New jurisdiction on the horizon for Xeovo? (Currently Finland, EU)
Given the recent leaked EU Council document proposing mandatory data retention requirements for VPN providers (minimum 12 months of user identification data, metadata, and location information), I'm wondering if Xeovo is considering relocating to a privacy-friendly jurisdiction outside the EU.
Background:
The EU is preparing legislation that would require VPN services to retain user data for at least one year, effectively making "no-log" VPNs illegal within EU territory. The proposal targets messaging apps, VPNs, cloud services, and other online platforms.
Timeline:
Impact assessment: Q1 2026
Legislative proposal: Mid-2026
Potential safer jurisdictions:
Tier 1 - Fully independent from EU regulations:
Switzerland (not in EU/EEA, strong privacy laws, home to ProtonVPN/ProtonMail)
Panama (completely outside EU sphere, already hosting privacy-focused VPNs)
British Virgin Islands (UK overseas territory, separate legal system, zero EU ties)
Faroe Islands (Danish autonomous territory, opted out of EU, not in EEA)
Tier 2 - European but with regulatory concerns:
Iceland (EEA member, must adopt some EU directives, but strong privacy tradition)
Norway (EEA member, may need to implement EU data retention rules)
Gibraltar (UK overseas territory, post-Brexit status still being negotiated with EU - uncertain regulatory future)
Note: Iceland, Norway, and Gibraltar, while having good privacy reputations, have ties to EU regulations. Iceland and Norway are EEA members and typically must implement EU directives. Gibraltar's regulatory framework is still being negotiated post-Brexit.
Switzerland and Faroe Islands remain the safest European options as they maintain full legislative independence on privacy matters.
Major providers like NordVPN and Surfshark have already expressed serious concerns about this proposal.
What are Xeovo's plans to protect user privacy in light of this development?
Let's discuss.
12 Comments
We are aware of this and are already working to oppose the proposal so it does not pass in the EU. We will not do this alone and will cooperate with other VPN providers to push back together.
Switzerland is in the same boat. The Swiss government is actively pushing changes to its surveillance framework (VÜPF/OSCPT) that would expand data-retention and identification requirements to VPNs, messengers, and cloud services.
Offshore locations like Panama are not picked because of "privacy laws", but simply because the company wants to avoid paying taxes. They also still have companies in the EU to process and accept payments from customers, because the majority of payment processors do not accept offshore businesses/banks.
If this law passes and VPNs are included, this would leave us no option but to relocate the company outside of the EU. This could also result in a mass exodus of VPN servers from the EU entirely, as they would remain subject to EU law. Changing jurisdiction alone would not be enough.
Finally, perfect timing for me to post this meme.
I wish you good luck. But frankly, I don't believe in a positive outcome. Similar bans are becoming more and more common in literally every country in the world. And while these countries may seem to be in conflict or completely unrelated, that doesn't stop them from moving in the same direction and issuing identical laws with different titles ("very unexpected").
Are you considering physical security methods or just legal ones? Automatic deletion of all logs, RAM-only servers, data wipes when connecting "incorrectly" directly to a server rack inside the hosting provider's building, etc.?
Is it possible to make all user logs look the same? Of course, you won't be doing this yourself, so as not to break the law. "Someone else" will simply create a third-party service/instructions/client, etc. And this tool, by a lucky chance, will work perfectly with your service.
We are looking only into legal ones. Unfortunately, the regulators are not that stupid and will classify this as "intentional data falsification", which will lead to fines, forced shutdown or worse.
So it's not the stupidity of the inspectors, but the loopholes. I think you should consult a good lawyer who can tell you how to screw the government. That's if the law comes into force, of course, and it will 99% of the time, because the authorities of all countries don't care what people think until they...
Perhaps the user themselves can configure something at the client level so that the traffic appears identical (without Tor). If you want logs, here they are. Let it be optional; some will make such settings, others won't.
I'm not an expert in technical matters, but I believe you can't play by the rules here, because they don't have any rules. Tomorrow they'll introduce another law: "To protect children, you must now submit an anal scan to confirm your age." "Now, to confirm that you're over 16, not 14, you must also provide a stool sample in addition to the scan."
Besides, the upper crust of any country always bends the rules and looks for loopholes to avoid paying taxes, etc., so you should do the same.
You can even take it to the extreme: "My gender is a VeraCrypt cryptocontainer, I can't give you my data because you're insulting my personality." I don't know the local laws, but I'm sure some nonsense can be found that will allow it.
In any case, victory will be ours.🐘
It's like text from a neural network.
But I agree that you need to look for legal and technical loopholes, because this law will definitely be passed in one form or another.
It's important to unite with others, but in the end, the most that unity will achieve is a text expressing discontent, which the authorities will print out and wipe their asses with.
It is. I am not an IT engineer or a native English speaker. I am a philosopher. My work is just thinking: I am the prompt designer of these AI's posts.
It is not easy to find a lawyer with such technical expertise. However, even if we find a loophole, the main problem remains.
If the law passes, the damage is already done. Having a company in Europe would be a big red flag, and the average consumer would assume that we log the information.
@Fodt Let's chill with AI posts. It's okay to use it to translate, but let's not litter Hub with it.
Imagine that the damage from this law has already been done and act based on the new reality. If you cannot ensure the protection of your users' data, then teach them or give them a ready-made tool to do it themselves. And explain everywhere in your advertising why it is safe.
You don't have many options. Either go underground, like darknet sites, or make radical changes.
You wrote above that you want to join forces with other VPN providers. So join forces, but not primarily to write about how you oppose this law, but for technical and legal solutions.
Speaking of average users, I am one of them. I am not a technical specialist or a lawyer. But I will never believe in any privacy policy because it's just letters on a screen. If the special services of one of the countries come to you personally and threaten your family or torture you (of course, they never do that), then in that very second you will collect all the logs and not write about it anywhere.
That's why the average user doesn't care. They care about speed, stability, and convenience of payment and use. Moreover, all VPN providers will face this, not just you. So you are on equal terms.
I would like to say a lot more, but the hub format is not convenient for this. So I will write as you respond, if it makes sense for both of us.
And I will repeat once again that the easiest thing to do is to make the logs identical or false, but from the user's side. You can store them for 100 years, but they will be nonsense. And you will be clear before the law because it is not you who does it, but the users. And you store everything very conscientiously.
After researching the EU data retention situation, here's what I found.
Switzerland is looking less reliable. ProtonMail handed over that activist's IP in 2021, and they've been signing EU cooperation agreements through 2024-2025. The privacy reputation seems more marketing than reality now.
Panama works for legal incorporation and jurisdiction protection, but server latency to the EU is 180ms+, which kills performance.
Serbia is actually interesting: not in the EU so no data retention laws, 25ms latency to EU cities, low costs, and they don't automatically cooperate with requests. Seems like the best option for EU-facing infrastructure right now.
The setup that makes sense: Panama for legal entity (jurisdiction protection), Serbia for servers (performance), Russia/Kazakhstan as fallback.
Anyone else looked into Serbian hosting providers?