VPN Jurisdiction: 5/9/14 Eyes Explained
Understand the intelligence-sharing alliances (Five Eyes, Nine Eyes, Fourteen Eyes) and how VPN jurisdiction affects your privacy.
Why VPN Jurisdiction Matters
The country where a VPN company is incorporated determines which laws govern its data handling. Some countries require companies to log user data, comply with surveillance orders, or share information with intelligence agencies. Choosing a VPN in a privacy-friendly jurisdiction reduces the risk that your data is compelled by law.
The Eyes Alliances
Five Eyes (FVEY)
The Five Eyes is an intelligence-sharing alliance between:
- United States
- United Kingdom
- Canada
- Australia
- New Zealand
These nations share signals intelligence (SIGINT) extensively. A court order in any Five Eyes country can potentially compel data disclosure, and the shared intelligence means data collected in one country is accessible to all five.
Nine Eyes
The Five Eyes plus:
- Denmark
- France
- Netherlands
- Norway
These countries participate in intelligence sharing but with less integration than the core five.
Fourteen Eyes (SIGINT Seniors Europe)
The Nine Eyes plus:
- Germany
- Belgium
- Italy
- Spain
- Sweden
This broader group cooperates on surveillance to varying degrees.
Jurisdiction Impact on VPNs
| Jurisdiction | Data Retention Laws | VPN Providers |
|---|---|---|
| Panama | No mandatory retention | NordVPN |
| British Virgin Islands | No mandatory retention | ExpressVPN, Surfshark |
| Switzerland | No VPN-specific retention | ProtonVPN |
| Sweden | No mandatory VPN retention | Mullvad |
| Romania | No mandatory retention | CyberGhost |
| USA (Five Eyes) | No mandatory retention but NSLs possible | Private Internet Access |
| UK (Five Eyes) | Investigatory Powers Act 2016 | HideMyAss (owned by Avast) |
Does Jurisdiction Guarantee Privacy?
Jurisdiction is important but not the only factor:
- A VPN in Panama with poor logging practices is worse than one in the US with a verified no-logs policy and independent audits.
- Some providers in Five Eyes countries have proven their no-logs claims in court (PIA has been subpoenaed twice and had no data to provide).
- RAM-only servers, which erase all data on reboot, provide stronger guarantees than jurisdiction alone.
What to Prioritize
- Verified no-logs policy -- Independent audits and court-tested claims matter more than jurisdiction.
- Privacy-friendly jurisdiction -- All else being equal, choose a provider outside the Fourteen Eyes.
- Technical safeguards -- RAM-only servers, open-source clients, and regular security audits.
- Transparency reports -- Providers that publish how many legal requests they receive and how they respond.