For a VPN to reliably protect user data, it must not only use the most secure encryption and protocols but also shield itself with strong legal protections.
When it comes to VPN services, legal jurisdiction plays an outsized role in the privacy protection that a VPN service can provide. The importance of a VPN’s local privacy laws is due to the fact that unlike end-to-end encrypted services (like Proton Mail), all VPN services have the technical capability to intercept all user traffic. You can find more details about this in our article about VPN threat models, but due to the way the Internet works, there is no way around this. As a result, a VPN’s legal jurisdiction plays a critical role in determining the level of privacy protection that it can provide.
When it comes to assessing what is the best country for a VPN service, the most important factors are the following:
- Does the country have mandatory data retention laws?
- Can the VPN provider be legally coerced to intercept or log user data?
- Can the VPN provider be coerced to log user activity in secret?
- Is the country party to any surveillance or intelligence sharing agreements?
- Does the country have strong privacy laws?
- Does the country have advanced IT infrastructure and a large talent pool?
Outside of setting up a rig in international waters, which comes with its own difficulties (see: Sealand), all VPN companies need to be based in a country, and if the VPN company wants to stay in business, it must adhere to the law. Our analysis found that Switzerland offers privacy-focused VPNs significant advantages over nearly any other legal jurisdiction in the world, which is why both Proton Mail and Proton VPN are based in Switzerland. Each of these factors is analyzed in detail below:
Mandatory data retention
Like most countries in the world, Switzerland has data retention laws. However, Swiss data retention laws apply mostly to large telecommunication and major Internet service providers. Under current law, Proton VPN is exempt from any data-retention requirement.
This compares favorably with the rest of Europe. European nations have a history of enforcing strict data retention laws that would adversely affect any VPN privacy. The EU passed the Data Retention Directive (DRD) in 2006 which extended to all members of the European Economic Area, including non-EU countries like Norway, Iceland, and Liechtenstein — but NOT Switzerland. While this directive was annulled by the EU Court of Justice in 2014, many of these countries transposed the DRD regulations into national law, laws that remain in force despite the fact that they go against EU jurisprudence. Furthermore, the EU has not given up on blanket data retention, as shown by recent deliberations in the EU Council.
Another notable country that does not have mandatory data retention is the United States. Many US-based VPN companies cite this fact, but for reasons discussed later, the US is a poor choice for privacy-focused VPN services.
Legally-coerced data retention
When we compare Switzerland and the US, key differences appear. The US has dubious practices that can destroy the protections privacy-focused companies offer their users. US government overreach and the lack of due process, as demonstrated in the FBI’s national security letters and the one-sided FISA courts, make it impossible for any US-based VPN service to credibly guarantee their users’ privacy. While data retention is not mandatory in the US, the US government can compel a VPN service to start logging their users’ online activity. Law enforcement does not have this power under Swiss law.
While data retention is generally poor for privacy, what is even worse is data retention without accountability. US national security letters generally come with gag orders, which prevent VPN companies from revealing that they have been forced to start logging their users’ browsing history. European countries have similar laws, such as the UK’s outrageous Investigatory Powers Act (IPA) and Germany’s sealed indictments and gag orders.
Switzerland stands apart in this regard because while secrecy regulations exist, Swiss law has the caveat that authorities must eventually disclose any secret order to the subject under surveillance. Once notified, this individual has the opportunity to file an objection to their surveillance in Swiss courts.
Surveillance networks and agreements
Even if a country has good privacy laws, a nation’s participation in intelligence sharing and surveillance agreements can undermine their enforceability. Countries that are part of the 5 Eyes or 14 Eyes intelligence sharing agreements are susceptible to the “lowest common privacy denominator.” In short, this means that law enforcement and intelligence agencies can exploit the most invasive law enforcement legislation passed by any member country. This is what makes the IPA or Australia’s recent Assistance & Access Bill even more concerning. Switzerland is an excellent choice because it is not part of the 14 Eyes.
Strong legal protections
Switzerland has much more robust legal protections in place than either the US or other European countries. While Switzerland is a party to different international assistance treaties, any surveillance requests that come from a foreign intelligence agency would need to pass the scrutiny of Swiss criminal procedure and data protection laws, a much stricter standard than any other country offers.
Places where strong legal guarantees for personal privacy are not credible, like Russia, China, Hong Kong (part of China), and Turkey to name a few, fail this standard.
Advanced IT infrastructure and talent
While there arguably isn’t much mass surveillance in Afghanistan, Panama, or certain nations in the Caribbean or Africa, these locations are not suitable due to the absence of the rule of law and, more importantly, a lack of advanced IT infrastructure and talent. Securing and operating a VPN service requires a large amount of technical expertise, which is generally only available in more developed economies. Of the countries that are known for privacy, Switzerland is among the most advanced and well-integrated globally.
The above factors are why we feel Switzerland is the best country for a VPN service. However, even among VPN services that claim to be based in Switzerland, there are a few extra factors that set us apart.
In 2018, the EU introduced the GDPR, a strict data privacy regulation. Under the GDPR, companies are subject to fines of up to €20 million if they violate any of the core GDPR principles.
Companies today are more and more international, which means a company’s principal place of business is an essential factor for determining jurisdiction. Even if a VPN company incorporates itself in Switzerland, Switzerland may not be where the bulk of its staff and management work, otherwise known as its “principal place of business.” In such cases, the VPN company will also fall under the jurisdiction of its principal place of business. Proton VPN is a uniquely Swiss VPN company; we are one of the only VPNs to have Switzerland as our principal place of business. The Swiss jurisdiction of Proton AG is not in doubt.
While current regulations offer no guarantees about the future, at present, Switzerland is without a doubt the best privacy country for a VPN service when considering all of the relevant factors. For this reason, we are proud to be headquartered in Geneva, Switzerland, and to provide the full privacy protections of Swiss law to all of our users globally.
The Proton VPN Team
Is there any information that’s kept or shared by Proton or any other 3rd parties?
And if yes, what kind of information?
You write that Switzerland is not part of the 14 Eyes.
Can you explain how MLAT law works for you?
I am very sorry if it is too many questions about ProtonVPN but I am a Russian (I know, I know, yes it is not okay and yes I want to leave) and I am very worried, a little bit puzzled, the case is the gov’t wants to build the GFW. The gov’t will do a test this month; 2020 is the year when Censorship will be much worse or no Internet at all like it is in North Korea. Every next new law here is worse than the previous one and no end in sight. I want to know how much I can trust the Service today. So, would ProtonVPN by any means comply with a request of Data Disclosure of a Russian citizen from the Russian government and shouldn’t a user get a warning if so from ProtonVPN somehow? Does GDPR apply to a Russian and how to be with a strange Russian law that forces to put all Russian Data (anything about a Russian citizen, a name, an IP, anything) inside Russia only? Don’t the two contradict each other and how to be with the logs then (see: SORM)? Is any Russian Data in Switzerland or is in Russia? Will ProtonVPN reject any unlawful request of the Russian officials if they do not follow Swiss laws strictly and how should be a lawful request, though??? Thanks!
As a Swiss company, Swiss law always prevails, even for servers outside of Switzerland.
Now all ProtonVPN has to do to make it THE perfect VPN is to unblock HULU and Prime Video.
I also really hope Switzerland does not change their current legislation!
Hello! Actually, we do permit HD streaming of Hulu shows using certain VPN servers located in the US. You can find all the details here: https://protonvpn.com/support/hulu-vpn/.
Regarding your second inquiry, Amazon is aggressively blocking VPN IPs, but US Plus servers do work in some instances.
One thing I have wondered concerning this is if the VPN servers are located in different countries, how can we be sure that the local government can’t make the physical server host insist on data retention, or covert surveillance? Although your company is based in Switzerland, your servers are not. They are probably in a server farm that is owned by someone else who may not have the same legal protections as you do. Or have I misunderstood this?
Hello! We only use dedicated servers in all of our locations, so covert surveillance would only be possible if our servers were somehow hacked, which is unlikely as we are strict about patching and implementing security best practices. That said, surveillance of our servers outside of Switzerland is indeed a risk, and to address that, we offer Secure Core VPN: https://protonvpn.com/support/secure-core-vpn/.
Does this mean that only the Swiss VPN servers get the full protection of law, or are the servers in other countries also protected by the head office in Switzerland?
Hello! Servers may be under the jurisdiction of the country that they are located in. However, we do not keep logs in any of our servers, so there is no personal identifying information on them. As the servers are managed out of Switzerland, Swiss law protects us from being forced to turn on logging in any of our servers. Because we are under Swiss law, we can also refuse requests from any other country.