PrivadoVPN has finalized its departure from Swiss jurisdiction, updating its Terms of Service to establish Privado Networks ehf. as an Icelandic legal entity headquartered in Garðabær, near Reykjavík. The move, months in the making, is a direct response to Switzerland's proposed expansion of surveillance obligations - and it carries real consequences for how the company can be compelled to handle user data.
Why Switzerland Lost Its Privacy Crown
For much of the digital privacy era, Switzerland occupied a privileged position. Its strong constitutional protections, political neutrality, and relatively restrained approach to intelligence cooperation made it a preferred jurisdiction for privacy-oriented technology companies. VPN providers, encrypted email services, and secure messaging platforms clustered there precisely because Swiss law offered meaningful shelter from the broader European surveillance apparatus.
That shelter began to crack in March 2025, when the Swiss government proposed amendments that would extend mandatory monitoring and data collection obligations to what it termed "derived service providers" - a category broad enough to encompass VPNs alongside social media platforms and messaging applications. The practical effect would have been to force providers operating under Swiss law to log user activity in ways fundamentally incompatible with a credible no-logs policy. For a VPN, that is not a regulatory burden to negotiate around. It is an existential contradiction.
What Iceland Offers That Switzerland No Longer Can
Iceland's appeal is not simply that it lies outside the European Union, though that matters. The decisive factor is how Icelandic law categorizes VPN providers. Under the current Icelandic framework, VPNs are classified as application-layer service providers rather than telecommunications companies. That distinction is consequential: telecommunications operators in most jurisdictions carry mandatory data retention obligations, requiring them to store records of user connections, timestamps, and sometimes metadata for defined periods. Application-layer providers face no such requirement.
PrivadoVPN made this logic explicit when speaking to TechRadar earlier this year, stating that Iceland "treats VPNs as application layer service providers and not Telcos that require data retention and logging." The revised Terms of Service, which replace the previous Zug-registered Privado Networks AG with the newly incorporated Icelandic entity, convert that operational rationale into a legal commitment. Users are no longer relying on a company's stated policy; they are relying on a jurisdiction where the law does not require the data to exist in the first place.
The Revised Terms of Service and What They Signal
The updated Terms of Service document is notably more detailed than the version it replaces. Where the August 2023 edition was relatively concise, the new Icelandic ToS expands significantly to address the bounds of the service, user obligations, and operational parameters with greater precision. Less legal ambiguity is generally good for users - it narrows the interpretive space that can be exploited in disputes or under third-party pressure.
One specific addition worth noting: the updated document explicitly states that the 30-day money-back guarantee may only be claimed once per user. This is a housekeeping measure, not a privacy policy change, but its inclusion in a more formalized document reflects the broader shift toward contractual clarity that accompanies a serious legal restructuring.
PrivadoVPN's service itself has built a credible reputation on a generous free tier - 10GB of monthly data with an active kill switch and unthrottled speeds - while offering paying subscribers unlimited data, up to ten simultaneous connections, and servers across more than 60 countries. Strong unblocking performance for major streaming platforms has added to its appeal. The jurisdiction change does not alter any of that. What it changes is the legal environment in which the company must operate, and the strength of the guarantees it can honestly make.
A Broader Warning About Jurisdictional Stability
The PrivadoVPN case illustrates a wider and underappreciated risk in the privacy technology sector: the legal ground beneath these services shifts. A jurisdiction that offers strong protections today may not offer them in three years. Switzerland's trajectory demonstrates that even historically permissive environments can be reshaped by political pressures, intelligence-sharing agreements, or domestic security debates.
For users who depend on VPNs for genuine privacy - journalists working in sensitive environments, activists, or individuals in countries with aggressive surveillance regimes - the jurisdiction in which a provider is legally incorporated matters as much as the technical architecture of the service itself. A no-logs policy means little if the law can compel logs to be created. PrivadoVPN's move to Iceland is, at its core, an acknowledgment that maintaining credible privacy commitments sometimes requires relocating the legal foundation entirely rather than waiting to see how a regulatory environment evolves.
