Privacy Policy
Code of Ethics

VPN in Correlation with Data Protection: Data Protection Regulation in Connection with the Protection Provided by VPN

Personal data protection regulations play an increasingly prominent role in the digital age. The amount of data we have is constantly growing and, in this context, more and more individuals and organizations have access to it. Regulations protect individuals against data misuse and data breaches. In the blog below, you can read about the main features and implications of personal data protection regulation.

General data protection principles and rights

In general, personal data protection regulations provide individuals with enforcement rights in relation to the processing of their data. Examples of such rights are the right to be informed and the right to give consent. Access to and subsequent rectification of these data are also intended to protect the rights of individuals and, overall, serve as a control mechanism for individuals to ensure that their data are protected against misuse and breaches.

The relationship of VPNs with data protection

VPN (Virtual Private Network) allows us to change our location from an internet perspective at the touch of a button. However, our location is closely linked to data protection rules, which have a specific territorial scope. This territorial scope means that only specific parts of the Earth are covered, so changing our location can affect which regulation we are subject to. There can be significant differences between the regulations, so which one protects our personal data when we are online is not irrelevant.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation has completely reformed data protection regulation in the European Union since its creation in 2016. It sets out strict requirements for data controllers and processors to ensure compliance with data protection principles and to protect personal data. The GDPR requires transparency about data processing, with detailed rules on what data can be collected and how it can be used. The territorial scope of the GDPR is not based on EU citizenship but on residence, as explained in Article 3. [1] The GDPR may apply in three circumstances. Firstly, if the controller or processor has an establishment in the European Union, the GDPR applies to them regardless of the fact that the specific processing takes place outside the Union. The second circumstance is the scope of the data subjects. The GDPR applies to all data subjects in the Union who purchase goods or services from a processor not established in the European Union or whose processing is linked to the monitoring of their behavior, provided that the monitoring of behavior within the Union is involved.

Two important elements should therefore be highlighted in the context of VPNs. Firstly, if we use the program to “travel” outside the European Union in terms of the internet and use a service from a provider that does not have an establishment in the EU, we are not subject to the GDPR. Second, if we use the program to “travel” to the EU and use services, we are covered by the GDPR.

California Consumer Privacy Act CCPA

The CCPA is a privacy regulation that came into force in California, USA in 2020. Like the GDPR, it protects against online data abuse. In addition to the rights and obligations outlined in the context of the GDPR, for example, individuals have the possibility to erase data and refuse processing. Transparency is a key requirement for data processing, along with the purpose limitation of the use of the data obtained. In terms of territorial scope, the CCPA defines the scope of data subjects in a different way compared to the GDPR. [2] The business has to do business in the State of California and has to satisfy one or more of the following thresholds. The CCPA affects businesses that have had annual gross revenues in excess of twenty-five million dollars in the preceding calendar year. Alone or in combination annually buys, sells, or shares the personal information of one hundred thousand or more consumers or households. The third threshold is that the business derives 50 percent or more of its annual revenue from selling or sharing consumer’s personal information. Data brokers are particularly disadvantaged by this kind of regulation. Data brokers are in the business of collecting as much data as possible because, in the digital world, data has value and can be monetized. And in any case, the regulation excludes data processing for negative purposes by companies engaged in such activities. The use of VPNs is particularly disadvantageous for data brokers, as it allows users to choose between the scope of different data protection regulations, which can lead to unpredictability for such data collectors.

As for the VPN, you may be covered by the CCPA if you use the VPN to travel to California or if you use a company that handles your data, i.e. a company that does business in California and meets the criteria listed above. The VPN therefore allows you to use a company whose data processing is covered by the CCPA.

Data Privacy Framework (DPF)

The DPF is a data protection agreement between the European Union and the United States. The CCPA, and the GDPR, can be described as a general data protection regime, as opposed to the DPF, which is specifically designed to protect data coming from the European Union to the United States. [3] It ensures the protection of EU citizens’ data when it is processed abroad, thus preventing international abuse. The territorial scope of the DPF therefore covers primarily the United States, but also all third countries outside the EU. The data privacy framework can be seen as a program since this agreement has been concluded not only with the European Union but also with the United Kingdom and Switzerland. In all cases, however, it can be said that it is intended to protect data coming into the United States, and the US is therefore at the heart of the program.

Using a VPN can fall under the DPF in a number of ways. The DPF applies when using the service from a European Union Member State, the US, and is equally applicable when using the service from the UK and Switzerland. So, the internet has a particular relevance to the cases in which the DPF may apply.


Data protection regulation plays a key role in ensuring individuals’ rights to their personal data and in protecting their data. As technology evolves, these regulations face new challenges as new forms of misuse and unauthorized access to data are developed every day. Such regulations are the basis for protection, ensuring the security of Internet use and protecting individuals’ rights against third parties and data controllers.

Márk KABAI is a student of law at the Faculty of Law of the Eötvös Lóránd University, Hungary, and a scholarship student of Aurum Foundation. His research focuses on the interconnections of artificial intelligence and human rights, such as free speech.

Print Friendly, PDF & Email