VPN Regulation: Is It Allowed Everywhere, or Should You Be Careful?
There are many benefits to using a VPN, saving money and time, viewing content you can’t normally access, and using services that you otherwise couldnt. However, as with all activities, you need to be aware of the legal requirements when using a VPN. In this blog post, we will cover the legal regulations, restrictions and prohibitions related to VPNs, contributing to the responsible use of VPNs.
VPN legal regulations worldwide
The legal regulation of VPNs varies from country to country but can be divided into two main groups. There are countries that have not yet developed any comprehensive regulation of VPN use, and there may be some indirect restrictions on VPN use, for example through data protection regulations. These countries are the majority today. There is, however, a narrow group of countries, such as China, Russia, and Turkey, where a ban on VPN use seems to be in place. The rationale behind such regulation is that users use VPNs to access content that is banned in their country, among other things. These countries have an interest in ensuring that censorship is enforced as effectively as possible, and so they restrict the use of VPNs primarily for political reasons and to reinforce censorship. In China, for example, the Great Firewall, which blocks many websites and online services, is in place, and in this context, they are interested in banning the use of VPNs, but this has not yet been done until 2024. [1] In China, for example, a state license is required to use a VPN service, which allows Chinese users to choose from a list of already blocked VPN providers. It is important to note, however, that regulations on VPNs are in their infancy, with a significant percentage of countries not falling on either side, as they have not developed any regulations at all on the issues involved. However, it is also difficult to identify a country where VPN use is completely banned, with countries that have started to regulate mostly opting for a compromise between the two, namely banning the use of VPNs for certain services and only allowing VPNs from certain providers that have been pre-vetted by the state, ensuring that users do not use the software for things that the country does not permit.
Company policy
The vast majority of VPN users are using the service for business purposes, not for personal, home Internet use. Indeed, a significant number of companies require employees to use VPNs to protect corporate data. This can take the form of using a better-technology VPN to determine the IP address from which you want to access the internet, and the company will only allow access to corporate data if that IP address is used, thus excluding any outside party from accessing the data who is not using its prescribed VPN service and IP address, significantly reducing the chance of corporate data falling into the wrong hands. On the one hand, encryption means that valuable company information and data are less likely to be accessed by unauthorized parties. On the other hand, it provides a single system for managing company data. For this reason, it is also important for users to constantly monitor what VPN service their company expects, as it is essential for their work. This ensures remote access to corporate networks, for example for working from home. This became even more important in the post-COVID era, when the vast majority of employees were forced to work from home, making it necessary to create a secure framework for this type of operation, and many companies chose to use VPN services. Companies have set out this type of policy in their guidelines, which define acceptable use, security protocols and guidelines for secure access to corporate resources.
Terms of use
Terms of use are published by all VPN service providers and are one of the most important foundations for regulating VPNs. In the terms of use, service providers specify what the VPN can and cannot be used for and in what form. This includes restrictions on advertising, sending threats, copyright infringement, transmission, and distribution of explicit content. These are the conditions that are now the main obstacles to the free use of VPNs by users. This ensures that the most important prohibitions are in place and that users cannot use the service for inappropriate purposes. It is important to note, however, that in the vast majority of cases, there are no real legal consequences for breaching the terms of use. Companies will only resort to legal action in extreme cases, mainly by terminating access to the service in response to a breach of the terms of use. [2] This sanction is not a huge deterrent for the user, who can choose from a wide range of VPN providers, as there is no common database or cooperation between them in terms of ethics.
Network restrictions
Networks can also have built-in restrictions on how we connect to the internet. Such networks can be found in the workplace or at school and are characterized by either a separate interface for access in some cases or a separate username for those wishing to connect, as is the case with Eötvös Lóránd University of Sciences (hereinafter: ELTE). These networks may control the possibility to connect via VPN or make specific content available explicitly via VPN, as with ELTE. [3] With such VPN access, it is possible to access the supercomputer, which helps ELTE’s lecturers and researchers to collect information. It is therefore important to consider the requirements for using the network before attempting to connect to these networks via VPN.
Problems with the current regulation
The current regulatory framework poses several problems for both users and service providers. The main flaw in the regulation is that restrictions are generally reflected in usage conditions. These conditions of use do not entail any legal sanction, the main deterrent being a ban on the use of the service. However, this ban can only have permanent consequences in exceptional cases, as the user can immediately access the same service by registering a new account. It would be difficult to permanently ban someone from using the service, at best through hardware-based bans, which are not widespread among VPN service providers and therefore do not have a strong deterrent effect. The most important issues relating to the use of VPNs should be regulated by law, at the national or possibly intercontinental level. Criminal law, as the applicable law of last resort, is perfectly capable of providing adequate deterrence, for example, by providing an aggravating circumstance for data misuse through the use of a VPN, where the perpetrator circumvents data protection rules and uses the VPN to access data to which he would not otherwise be entitled. In this context, the data protection rules also raise several questions. The main problem relates to the definition of the scope of the data protection regulation, which is territorial and not personal. This allows an EU citizen to opt out of the GDPR by using a VPN, which raises a number of problems for the protection of EU citizens. Defining the scope on a personal basis would solve this problem, as wherever you are located from an internet perspective, your nationality remains the same. This type of personal scope would eliminate the possibilitiy for opting out of data protection regulations, thus effectively ensuring data protection also when using these types of services.
Summary
In today’s developed world, the use of VPNs is on the rise, as there are numerous benefits to be gained from using them. However, like everything else, VPN use has its downside and can be a particularly powerful weapon if it falls into the wrong hands. Today’s regulations do not pay enough attention to the dangers inherent in VPNs, which can lead to serious problems later on. With the right reform of data protection regulations, the possibilities offered by VPNs can be perfectly integrated into a secure institutional framework. In addition, it seems necessary to set a general regulation and limit on the use of a specific VPN, thus legalizing users’ behavior, since the main deterrent for users in our current legislation is the conditions of use. VPNs are one of the greatest technological innovations of our century, but their use must be properly regulated.
Márk KABAI is a student of law at the Faculty of Law of the Eötvös Lóránd University, Hungary, and a scholarship student of Aurum Foundation. His research focuses on the interconnections of artificial intelligence and human rights, such as free speech.