service if a government becomes legally able to compel the company to spy on its users.

In fact, Mullvad’s policies were put to the test in 2023 when Swedish authorities, acting on a search warrant, raided Mullvad’s offices in Gothenburg to seize customer data on the VPN’s systems. However, the Swedish police left empty handed because the data did not exist.

Similarly, Windscribe, also based in a 14 Eyes country (Canada), maintains air-tight privacy and isn’t subject to laws that would force them to log user data. Windscribe has been tested a few times in the wild — once by Greek authorities in 2023, who later dropped their case in 2025 due to lack of data, and more recently by Dutch authorities, who reportedly seized a Windscribe server in February. The Dutch case is still ongoing as of this writing, but Windscribe CEO Yegor Sak told me that no user data is at risk because there is no user data to hand over.

In many jurisdictions (in or out of the 14 Eyes), authorities may be able to legally approach VPN companies with a warrant, demanding they hand over existing data related to an active investigation. But if the VPN is truly not logging customer data, it won’t have anything of use to hand over to authorities. 

But in certain jurisdictions, like in the United States, authorities can issue a subpoena, warrant or other legal action that includes a gag order, which can prevent a VPN company from disclosing the fact it has been told to start logging user data. Additionally, Wired reported that United States lawmakers recently sent a letter to the US director of intelligence, asking for confirmation on whether VPN users in the US are essentially waiving their constitutional protections from warrantless government surveillance when connecting to a server overseas. If the answer is yes, that could be a major issue if you’re using a shady VPN service that’s collecting data on your internet activity or if your VPN can be compelled by a legal order to start logging.

However, a trustworthy VPN that’s built from the ground up for privacy can’t just flip a switch and start logging from one minute to the next. Complying with such an order would require that VPN to modify its server code and essentially its entire infrastructure design to start recording useful data and storing it permanently — not to mention totally selling out its entire user base in the process.

This is exactly why things like RAM-only servers, open source software, transparency reports and regular third-party audits are so important in addition to jurisdiction. A RAM-only server infrastructure helps ensure that no data persists on a hard drive and that all data is completely wiped whenever a server is shut down or rebooted. If a VPN’s apps are open source, its source code is publicly available for anyone to scrutinize, meaning that any attempt at secret logging could be apparent to someone reviewing it. 

Transparency reports that detail the number and type of legal requests a VPN receives in a certain timeframe (and how the company responded to the requests, if at all) are important in building public trust. And although independent audits don’t paint the full picture, they’re crucial trust signals that can help validate a VPN’s claims that they’re not logging and that their infrastructure is properly set up to protect user privacy. 

A VPN with a reasonable privacy setup would struggle to start spying on users, even if it could be compelled to do so. But the point of good VPN jurisdiction is that it shouldn’t be able to.

Where would (and wouldn’t) you want your VPN to be based

Generally speaking, you’ll want a VPN that’s based in a jurisdiction without mandatory data retention laws, supported instead by strong data protection frameworks that have the proper checks in place to limit government overreach and warrants from other countries. Some of the best jurisdictions for VPNs to be in include countries like Switzerland (Proton VPN), British Virgin Islands (ExpressVPN), Panama (NordVPN), Sweden (Mullvad), Gibraltar and Romania. 

Privacy-focused VPN users should think twice about going with a VPN based in the US due to the risks associated with VPN companies being served national security letters (which can compel a company to hand over records) and gag orders preventing them from talking about it.

VPNs based in the UK are also risky because the country’s Investigatory Powers Act gives the government the authority to weaken encryption, enforce gag orders and compel ISPs and potentially VPNs to log user data. Similar laws in Australia make VPNs based there risky as well.

VPNs based in countries with heavy internet censorship and surveillance should never be considered. For example, any VPN operating in China needs to be government-approved and provide authorities with backdoor access to its systems.   

Look for VPNs with clear jurisdiction

While many VPNs are incorporated and operate in a single jurisdiction, others may operate out of one country but set up a legally registered entity in a different jurisdiction. This may be done for tax benefits or to ensure that the VPN company is legally registered in a safe jurisdiction, even if it doesn’t operate physically in that country. 

Also, some VPN parent companies may be headquartered in an entirely different country. For instance, ExpressVPN’s parent company, Kape Technologies, is a UK-based company, but ExpressVPN is legally based out of the British Virgin Islands. ExpressVPN makes clear in its privacy policy that it operates in accordance with BVI laws. Similarly, NordVPN’s offices are in Lithuania, but under its Panamanian jurisdiction, all data requests “must follow the appropriate legal process set out under the laws of the Republic of Panama,” according to the company’s privacy policy.

Because of all of this, VPN ownership structures and actual jurisdiction can sometimes be a tough nut to crack. But trustworthy VPNs all make it clear what jurisdiction they are legally registered in and, therefore, what country’s laws they answer to. It’s something CNET specifically looks for when evaluating VPNs. If you come across a provider that doesn’t make its ownership or jurisdiction clear, it’s best to avoid that VPN. 

Bottom line

Ultimately, what you want is a VPN that’s built for privacy from the ground up and is based in a country that won’t force it to spy on its users — that’s the real consideration when it comes to jurisdiction.

If privacy is your main consideration with a VPN, you can also read up on the settings to enable for optimal privacy and additional privacy and security tools to bundle with your VPN, or check out CNET’s reviews of Mullvad, ExpressVPN and Proton VPN.