For a VPN to reliably protect user data, it must not only use the most secure encryption and protocols but also shield itself with strong legal protections.
When it comes to VPN services, legal jurisdiction plays an outsized role in the privacy protection that a VPN service can provide. Local privacy laws matter so much because, unlike end-to-end encrypted services (like ProtonMail), all VPN services have the technical capability to intercept all user traffic. You can find more details about this in our article about VPN threat models, but due to the way the Internet works, there is no way around this. As a result, a VPN’s legal jurisdiction plays a critical role in determining the level of privacy protection that it can provide.
When assessing which country is best for a VPN service, the most important factors are the following:
- Does the country have mandatory data retention laws?
- Can the VPN provider be legally coerced to intercept or log user data?
- Can the VPN provider be coerced to log user activity in secret?
- Is the country party to any surveillance or intelligence sharing agreements?
- Does the country have strong privacy laws?
- Does the country have advanced IT infrastructure and a large talent pool?
Outside of setting up a rig in international waters, which comes with its own difficulties (see: Sealand), all VPN companies need to be based in a country, and if the VPN company wants to stay in business, it must adhere to the law. Our analysis found that Switzerland offers privacy-focused VPNs significant advantages over nearly any other legal jurisdiction in the world, which is why both ProtonMail and ProtonVPN are based in Switzerland. Each of these factors is analyzed in detail below:
Mandatory data retention
Like most countries in the world, Switzerland has data retention laws. However, Swiss data retention laws apply mostly to large telecommunication and major Internet service providers. Under current law, ProtonVPN is exempt from any data-retention requirement.
This compares favorably with the rest of Europe. European nations have a history of enforcing strict data retention laws that would adversely affect any VPN’s privacy. The EU passed the Data Retention Directive (DRD) in 2006, which extended to all members of the European Economic Area, including non-EU countries like Norway, Iceland, and Liechtenstein — but NOT Switzerland. While this directive was annulled by the EU Court of Justice in 2014, many of these countries had transposed the DRD regulations into national law, and those laws remain in force despite the fact that they go against EU jurisprudence. Furthermore, the EU has not given up on blanket data retention, as shown by recent deliberations in the EU Council.
Another notable country that does not have mandatory data retention is the United States. Many US-based VPN companies cite this fact, but for reasons discussed later, the US is a poor choice for privacy-focused VPN services.
Legally-coerced data retention
When we compare Switzerland and the US, key differences appear. The US has dubious practices that can destroy the protections privacy-focused companies offer their users. US government overreach and the lack of due process, as demonstrated in the FBI’s national security letters and the one-sided FISA courts, make it impossible for any US-based VPN service to credibly guarantee its users’ privacy. While data retention is not mandatory in the US, the US government can compel a VPN service to start logging its users’ online activity. Law enforcement does not have this power under Swiss law.
While data retention is generally poor for privacy, what is even worse is data retention without accountability. US national security letters generally come with gag orders, which prevent VPN companies from revealing that they have been forced to start logging their users’ browsing history. European countries have similar laws, such as the UK’s outrageous Investigatory Powers Act (IPA) and Germany’s sealed indictments and gag orders.
Switzerland stands apart in this regard because while secrecy regulations exist, Swiss law has the caveat that authorities must eventually disclose any secret order to the subject under surveillance. Once notified, this individual has the opportunity to file an objection to their surveillance in Swiss courts.
Surveillance networks and agreements
Even if a country has good privacy laws, a nation’s participation in intelligence sharing and surveillance agreements can undermine their enforceability. Countries that are part of the 5 Eyes or 14 Eyes intelligence sharing agreements are susceptible to the “lowest common privacy denominator.” In short, this means that law enforcement and intelligence agencies can exploit the most invasive law enforcement legislation passed by any member country. This is what makes the IPA or Australia’s recent Assistance & Access Bill even more concerning. Switzerland is an excellent choice because it is not part of the 14 Eyes.
Strong legal protections
Switzerland has much more robust legal protections in place than either the US or other European countries. While Switzerland is a party to different international assistance treaties, any surveillance requests that come from a foreign intelligence agency would need to pass the scrutiny of Swiss criminal procedure and data protection laws, a much stricter standard than any other country offers.
Places where strong legal guarantees for personal privacy are not credible, like Russia, China, Hong Kong (part of China), and Turkey, to name a few, fail this standard.
Advanced IT infrastructure and talent
While there arguably isn’t much mass surveillance in Afghanistan, Panama, or certain nations in the Caribbean or Africa, these locations are not suitable due to the absence of the rule of law and, more importantly, a lack of advanced IT infrastructure and talent. Securing and operating a VPN service requires a large amount of technical expertise, which is generally only available in more developed economies. Of the countries that are known for privacy, Switzerland is among the most advanced and well-integrated globally.
The above factors are why we feel Switzerland is the best country for a VPN service. However, even among VPN services that claim to be based in Switzerland, there are a few extra factors that set us apart.
In 2018, the EU introduced the GDPR, a strict data privacy regulation. Under the GDPR, companies are subject to fines of up to €20 million if they violate any of the core GDPR principles.
Companies today are more and more international, which means a company’s principal place of business is an essential factor for determining jurisdiction. Even if a VPN company incorporates itself in Switzerland, Switzerland may not be where the bulk of its staff and management work, otherwise known as its “principal place of business.” In such cases, the VPN company will also fall under the jurisdiction of its principal place of business. ProtonVPN is a uniquely Swiss VPN company; we are one of the only VPNs to have Switzerland as our principal place of business. The Swiss jurisdiction of Proton Technologies AG is not in doubt.
While current regulations offer no guarantees about the future, at present, Switzerland is without a doubt the best privacy country for a VPN service when considering all of the relevant factors. For this reason, we are proud to be headquartered in Geneva, Switzerland, and to provide the full privacy protections of Swiss law to all of our users globally.