You’ve probably seen “outside Five Eyes jurisdiction” used as a selling point by privacy tools. Most people skip past it. They shouldn’t. It’s one of the most important phrases in the privacy space and almost nobody explains what it actually means.
Here’s the full picture.
The Short Version
Five Eyes is an intelligence-sharing alliance between five English-speaking governments: the United States, the United Kingdom, Canada, Australia, and New Zealand. They share signals intelligence — intercepted communications, surveillance data, metadata — with each other freely and routinely.
Why does that matter to you? Because if a company operates in any of those five countries, that government can compel them to hand over your data. And then share it with the other four.
How It Started
Five Eyes grew out of a World War II signals intelligence partnership between the US and UK. It was formalized in the UKUSA Agreement in 1946 and remained classified until 2010. The arrangement was simple: we share everything we collect. You share everything you collect. No duplicating effort, maximum coverage.
Over the decades it expanded — first to Canada, Australia, and New Zealand (the Five Eyes), then loosely to Nine Eyes (add France, Denmark, Netherlands, Norway) and Fourteen Eyes (add Germany, Belgium, Italy, Spain, Sweden). The further out you go, the less formal the sharing arrangement, but the principle holds: these governments talk to each other.
What They Actually Do
The most concrete exposure came from Edward Snowden in 2013. The documents he released showed the NSA running PRISM — a program pulling data directly from Microsoft, Google, Apple, Facebook, Yahoo, and others. Legally compelled, secretly operated, broadly scoped.
The UK’s GCHQ ran TEMPORA — tapping fiber optic cables and storing everything passing through them for 30 days. The kind of dragnet that doesn’t target individuals. It targets everyone and sorts later.
The intelligence agencies don’t just collect on foreigners. They collect on their own citizens too — and use the alliance to route around domestic legal restrictions. The NSA can’t legally spy on Americans without a warrant. But GCHQ can spy on Americans freely and share it with the NSA. The alliance is, among other things, a legal laundering mechanism.
Why Jurisdiction Matters for Privacy Tools
When you use a VPN, email provider, or cloud service, you’re trusting that company with your data. The question is: under what legal framework does that company operate?
A company based in the US can be served a National Security Letter — a secret subpoena with a built-in gag order. They can’t tell you it happened. They can’t tell their lawyers it happened. They hand over your data and go back to running their business.
A company based in Switzerland operates under Swiss law. Swiss law requires a Swiss court order, a formal legal process, and in many cases notification to the target. It’s not impossible to get your data — but it’s expensive, slow, and visible.
A company based in Iceland operates under Icelandic law, outside Five Eyes, with strong constitutional protections for privacy and free speech. Same deal — not impenetrable, but an entirely different legal obstacle course.
This is why Mullvad is in Sweden. Why Proton is in Switzerland. Why serious infrastructure people care about where their VPS is hosted. Jurisdiction is a layer of protection. Not a guarantee — but a real, meaningful friction point.
The Limits of Jurisdiction Shopping
Jurisdiction matters but it isn’t magic. A few things to keep straight:
If you’re logged into Google from a Mullvad VPN, Google still has your data. The VPN doesn’t help with that.
End-to-end encryption is stronger than jurisdiction. If the provider can’t read your data, a court order doesn’t matter much — there’s nothing useful to hand over. Proton’s encrypted email is more valuable than the Swiss jurisdiction. The jurisdiction just adds another layer.
No jurisdiction protects you if you give your data away voluntarily. Privacy tools don’t fix behavior.
The Practical Takeaway
When you’re evaluating a privacy tool, ask two questions:
Where is it based? If the answer is US, UK, Canada, Australia, or New Zealand — that company can be secretly compelled to hand over your data and prohibited from telling you.
Can they read your data? If the answer is yes — jurisdiction matters a lot. If the answer is no, provably, with open-source audited code — jurisdiction matters less.
The best tools are outside Five Eyes AND can’t read your data. That’s the combination worth paying for.