PrivadoVPN has finalized its departure from Switzerland, updating its Terms of Service to establish Privado Networks ehf. as a legally incorporated entity in Garðabær, Iceland - a move that severs all formal ties with the Swiss jurisdiction the provider had operated under for years. The transition, first signaled in January 2025, is now a binding legal reality, driven by a specific and consequential shift in Swiss surveillance law that threatened to undermine the privacy protections VPN users rely on. For anyone who cares about where their data can and cannot be compelled to go, the distinction matters enormously.
Why Switzerland Lost Its Privacy Crown
For a long time, Switzerland occupied a privileged position in the privacy conversation. Its independence from European Union law, combined with a legal tradition of strong data protection and financial secrecy, made it a natural home for privacy-oriented technology companies. VPN providers marketed their Swiss jurisdiction as a feature in its own right - a shorthand for "we are beyond the reach of surveillance mandates."
That reputation cracked in March 2025, when the Swiss government put forward proposed amendments to its surveillance laws that would extend data retention and monitoring obligations to a newly defined category of "derived service providers." Critically, this category would encompass VPNs alongside messaging applications and social media platforms - entities that had previously operated outside the scope of telecommunications regulation. Had those amendments taken effect, VPN providers registered in Switzerland would have faced legally enforceable obligations to collect and retain user data, directly contradicting the core product they sell.
PrivadoVPN read the situation clearly and began its exit well before the proposals hardened into law. That kind of anticipatory legal repositioning is rare in the industry, where many providers respond to regulatory change after the fact rather than before it.
Iceland's Legal Architecture Offers Structural Protection
The choice of Iceland was not arbitrary. Under Icelandic law, VPN providers are classified as application-layer service providers - a category that sits entirely outside the telecommunications framework. This classification carries a precise and protective consequence: mandatory data retention laws, which apply to telecoms operators, simply do not apply to companies operating in that application-layer category. PrivadoVPN cannot be compelled to log connection data it is not legally required to collect in the first place.
Iceland is also a member of the European Economic Area but not the European Union, which gives it a particular legal position - it adopts much of the EU's single market framework while retaining the ability to diverge on specific legislative matters. Importantly, Iceland has a strong domestic tradition of press freedom and digital rights advocacy, and its data protection authority operates under GDPR-equivalent standards without being subject to every EU directive automatically. For a privacy-focused technology company, that combination of strong baseline protections and structural exemption from telecom-style regulation is a considered and defensible choice.
What the Updated Terms of Service Actually Change
The revised Terms of Service replace the old document in full. The former Swiss entity, Privado Networks AG, registered in Zug, is now superseded by Privado Networks ehf., headquartered in Garðabær, near Reykjavík. Beyond the jurisdictional shift, the new document is substantially more detailed than the August 2023 version it replaces. It lays out explicit operational guidelines, clarifies the boundaries of the service, and reduces the legal ambiguity that shorter, simpler terms inevitably leave open.
One notable addition: the Terms now explicitly state that the 30-day money-back guarantee may be used only once per user. This kind of specific consumer-facing clarification, while minor in isolation, reflects a more mature and precisely drafted legal document overall - one written with less room for interpretation disputes.
For existing and prospective users, the practical implication is straightforward. PrivadoVPN's no-logging claims are now backed not just by policy statements but by a legal environment in which logging obligations do not exist. A provider cannot be ordered to hand over data it has no legal duty to possess.
The Broader Shift in VPN Jurisdiction Strategy
PrivadoVPN's move reflects a wider pattern emerging across the privacy technology sector. As established "safe haven" jurisdictions come under regulatory pressure - Switzerland being only the most recent example - providers are being forced to assess not just where they are incorporated today, but where the legal ground is shifting beneath them. A jurisdiction that offered genuine protection five years ago may not offer the same protection in five years' time.
Iceland joins a small group of countries - alongside Panama, the British Virgin Islands, and the Seychelles - that privacy-focused VPN providers have identified as structurally favorable. What distinguishes Iceland from some of those alternatives is the combination of robust rule-of-law institutions, EU-standard data protection norms, and a specific legislative framework that categorically excludes VPNs from telecom-style obligations. It is a narrower and more legally grounded basis for a privacy claim than offshore incorporation in a jurisdiction chosen primarily for its regulatory absence.
For users who treat VPN jurisdiction as a meaningful criterion - and those who understand the technical and legal mechanics have good reason to - PrivadoVPN's completed transition represents a concrete, verifiable commitment rather than a marketing position. The Terms of Service are now Icelandic law's problem to enforce, and Icelandic law, as it currently stands, offers no mechanism to compel what PrivadoVPN has structured itself not to collect.
