Return to protonvpn.com Facebook   Twitter   Reddit   ProtonMail

What country is best for VPN privacy?

Posted on January 24th, 2019 by in Privacy & Security.

protonvpn best vpn privacy security country

 

For a VPN to reliably protect user data, it must not only use the most secure encryption and protocols but also shield itself with strong legal protections.

When it comes to VPN services, legal jurisdiction plays an outsized role in the privacy protection that a VPN service can provide. The importance of a VPN’s local privacy laws is due to the fact that unlike end-to-end encrypted services (like ProtonMail), all VPN services have the technical capability to intercept all user traffic. You can find more details about this in our article about VPN threat models, but due to the way the Internet works, there is no way around this. As a result, a VPN’s legal jurisdiction plays a critical role in determining the level of privacy protection that it can provide.

When it comes to assessing what is the best country for a VPN service, the most important factors are the following:

  • Does the country have mandatory data retention laws?
  • Can the VPN provider be legally coerced to intercept or log user data?
  • Can the VPN provider be coerced to log user activity in secret?
  • Is the country party to any surveillance or intelligence sharing agreements?
  • Does the country have strong privacy laws?
  • Does the country have advanced IT infrastructure and a large talent pool?

Outside of setting up a rig in international waters, which comes with its own difficulties (see: Sealand), all VPN companies need to be based in a country, and if the VPN company wants to stay in business, it must adhere to the law. Our analysis found that Switzerland offers privacy-focused VPNs significant advantages over nearly any other legal jurisdiction in the world, which is why both ProtonMail and ProtonVPN are based in Switzerland. Each of these factors is analyzed in detail below:

Mandatory data retention

Like most countries in the world, Switzerland has data retention laws. However, Swiss data retention laws apply mostly to large telecommunication and major Internet service providers. Under current law, ProtonVPN is exempt from any data-retention requirement.

This compares favorably with the rest of Europe. European nations have a history of enforcing strict data retention laws that would adversely affect any VPN privacy. The EU passed the Data Retention Directive (DRD) in 2006 which extended to all members of the European Economic Area, including non-EU countries like Norway, Iceland, and Liechtenstein — but NOT Switzerland. While this directive was annulled by the EU Court of Justice in 2014, many of these countries transposed the DRD regulations into national law, laws that remain in force despite the fact that they go against EU jurisprudence. Furthermore, the EU has not given up on blanket data retention, as shown by recent deliberations in the EU Council.

Another notable country that does not have mandatory data retention is the United States. Many US-based VPN companies cite this fact, but for reasons discussed later, the US is a poor choice for privacy-focused VPN services.

Legally-coerced data retention

When we compare Switzerland and the US key differences appear. The US has dubious practices that can destroy the protections privacy-focused companies offer their users. US government overreach and the lack of due process, as demonstrated in the FBI’s national security letters and the one-sided FISA courts, make it impossible for any US-based VPN service to credibly guarantee their users’ privacy. While data retention is not mandatory in the US, the US government can compel a VPN service to start logging their users’ online activity. Law enforcement does not have this power under Swiss law.

Secret directives

While data retention is generally poor for privacy, what is even worse is data retention without accountability. US national security letters generally come with gag orders, which prevent VPN companies from revealing that they have been forced to start logging their users’ browsing history. European countries have similar laws, such as the UK’s outrageous Investigatory Powers Act (IPA) and Germany’s sealed indictments and gag orders.

Switzerland stands apart in this regard because while secrecy regulations exist, Swiss law has the caveat that authorities must eventually disclose any secret order to the subject under surveillance. Once notified, this individual has the opportunity to file an objection to their surveillance in Swiss courts.

Surveillance networks and agreements

Even if a country has good privacy laws, a nation’s participation in intelligence sharing and surveillance agreements can undermine their enforceability. Countries that are part of the 5 Eyes or 14 Eyes intelligence sharing agreements are susceptible to the “lowest common privacy denominator.” In short, this means that law enforcement and intelligence agencies can exploit the most invasive law enforcement legislation passed by any member country. This is what makes the IPA or Australia’s recent Assistance & Access Bill even more concerning. Switzerland is an excellent choice because it is not part of the 14 Eyes.

Strong legal protections

Switzerland has much more robust legal protections in place than either the US or other European countries. While Switzerland is a party to different international assistance treaties, any surveillance requests that come from a foreign intelligence agency would need to pass the scrutiny of Swiss criminal procedure and data protection laws, a much stricter standard than any other country offers.

Places where strong legal guarantees for personal privacy are not credible, like Russia, China, Hong Kong (part of China), and Turkey to name a few, fail this standard.

Advanced IT infrastructure and talent

While there arguably isn’t much mass surveillance in Afghanistan, Panama, or certain nations in the Caribbean or Africa, these locations are not suitable due to the absence of the rule of law and, more importantly, a lack of advanced IT infrastructure and talent. Securing and operating a VPN service requires a large amount of technical expertise, which is generally only available in more developed economies. Of the countries that are known for privacy, Switzerland is among the most advanced and well-integrated globally.

Bonus Factors

The above factors are why we feel Switzerland is the best country for a VPN service. However, even among VPN services that claim to be based in Switzerland, there are a few extra factors that set us apart.

GDPR Compliance

In 2018, the EU introduced the GDPR, a strict data privacy regulation. Under the GDPR, companies are subject to fines of up to €20 million if they violate any of the core GDPR principles.

Though Switzerland is not a member of the EU, many Swiss companies nevertheless comply with the GDPR because they have users who live in the EU. ProtonVPN is one such company that explicitly adheres to the GDPR. Strict adherence to the GDPR transparency principles means we face a fine of up to €20 million if we violate our stated Privacy Policy, giving our users a concrete reason to trust our Privacy Policy.

Headquarters location

Companies today are more and more international, which means a company’s principal place of business is an essential factor for determining jurisdiction. Even if a VPN company incorporates itself in Switzerland, Switzerland may not be where the bulk of its staff and management work, otherwise known as its “principal place of business.” In such cases, the VPN company will also fall under the jurisdiction of its principal place of business. ProtonVPN is a uniquely Swiss VPN company; we are one of the only VPNs to have Switzerland as our principal place of business. The Swiss jurisdiction of Proton Technologies AG is not in doubt.

Conclusion

While current regulations offer no guarantees about the future, at present, Switzerland is without a doubt the best privacy country for a VPN service when considering all of the relevant factors. For this reason, we are proud to be headquartered in Geneva, Switzerland, and to provide the full privacy protections of Swiss law to all of our users globally. 

Best Regards,
The ProtonVPN Team

You can get a free ProtonVPN account here.

Follow us on social media to stay up to date on the latest ProtonVPN releases:  Twitter Facebook | Reddit

To get a free ProtonMail encrypted email account, visit: protonmail.com

Prior to joining ProtonVPN, Richie spent several years working on tech solutions in the developing world. As a senior editor and writer at Latterly, he covered and commented on international human rights stories. He joined ProtonVPN to advance the rights of online privacy and freedom.

Post Comment

8 comments

  1. Dude

    I am very sorry if it is too much questions about ProtonVPN but I am a Russian (I know, I know, yes it is not okay and yes I want to leave) and I am very worry, a little bit puzzled, the case is the gov’t wants to build the GFW. The gov’t will do a test this month; 2020 is the year when Censorship will be much worse or no Internet at all like it is in North Korea. Every next new law here is worse than the previous one and no end in sight. I want to know how much I can trust the Service today. So, would ProtonVPN by any means comply with a request of Data Disclosure of a Russian citizen from the Russian government and shouldn’t a user get a warning if so from ProtonVPN sonehoe? Does GDPR apply to a Russian and how to be with a strange Russian law that forces to put all Russian Data (anything about a Russian citizen, a name, an IP, anything) inside Russia only? Don’t the two contradict each other and how to be with the logs then (see: SORM)? Is any Russian Data in Switzerland or is in Russia? Will ProtonVPN reject any unlawful request of the Russian officials if they do not follow Swiss laws strictly and how should be a lawful request, though??? Thanks!

  2. ProtonVPN Admin

    As a Swiss company, Swiss law always prevails, even for servers outside of Switzerland.

  3. ProtonUser

    Now all ProtonVPN has to do to make it a THE perfect VPN is to unblock HULU, and Prime Video.

    I also really hope Switzerland does not change their current legislation!

  4. ProtonVPN Admin

    Hello! Actually, we do permit HD streaming of Hulu shows using certain VPN servers located in the US. You can find all the details here: https://protonvpn.com/support/hulu-vpn/.
    Regarding your second inquiry, Amazon is aggressively blocking VPN IPs, but US Plus servers do work in some instances.

  5. Paul

    One thing I have wondered concerning this is if the VPN servers are located in different countries, how can we be sure that the local government can’t make the physical server host insist on data retention, or covert surveillance? Although your company is based in Switzerland, your severs are not. They are probably in a server farm that is owned by someone else who may not have the same legal protections as you do. Or have I misunderstood this?

  6. ProtonVPN Admin

    Hello! We only use dedicated servers in all of our locations, so covert surveillance would only be possible if our servers were somehow hacked, which is unlikely as we are strict about patching and implementing security best practices. That said, surveillance of our servers outside of Switzerland is indeed a risk, and to address that, we offer Secure Core VPN: https://protonvpn.com/support/secure-core-vpn/.

  7. Larry H

    Does this mean that only the Swiss VPN servers get the full protection of law, or are the servers in other countries also protected by the head office in Switzerland?

  8. ProtonVPN Admin

    Hello! Servers may be under the jurisdiction of the country that they are located in. However, we do not keep logs in any of our servers, so there is no personal identifying information on them. As the servers are managed out of Switzerland, Swiss law protects us from being forced to turn on logging in any of our servers. Because we are under Swiss law, we can also refuse requests from any other country.

Leave a Reply

Your email address will not be published. Required fields are marked *

Knowledge base

 

Secure Your Internet Today

Get ProtonVPN