Why the 14 Eyes alliance keeps coming up in privacy discussions

The “5 Eyes,” “9 Eyes,” and “14 Eyes” intelligence sharing arrangements come up frequently in privacy-tool discussions. The terms are often used loosely. Understanding what they actually are helps you evaluate the privacy claims of services that emphasize their jurisdictional positioning.

What these alliances actually are

The 5 Eyes is a formal intelligence sharing arrangement between the United States, United Kingdom, Canada, Australia, and New Zealand. The arrangement traces back to the UKUSA Agreement of 1946, originally focused on signals intelligence cooperation during the early Cold War. The 5 Eyes share intelligence on a routine basis through formal mechanisms.

The 9 Eyes adds Denmark, France, Netherlands, and Norway to the 5 Eyes core. The cooperation is less formalized than the 5 Eyes but real.

The 14 Eyes adds Germany, Belgium, Italy, Spain, and Sweden to the 9 Eyes. Even less formalized but documented cooperation on specific intelligence matters.

These groupings became widely known through Edward Snowden’s 2013 disclosures about NSA and Five Eyes surveillance programs.

What this means for VPN providers

VPN providers headquartered in 14 Eyes countries are subject to those countries’ legal disclosure mechanisms. Subpoenas and court orders can compel data production. Intelligence sharing between 14 Eyes members means that data produced under one country’s legal process may be shared with the others.

For VPN providers, this matters because:

A US-headquartered VPN provider can be compelled by US legal process to log and disclose user data, even if the company’s stated policy is to not log.

A UK-headquartered VPN provider faces similar UK legal pressures, with intelligence sharing implications.

A German VPN provider operates under German law, which has both strong privacy protections and specific surveillance powers.

A Swiss VPN provider operates outside the 14 Eyes (Switzerland is not party to these arrangements). Swiss law includes specific user-protective provisions.

A Panama-headquartered VPN provider is outside any of these arrangements; Panama has no mandatory data retention for VPN providers.

Why privacy-conscious users care

Several reasons:

The 14 Eyes arrangements mean that data collected under one country’s legal process can flow to other member countries. Privacy depends on the weakest member of the chain.

Countries within the 14 Eyes have generally cooperated with intelligence sharing requests. Privacy protections that exist on paper may not function in practice when intelligence sharing is involved.

Countries outside the 14 Eyes (Switzerland, Iceland, Panama, Romania, etc.) have specific legal protections that 14 Eyes countries do not.

For users with specific threat models involving state-level adversaries, 14 Eyes membership is a real consideration.

Why privacy-conscious users sometimes overstate this

The 14 Eyes framing can be misleading in several ways:

Membership matters less than specific legal regime. A Swedish VPN provider (14 Eyes) operates under Swedish law, which has stronger privacy protections than US law. Within the 14 Eyes, the legal regimes vary substantially.

Intelligence cooperation does not equal automatic data sharing. The 14 Eyes arrangements cover specific kinds of intelligence cooperation, not blanket data sharing.

Many privacy concerns are about commercial entities, not state actors. For users worried about commercial data collection, jurisdictional arrangements are less relevant than the company’s actual data practices.

Outside-14-Eyes jurisdictions are not magically private. Russia, China, and various other non-14-Eyes countries have their own surveillance regimes, often more aggressive than 14 Eyes countries.

What this means for picking a VPN

For most users, jurisdiction matters less than the marketing implies. The realistic threats are:

ISP-level monitoring (any reputable VPN protects against this regardless of jurisdiction).

Geographic content blocking (any VPN with appropriate server locations works).

Casual government tracking (any VPN with audited no-logs claim is reasonably resistant).

For these realistic threats, a VPN’s no-logs design and audit history matter more than its jurisdiction.

Jurisdiction matters more for:

Targeted state-level surveillance (rare but real for journalists, activists, dissidents).

Specific compliance requirements where data residency matters.

Long-term threat modeling against motivated adversaries.

For these scenarios, jurisdiction is one consideration among several.

Specific country-by-country notes

For a VPN provider’s legal regime context:

Switzerland (ProtonVPN, Threema): outside 14 Eyes, strong constitutional privacy protections, has cooperated with specific Swiss legal processes (the 2021 climate activist case where Proton complied with a Swiss court order).

Sweden (Mullvad): in the 14 Eyes (added in the Nine Eyes expansion), but Swedish law restricts mandatory data retention, and Mullvad’s design minimizes what they have to disclose.

Germany (Tutanota, Mailbox.org, Posteo): in the 14 Eyes, has specific legal regime around BÜPF-equivalent surveillance, GDPR provides user protections.

Iceland (1984 Hosting): outside 14 Eyes, generally favorable jurisdiction for privacy.

Panama (NordVPN): outside 14 Eyes, no mandatory data retention.

British Virgin Islands (formerly ExpressVPN, now under Kape Technologies): outside 14 Eyes formal structure but has cooperated with UK legal processes.

Netherlands (StartMail): in the 14 Eyes, but Dutch privacy law is generally user-protective.

Romania (CyberGhost, before Kape acquisition): outside 14 Eyes, no mandatory data retention.

For most users, the practical difference between Swiss, Swedish, German, and Panamanian jurisdictions is small. For users with specific threat models, the differences may matter more.

A specific recommendation

For users considering jurisdiction as one factor among many: prefer Switzerland, Sweden, Iceland, or Panama. All are reasonable.

For users for whom jurisdiction is the dominant criterion: Switzerland (for ProtonVPN) or Iceland (for 1984 Hosting) are the strongest options.

For users who specifically distrust 14 Eyes: Mullvad is in the 14 Eyes but their design choices make this matter less than the technical no-logs implementation.

For users who want to overweight non-14-Eyes jurisdictions: ProtonVPN (Switzerland), 1984 Hosting (Iceland), Njalla (multiple non-14-Eyes), Mullvad (Sweden but with design that minimizes data exposure).

The 14 Eyes framing matters but not as much as some privacy-tools content suggests. Audit history, no-logs design, and corporate alignment matter more than country of incorporation for most realistic threats.

Mullvad | ProtonVPN | Njalla

Related: Why I keep recommending Mullvad, ProtonVPN editorial, VPN ownership map 2026