In case you received countless emails about updated or new privacy policies from companies you never heard off, you’re not alone. May 25, 2018 was the deadline for the implementation of European Union’s General Data Protection Regulation (GDPR).
The new privacy regulation has left numerous online businesses and tech companies scrambling to update their privacy policies and terms of service. Failure to adhere to GDPR rules will result in strict consequences, with penalties amounting up to €20 million or 4% of worldwide annual revenues.
The VPN industry is infamous for lack of transparency, with numerous cases involving misuse of user’s data and recording information without their consent. However, with GDPR in place, we have much needed regulations to safeguard users’ privacy, protect their personal data, and granting them control over their information.
This brings us to our research. We analyzed the privacy policies of different VPN providers and checked whether the services met GDPR requirements. Our results revealed that 46 out 83 VPN providers failed to comply with GDPR.
*Disclaimer: we do not intend to slander any VPN service. The aim of our research is to highlight VPN services that comply with GDPR. We will be reaching out to VPN providers that do not meet GDPR requirements and get their response.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Providers that explained their policy based on these eight points passed our testing, while those that did not mention or explained these eight points came up short. In addition, we used a web archive tool called Wayback Machine to see the difference in privacy policies prior to the introduction of GDPR. The reason for checking previous versions of privacy policies was to show how the VPN provider has improved its transparency and incorporated GDPR elements.
Which VPN Providers Met GDPR Requirements?
1. NordVPN – GDPR Compliant
It clearly displays the information it takes from its subscribers and what data it collects when a user uses the VPN service. Likewise, it offers a detailed look at how is this data processed after collection.
Previously, there was no such option and NordVPN would store customer service data for six months. We also came across new sections, such as Review and changes of your information and its stance on processing data about children.
2. ExpressVPN – GDPR Compliant
That said, the provider met with some of the requirements of GDPR. It offers all the details about the data it collects and uses, which logs it stores and the type of cookies it uses. However, some questions remained unanswered, such as the duration for which it keeps users data and what are user’s rights as per GDPR.
Other than that, ExpressVPN complies with GDPR. Users can rest assured that their privacy will not be invaded at any cost. Likewise, users have control over the information gathered by ExpressVPN, as it will seek their consent before handling any personal information.
3. VyprVPN – GDPR Compliant
4. PureVPN – GDPR Compliant
Another interesting finding we uncovered from our research was that PureVPN has reworked its entire legal structure. It worked continuously for last six months with a team of legal experts and engineers to become as transparent as possible.
5. CyberGhost – GDPR Compliant
6. IPVanish – GDPR Compliant
7. ProtonVPN – GDPR Compliant
8. Windscribe – Does not comply with GDPR
9. TunnelBear – GDPR Compliant
10. ZenMate VPN – GDPR Compliant
ZenMate VPN made a name in the industry as a free web browser extension, but it still needs to maintain a top-notch privacy standard. Fortunately, it complies with GDPR and provides in-depth detail based on the eight rights of individuals.
11. HideIPVPN- Does not comply with GDPR
Our GDPR compliant VPN analysis indicates that HideIPVPN does not follow the above-mentioned users’ right. However, it only fulfills the first right of the user. According to its official claim, HideIPVPN does not sell its users’ data.
12. Buffered VPN – GDPR Compliant
Our review suggests that Buffered VPN has taken all the required steps to become one of the best GDPR compliant VPN services. The service has concisely created an exclusive FAQ section that covers all the queries related to users’ rights given by GDPR.
In order to become an efficient GDPR compliant service, Buffered has changed its internal processes. Likewise, it has altered its policies in accordance with GDPR. Thus, the provider can process all the users’ data according to GDPR requirements.
Furthermore, the provider has clearly described all the principles related to personal data processing in detail. Hence, users can assume how much transparent Buffered VPN has become when it comes to complying with GDPR regulations.
We contacted Buffered and asked for their official verdict about GDPR. We were glad to note that Buffered VPN has started processing its users’ personal data under strict and legal conditions. Moreover, it has also taken steps to protect the users’ data from different online threats.
In addition, Buffered VPN has changed its policies and procedures within the organization to become GDPR compliant VPN.
13. GooseVPN – Does not comply with GDPR Regulations
Our analysis indicates that the provider needs to work in accordance with GDPR compliance as soon as possible. Otherwise, GooseVPN may face the music in form of hefty fines and other penalties. Likewise, the service would not be able to get the attention of new users in coming future.
14. OVPN – Does not comply with GDPR
The provider does not offer a live chat support feature. Therefore, we were unable to get the official response of OVPN about GDPR. However, we expect that OVPN will take all the necessary measures to secure itself from GDPR fines and other penalties.
15. AceVPN – Does not comply with GDPR
Unfortunately, AceVPN has not done anything remarkable to become GDPR complaint VPN. Yes, you have read it correctly. The service does not provide enough information about users’ data collection process, their right to access their information or the right of erasure from its systems.
Moreover, it does not inform about GDPR users’ rights like the right to information, right to rectification, and so on. Therefore, the service has to improve its performance in terms of GDPR compliance drastically.
16. PandaPow VPN- Does not comply with GDPR
Likewise, we were unable to find sections like Right to object and rights related to automated decision-making including profiling too.
17. SaferVPN- Does not comply with GDPR
18. CELO VPN – Does not comply with GDPR
However, it was not the case. Therefore, European users will have to opt other VPN services that offer them more clarity about the use of their personal data.
19. VPNArea – GDPR Compliant
Our GDPR compliant VPN review discloses that VPNArea follows GDPR regulations. We were delighted to know that the provider has deployed data protection officer to solve users’ queries instantly. Hence, you can attain awareness about your personal data processing in a timely manner.
Likewise, you can modify your personal information by using your right to rectification. Furthermore, you can remove your personal data by using right to erasure in no time.
20. PrivateVPN – Does not comply with GDPR
21. ibVPN – GDPR Compliant
In case of data breach, the service is supposed to inform its users in accordance with GDPR regulations. Moreover, you can review your current information and make necessary changes as per your own terms.
22. Private Internet Access (PIA) – GDPR Compliant
Private Internet Access (PIA) allows its European users to avail the service according to their own terms. This is because the provider follows all the notions of GDPR in true letter and spirit. Therefore, you can get information about your data collection procedure.
Furthermore, you can use right to access and other users’ rights described in GDPR hassle-free. Similarly, you can opt right to rectification and right to erasure to update or remove your personal information instantly.
23. Ivacy – GDPR Compliant
We contacted its customer support to know if Ivacy is complying with GDPR or not. According to its official response, the provider is a GDPR compliant. You can explore its data protection rights section to find out how much Ivacy is abiding by GDPR requirements.
Other VPN Winners & Losers: Do They Meet GDPR Requirements?
- AstrillVPN: GDPR Compliant
- SurfEasy: Does not comply with GDPR
- TorGuard: GDPR Compliant
- VPN Unlimited: Does not comply with GDPR
- Avast VPN: GDPR Compliant
- TigerVPN: GDPR Compliant
- AirVPN: GDPR Compliant
- Zoog VPN: Does not comply with GDPR
- StrongVPN: GDPR Compliant
- Avira Phantom VPN: GDPR Compliant
- AnonVPN: VPN is no longer active
- Betternet: GDPR Complaint
- BolehVPN: Does not comply with GDPR
- CrypticVPN: Does not comply with GDPR
- FinchVPN: Does not comply with GDPR
- FrootVPN: Does not comply with GDPR
- Ghost Path VPN: Does not comply with GDPR
- Hola VPN: Offer GDPR rights to EU residents
- Incognito VPN: Does not comply with GDPR
- Ironsocket: GDPR Compliant
- Mullvad: GDPR Compliant
- IntelliVPN: GDPR Compliant
- LibertyVPN: Does not comply with GDPR
- Private Tunnel: GDPR Compliant
- RootVPN: Does not comply with GDPR
- Hotspot Shield: GDPR Compliant
- HideMyAss: Does not comply with GDPR
- LeVPN: GDPR Compliant
- FrostVPN: Does not comply with GDPR
- blackVPN: Does not comply with GDPR
- CactusVPN: GDPR Compliant
- BTGuard: Does not comply with GDPR
- EarthVPN: Does not comply with GDPR
- LiquidVPN: Does not comply with GDPR
- nVPN: Does not comply with GDPR
- GoTrusted VPN: Does not comply with GDPR
- HotVPN: Does not comply with GDPR
- Faceless.ME: Does not comply with GDPR
- SecurityKISS VPN: Does not comply with GDPR
- OctaneVPN: Partially Complies with GDPR
- OverPlay: Complies with GDPR
- RA4W VPN: Does not comply with GDPR
- OneVPN: Does not comply with GDPR
- VPN Baron: Complies with GDPR
- WorldVPN: Does not comply with GDPR
- WiTopia (PersonalVPN): Complies with GDPR
- Trust.Zone: Does not comply with GDPR
- SlickVPN: Does not comply with GDPR
- TotalVPN: Does not comply with GDPR
- Anonymous VPN: Does not comply with GDPR
- ActiVPN: GDPR Compliant
- Encrypt.me: GDPR Compliant
- ChillGlobal: Does not comply with GDPR
- FlowVPN: Does not comply with GDPR
- ChillGlobal VPN: Does not comply with GDPR
- VPN.cc: Does not comply with GDPR
- VPN Land: partially complies with GDPR
- VPN.asia: Does not comply with GDPR
- UnoTelly: Does not comply with GDPR
A Detailed Look at GDPR Compliance Points
What is GDPR?
GDPR (General Data Protection Regulation) is a set of rules that allows EU users to control their personal information. Moreover, it provides a simplified regulatory framework to businesses and netizens in the European Union. As a result, both businesses and individuals can take huge benefits from the digital economy while preserving each other’s privacy.
Here are the eight rights of individuals explained in detail:
The right to be informed
The right to be informed highlights the importance of information transparency. You can attain awareness about the use of your personal data in the right direction.
The right of access
The users may assume right of access as subject access that enables users in attaining a copy of their personal data. Hence, they can understand how and why you are using their data. Likewise, they can check if you are using their data lawfully or not.
The right to rectification
According to Article 16 of GDPR, users can rectify their incomplete or inaccurate data hassle-free. Thus, you can complete your incomplete data still it depends on the purposes of the processing.
The right to erasure
Article 17 of GDPR allows users to remove their personal data anytime from anywhere. However, the said rule only applies in specific situations.
The right to restrict processing
According to the right to restrict processing, users can exercise their right to restrict the processing of their personal information. Thus, you can ask organizations to limit the use of your personal data.
The right to data portability
The right to data portability enables the users to receive their personal data in machine-readable format. Moreover, you can transfer your data from one controller to another controller.
The right to object
Article 21 of GDPR provides users right to object to the processing of their personal data. This way, you can ask organizations to stop processing and using your data.
Rights in accordance with automated decision making and profiling
According to Article 22 of GDPR, you can perform automated decisions in specific situations only. Furthermore, you have to give information to users about the processing of their personal data.
What does this mean for the VPN Industry
Our GDPR compliant VPN research indicates that VPN industry is fully up to speed with GDPR requirements. There are different VPN services who have abided by GDRP regulations appropriately. Likewise, numerous online privacy providers have not made significant changes in their policies.
Therefore, European users should consider opting VPN services those comply with the GDPR guidelines. By doing so, they can attain more control over their personal data. If you avail a VPN service that does not comply with GDPR regulations, you may not be able to gain control over your personal information.
According to GDPR guidelines, VPN services are obliged to communicate with their subscribers in a transparent manner. If they are unable to do so, chances are that they may face penalties or hefty fines. These sanctions may hamper their future growth or expansion in the future.
Credit: This research was done in collaboration with Salmi (author).