VPN Jurisdiction and the 14 Eyes
Where a VPN company is legally incorporated determines which government's laws it must comply with - Including demands to hand over user data. Intelligence-sharing alliances like the 5 Eyes, 9 Eyes, and 14 Eyes extend this reach across national borders.
The Intelligence-Sharing Alliances
| Alliance | Member Countries | Risk for VPN Users |
|---|---|---|
| 5 Eyes | USA, UK, Canada, Australia, New Zealand | Highest - Most comprehensive SIGINT sharing; legal compulsion orders common |
| 9 Eyes | 5 Eyes + France, Denmark, Netherlands, Norway | High - Extended sharing agreements |
| 14 Eyes | 9 Eyes + Germany, Belgium, Italy, Sweden, Spain | Elevated - Broader cooperation, varies by country |
| Outside alliances | Panama, BVI, Switzerland, Romania, Seychelles, Iceland | Lower - No treaty obligation to share; still subject to mutual legal assistance requests |
Jurisdiction of Popular VPN Providers
| Provider | Jurisdiction | Alliance | Notable Legal Events |
|---|---|---|---|
| NordVPN | Panama | Outside | Server seized in Finland (2018) - No logs recovered |
| ExpressVPN | British Virgin Islands | Outside | Turkish authorities sought data (2017) - Nothing recoverable |
| Mullvad | Sweden | 14 Eyes | Office raided (2023) - Police left empty-handed; no logs existed |
| ProtonVPN | Switzerland | Outside | MLAT requests received; Switzerland requires court order |
| Surfshark | Netherlands | 9 Eyes | No reported incidents |
| Private Internet Access | United States | 5 Eyes | Subpoenaed twice - Logs confirmed non-existent in court |
| CyberGhost | Romania | Outside | No reported government data requests fulfilled |
| IPVanish | United States | 5 Eyes | Handed user logs to DHS in 2016 under previous ownership |
Does Jurisdiction Really Matter?
Jurisdiction matters, but it is not the only factor. A provider in Panama with terrible operational security is more dangerous than one in a 14 Eyes country with a fully audited, technically enforced no-logs policy. Consider both:
- Legal jurisdiction - What laws apply and what courts can compel
- Technical implementation - Does the infrastructure make logging impossible, not just disallowed?
- Independent audit - Has a third party verified the no-logs claim?
- Ownership - Is the company owned by a larger group with entities in 5 Eyes countries?
For logging policy details, see VPN Logging Policies Explained. For the full comparison, see VPN Comparison 2026.