I'm aware that this is probably going to be the most controversial article on this site and I deliberately want it to be the most polemic one. Some misguided individuals may insist that encryption is bad because it's just used by criminals and nonces and if you have nothing to hide you have nothing to fear, that we can't protect children from harm unless VPNs are banned, that courts ordering websites to be blocked is okay because - for now - it's mostly just affecting pirate sites plundering from starving Hollywood execs, or that freedom of speech doesn't mean freedom from consequences and doubleplusungood ideas are threatening our democracy or something.
The aim of this piece is to see what restrictions and freedoms for the Internet and computing in general are in place across the world. Besides just being an interesting study, there's also real-world utility: Where can you host a website without disclosing your name and adress? What country should you select for your VPN server? In which country will you not need to worry about the police kicking in your front door at 4 am because they didn't like a joke you made on social media?
What this is not is a general comparison of a country's freedom. I'm not looking at the freedom of press, at the election system, or at how libertarian a country is when it comes to guns, sex, or tax. This is purely a look at the digital realm.
I am comparing a carefully selected list of only a few countries; it would be great to compare all ~200 countries of the world but it is an impossible task. I have included the G7 countries (US, Canada, UK, Germany, France, Italy, Japan) and the BRIC countries (Brazil, Russia, India, China) and also Australia in order to honour them for being the first Western country to stop pretending they care about privacy or freedom. I also added Switzerland and Iceland because they always come up in all those lists of what the best countries for privacy and VPNs are - so let's put them to the test.
Of course, there's many more countries in the world and many of them are lauded for their freedoms and protections from government overreach, for example I've heard good things about the Netherlands, Norway, Estonia, and Panama. But it's impossible to diligently compare all countries and there is no clear indication that I'm really missing out a hidden champion - a brief research shows that they all have some restrictions in this or that category. A final thought: for now, you might be able to find lots of freedom in a poor country with low Internet penetration where the government has better things to do than policing the web or isn't able to comprehensively enforce its laws. Why not host your VPS in Papua New Guinea, Transnistria, or Somaliland?
Source: eylenburg.github.io
Last updated: 3 August 2025
Click on the "▶" symbol to read more
| U.S. 🇺🇸 |
Canada 🇨🇦 |
Australia 🇦🇺 |
U.K. 🇬🇧 |
Germany 🇩🇪 🇪🇺 |
France 🇫🇷 🇪🇺 |
Italy 🇮🇹 🇪🇺 |
Switzerland 🇨🇭 |
Iceland 🇮🇸 |
Russia 🇷🇺 |
Brazil 🇧🇷 |
India 🇮🇳 |
PR China 🇨🇳 |
Japan 🇯🇵 |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Legal restrictions of free speech onlinenot counting as "speech" in this context are...- pornography - copyright infringement - defamation - fraud - inciting imminent targeted violence Vague laws without clear definitions of which expressions and opinions are illegal automatically result in "red". |
Very few, but proposedAs good as it gets (see tooltip) In the United States, certain categories of speech are not protected by the First Amendment and can be considered illegal. These include obscenity, which must meet the Miller test by appealing to prurient interests, depicting sexual conduct in a patently offensive way, and lacking serious literary, artistic, political, or scientific value. Speech that constitutes fraud, child pornography, or is integral to illegal conduct is also unprotected. Additionally, speech that incites imminent lawless action, as established by the Brandenburg test, is not protected, meaning advocacy for violence or illegal acts is only punishable if it is directed at producing imminent lawless action and is likely to do so.Other unprotected categories include true threats, which involve serious expressions of intent to commit unlawful violence against a person or group, and "fighting words" that are likely to provoke an immediate violent response from an average person. False statements of fact made with actual malice or negligence can lead to liability in defamation cases, especially when they harm a person's reputation. Lying under oath (perjury) or making false statements to federal investigators is also criminal and unprotected. Commercial speech, such as advertising, receives diminished protection, and false or misleading advertising can be punished. Hate speech, while often offensive, is generally protected under the First Amendment unless it falls into one of the unprotected categories like true threats or incitement to violence. The government may regulate speech in specific contexts, such as broadcasting indecent language on public airwaves, which the FCC can fine under certain conditions. Intellectual property violations, such as copyright infringement or counterfeiting currency, also constitute illegal speech under relevant laws. The STOP HATE Act (proposed 2025) would ban 'hate speech', antisemitism, and 'disinformation' |
RestrictedMostly relating to vaguely defined 'hate speech' and Holocaust denial in Criminal Code §318 & §319(+ failed laws like Bill C-36 (failed in 2021) or Bill C-63 (failed in 2025)) |
RestrictedMostly relating to vaguely defined 'hate speech' and showing National Socialist symbols, such as the Racial Discrimination Act 1975 and the Criminal Code Amendment (Hate Crimes) Bill 2025"The laws at both federal and NSW levels aim to curb hate-fueled violence, particularly against Jewish Australians. They criminalize advocating force or violence against protected groups, toughen penalties for Nazi-related symbolism, and even impose mandatory minimum sentences for some offenses.The new laws stretched the rules in ways that might make civil liberties advocates nervous. Previously, to be charged with urging violence against a group, prosecutors had to prove intent. Now? Recklessness will do. This means you don't have to actually intend for violence to happen — just failing to consider the possibility could land you in serious trouble. The law also takes a broad approach to Nazi symbolism. Displaying a swastika was already illegal in some contexts, but now similar prohibitions apply to a range of extremist symbols, with penalties jumping from one year in prison to five. And if you're caught making a "Nazi salute?" Enjoy your 12-month mandatory minimum sentence." - Reclaim The Net The Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024 (proposed) would ban 'misinformation' and 'disinformation' |
Severe limitations of speechIllegal speech includes vaguely defined 'hate speech', anti-immigration speechIn 2025, the UK government has deployed a "social media surveillance unit" for monitoring social media for anti-immigrant posts., speech likely to cause 'distress', 'indecent' or 'offensive' speech, 'false' or 'misleading' information, obscenity, insults, advocating against the monarchyTreason laws prohibit advocating the abolition of the monarchy or imagining the death of the monarch., blaspheming Islam"England now has a blasphemy law" - The SpectatorThere is no official blasphemy law criminalizing criticism of Islam or Muslims. However, concerns have grown over recent prosecutions for actions deemed offensive to Islam (e.g., Quran burning) under existing public order and hate crime laws. Multiple high-profile cases and political discussions suggest a de facto return to blasphemy law principles via prosecution tactics, but no explicit blasphemy legislation has been passed as of July 2025, and moree.g. UK laws on defamation are among the strictest in the western world, imposing a high burden of proof on the defendant. The most important laws are the Malicious Communications Act 1988Prohibits sending letters, electronic communications, or articles with the purpose to cause distress or anxiety by conveying messages that are indecent, grossly offensive, or false (known or believed to be false by sender). Covers hate speech that is racially or religiously motivated. Jurisprudence may interpret any pro-White or nationalist sentiments as incitement, even benign expressions like "Love your Nation" or "It's OK to be White" (e.g., in the case of Samuel Melia). Criminalizes any malicious communications in general, including insults. Prison sentences up to 2 years possible., the Hate Crime and Public Order (Scotland) ActAddresses stirring up hatred on grounds such as race, religion, sexual orientation. Covers threatening communications that stir up religious hatred. Includes offences related to behaviour causing breach of the peace aggravated by racial or religious hatred., and the Online Safety Act 2023 (particularly §179)Enforces investigations and regulation of harmful online content, including disinformation. Section 179 establishes offence of false communications "Section 179 criminalizes knowingly false communications intended to cause "non-trivial psychological or physical harm." The wording here is as vague as it is dangerous. What qualifies as 'non-trivial psychological harm'? If the government decides that criticisms of its handling of the grooming gang scandal cause emotional distress to MPs—or, conveniently, to the public—it could label them as harmful misinformation. Knowing the penalties—up to 51 weeks in prison and unlimited fines—citizens may think twice before questioning the government on sensitive issues. And that's the goal: silence through fear." - [need to find source for quote] but this is not a comprehensive list. |
Severe limitations of speechIllegal speech includes vaguely defined 'hate speech' (Penal Code §130) (including "liking" a postsee LG Meiningen, Beschl. v. 05.08.2022, 6 Qs 146/22), insulting religions (Penal Code §166), Holocaust denial (Penal Code §130, §189), insults (Penal Code §185), insulting politicians including cases where people were prosecuted (though unclear if convicted) for bagatelles like calling Robert Habeck an "imbecile", Ricard Lang "fat", or Andy Grote a "penis" (Penal Code §188), National Socialists symbols and phrasestechnically it refers to the Dissemination of Means of Propaganda of Unconstitutional Organizations, or Use of Symbols of Unconstitutional Organizations, but in practice this does not just refer to things like a Swastika flag but can even result in convictions for seemingly harmless phrases like 'Alles für Deutschland' (Everything for Germany) (Penal Code §86), disparagement of the President or the State and its symbols (Penal Code §90), revealing someone's biological sex or birth name (Self-Determination Act) or misgendering themDecision Landgericht Frankfurt a.M. 18.07.2024, Az. 2-03 O 275/24 |
RestrictedMostly relating to vaguely defined 'hate speech' (Gayssot Act 1990 & Law of 30 Dec 2004), Holocaust denial, as well as positive representation of drugs or incitement to their consumption (Penal Code §222-234 to §222-239) |
RestrictedIllegal speech includes vaguely defined 'hate speech' (Penal Code §604), Holocaust denial (Law 16 June 2016 n. 115), insulting religions (Penal Code §403), speech that is offensive to public moralityLaws prohibiting publications or performances offensive to public morality ("buon costume") do exist, but enforcement and prosecution for such offenses appear to be rare and not a high priority in practice (Penal Code §21), insulting the President (Penal Code §278) |
RestrictedPenal Code §261bis prohibits vaguely defined 'hate speech'incitement, discrimination, racism, sexism, religious discrimination as well as Holocaust denial or justificationThe wording of the law applies to all genocides, but in practice this is not the case: In 2015, the ECHR ruled in the case of Perinçek v. Switzerland that criminalizing the denial of the Armenian Genocide was an unnecessary restriction on freedom of expression. The ECHR made a distinction between the two, stating that Holocaust denial is "invariably seen as connoting an antidemocratic ideology and antisemitism" , whereas the denial of the Armenian Genocide was deemed to be a matter of historical debate rather than a direct incitement to hatred. |
RestrictedPenal Code §233 prohibits vaguely defined 'hate speech'. Anyone who publicly mocks, defames, denigrates or threatens a person or group of persons by comments or expressions of another nature, for example by means of pictures or symbols, for their nationality, colour, race, religion, sexual orientation or gender identity, or disseminates such materials, shall be fined or imprisoned for up to 2 years. Insults are illegal as well per §234 but the law is not applied in practice.Insults are technically illegal in Iceland, Penal Code §234 under the section on Crimes against the Sanctity of Private Life. Punishable by fines or imprisonment up to one year. In practice however, the Icelandic Constitution makes that particular law toothless, due to the free expression clause. Speech crimes in general are very difficult to convict in Iceland because the courts have to prove that restricting the speech is "necessary and in accordance with democratic traditions". The state cannot initiate a prosecution, a private individual has to report it first. In total, about 30 people have been found guilty of insults in Iceland in as many years. in every case the punishment is simply to have your insult officially declared "dead and worthless." No jail time or fines have been issued. |
Severe limitations of speechIllegal speech includes vaguely defined 'hate speech', 'extremist' policitical positions, 'humiliation of human dignity', disseminating 'unreliable' information and 'disinformation', discrediting the Russian Army (including criticism of the invasion of Ukraine or the actions of the Soviets in WW2), Holocaust denial and 'rehabilitating' National Socialism. Most important laws are §280, §282 and §354 of the Penal Code, but this is not a comprehensive list. |
Severe limitations of speechIllegal speech includes vaguely defined 'hate speech' (Penal Code §20) (not just incitement but also slurs and jokes)which can end with prison sentences, e.g. 8 years for comedian Leo Lins, insulting or mocking a religion (Penal Code §208), justifying a crime (Penal Code §287), and insulting a public official (Penal Code §331) |
Severe limitations of speechIllegal speech includes vaguely defined 'hate speech' (Penal Code §153A), insulting religions (Penal Code §295A & §298), contempt or exciting disaffection against the government (Penal Code §124A), damaging public order or friendly relations with foreign states, damaging 'decency or morality', incitement to an offense (all Constitution §19(2)), and activities that threaten the sovereignty or integrity of India (Unlawful Activities (Prevention) Act) |
Severe limitations of speechIllegal speech includes vaguely defined 'hate speech'Inciting hatred or discrimination among nationalists or harming the unity of the nationalities, injuring the reputation of state organs (which could capture any criticism of the government), 'harming national unification' (e.g. arguing for the independence of Taiwan, Hong Kong, Macao, Tibet, or Xinjiang) disinformation or 'distorting the truth', 'destroying the order of society', and criticizing socialism. |
Strict defamation lawsNominally there are very few restrictions on speech, however defamation laws are very strict and insults and damaging someone's reputation can be prosecuted (Japanese defamation laws do not require the statement to be false; even true statements that harm someone's reputation can lead to legal consequences - unless disclosing the statement is in the public interest). |
| Internet censorship | Indirect & proposedThe Block BEARD Act (proposed 2025) would force ISPs to block piracy websites.Indirect censorship is possible already: - The government has pressured social media platforms to remove content under the pretext of fighting misinformation and hate speech. - High-profile cases such as WikiLeaks, SamouraiWallet and The Pirate Bay involve domain seizures framed as law enforcement actions against crime, which are considered legal despite First Amendment concerns. - TAKE IT DOWN Act: Aimed at combating non-consensual sharing of intimate images, this act could enable censorship by allowing platforms to remove content based solely on complaints, without proof of harm or an appeals process. - PAFACA: Commonly known as the "TikTok ban", targeting apps or websites owned by foreign entities. Proponents argue it is not censorship because a new (American) owner of TikTok would still be allowed to circulate the same content. |
Selective censorshipIn the past, ISPs have been ordered to block websites associated with copyright infringement. Critics also worry that the Online Streaming Act enables state control about what Canadians see online. This act extends the Canadian Radio-television and Telecommunications Commission's regulation to online streaming platforms like YouTube, Netflix, TikTok, and Spotify, requiring them to promote and recommend Canadian content. A central controversy is the perceived risk of government censorship and overreach. Critics worry that giving the CRTC authority to influence algorithms and content recommendations. |
Widespread censorshipThe Australian Communications and Media Authority (ACMA) has the power to enforce content restrictions on Internet content hosted within Australia, and maintain a blocklist of overseas websites. The eSafety Commission can order the removal of 'harmful' content and block access to certain websites, which in the past included archive.org and specific videos deemed inappropriate, such as violent incidents shared on platforms like X. Indirect censorship through the Online Safety Act which requires age verification for accessing potentially 'harmful' content. |
Widespread censorshipIn the past, ISPs have been ordered to block websites associated with copyright infringement or Russian government propaganda (e.g. RT). Indirect censorship through the Online Safety Act which requires removal of speech that could be illegal in the UK as well as age verification for accessing potentially 'harmful' contentincluding: Sexually explicit content. Content which encourages, promotes or provides instructions for: suicide,deliberate self-injury, or disordered eating or behaviors associated with an eating disorder. Content which is abusive or incites hatred against people by targeting any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment. Bullying content. Violent content which: encourages, promotes or provides instructions for an act of serious violence against a person, or depicts real or realistic serious violence against a person, an animal, or a fictional creature, including the graphic depiction of a serious injury. Content which encourages, promotes, or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else. Content which encourages a person to ingest, inject, inhale, or self-administer a physically harmful substance, or a substance in physically harmful quantity. Content that shames or otherwise stigmatises body types or physical features. Content that promotes or romanticizes depression, hopelessness and despair. Filesharing websites.. Many UK-based websites were forced to close due to the OSA and or have blocked UK IPs. |
Widespread censorshipIn the past, ISPs have been ordered to block websites associated with copyright infringement, Russian government propaganda (e.g. RT), and far-right politics. The NetzDG requires social media platforms to remove illegal speech within strict timeframes and imposes fines for non-compliance. This law effectively forces social media companies to over-censor and remove even legal speech. The EU's Digital Services Act creates an obligation for platforms to take action in the form of 'content moderation' against not just illegal content, but also legal but 'harmful' content such as 'disinformation' or 'negative effects on civic discourse or elections'. In the future it will also require age verification from many websites, leading to further de facto censorship. |
Widespread censorshipIn the past, ISPs as well as third-party DNS and VPN providers, have been ordered to block websites associated with copyright infringement, Russian government propaganda (e.g. RT), and far-right politics. This law effectively forces social media companies to over-censor and remove even legal speech. The EU's Digital Services Act creates an obligation for platforms to take action in the form of 'content moderation' against not just illegal content, but also legal but 'harmful' content such as 'disinformation' or 'negative effects on civic discourse or elections'. The DSA also requires age verification from many websites, leading to further de facto censorship. There is strong government pressure to censor on social media companies, for example Rumble was forced to blocked French IPs due to censorship demands, the CEO of Telegram (Pavel Durov) was arrested in 2024 with the prosecutors alleging that censorship on Telegram was insufficient, and a French prosecutor classified X as an 'organised crime group' in 2025 for not censoring enough. |
Widespread censorshipIn the past, ISPs as well as third-party DNS and VPN providers, have been ordered to block websites associated with copyright infringement, Russian government propaganda (e.g. RT), and adult content. The 'Piracy Shield' censorship framework targets piracy and sports streaming websites, but has also affected many innocent websites such as Google Drive. The EU's Digital Services Act creates an obligation for platforms to take action in the form of 'content moderation' against not just illegal content, but also legal but 'harmful' content such as 'disinformation' or 'negative effects on civic discourse or elections'. The DSA also requires age verification from many websites, leading to further de facto censorship. |
Selective censorshipIn the past, courts have ordered ISPs to block specific websites.A notable example occurred in December 2007, when a magistrate in the canton of Vaud ordered Swiss ISPs to block access to three websites hosted in the USA that strongly criticized the Swiss judiciary and were prosecuted for defamation. ISPs were required to alter their DNS servers to block specific domains. |
Selective censorshipIn the past, courts have ordered ISPs to block specific websites, such as The Pirate Bay. |
Pervasive censorshipPervasive censorship and blocking (including deep packet inspection), especially since the 2022 invasion of Ukraine. The Russian government has increasingly tightened its grip on the internet, especially in response to political protests and dissent. Blocked websites and apps include Youtube, Facebook, Instagram, X/Twitter, Rumble, Archive.to, Signal, SimpleX, Discord, and soon WhatsApp. |
Widespread censorshipIn the past, courts have ordered ISPs to block specific websites, mainly for the purpose of political censorship. Social media websites must swiftly remove posts that contain 'hate speech' incite violence, or promote so-called 'anti-democratic acts' as soon as they are flagged, sidestepping the need for a court order. Rumble was forced to block Brazilian users due to censorship demands, whereas X/Twitter was blocked by Brazilian ISPs in 2024 (with a threat of fine for any Brazilians accessing X through a VPN) until they caved in to Brazilian censorship demands. WhatsApp and Telegram were previously banned for similar reasons. |
Widespread censorship§69A of the Information Technology Act 2000 allows the government to block public access to any information in the interest of sovereignty, integrity, national security, friendly relations with foreign states, or public order. The IT Ministry can make content-blocking orders to social media companies (e.g. X was ordered to block thousands of accounts in 2025) and ISPs are frequently ordered to block websites (e.g. a court ordered the blocking of Protonmail in 2025). |
Pervasive censorshipThe Great Firewall of China blocks a large amount of websites and apps, including Google, Youtube, Whatsapp, Facebook, Instagram, X, Snapchat, Pinterest, Wikipedia, Dropbox, and Signal. Content on the Chinese Internet is highly regulated and subject to a strict censorship regime. The government employs various methods, such as IP blocking, keyword filtering, and deep packet inspection, to enforce these restrictions. This censorship not only limits access to global information but also shapes public discourse within China. |
Selective censorshipCourt-ordered site blocks mainly targets piracy websites, especially those relating to manga and anime. However, this is usually applied to high-profile sites, not as a blanket censorship policy. |
| Ban of anonymous VPNs, Tor, or I2P | No bans | No bans | No bans | Not banned, but restrictionsAdvertising the use of VPNs can be illegal under the Online Safety Act. |
No bans | No bans | No bans | No, but proposedA proposed (2025) update to the VÜPF/OSCPT surveillance law would require VPN providers with >5,000 users to identify their users. |
No bans | Mostly blocked, use is illegalYarovaya Law (2016): VPNs must identify their users and keep logs. VPN apps forced to be removed from app stores. Illegal to advertise VPNs. VPN connections are blocked, employing deep packet inspection. VPN users can be fined. |
Not currently, but bans possibleIn 2024, VPN apps were banned from the Apple App Store and Play Store. People found using a VPN to access X could be prosecuted and fined. These restrictions have since been lifted. This ban was enacted by Supreme Court Justice Alexandre de Moraes rather than through an act of legislation, meaning that such a VPN ban can happen again at any time. |
Not banned, but restrictionsVPN servers located in India must collect and retain user data, but there is no ban on VPNs otherwise. |
Mostly blocked, use is illegalVPNs must be approved by the government and must identify their users and keep logs. VPN apps forced to be removed from app stores. High fines and even prison terms can be imposed on VPN users. VPN connections are blocked, employing deep packet inspection. |
No bans |
| Encryption bans incl. mandatory backdoors and other circumventions |
No bansThough such laws are regularly proposed, they have so far all failed e.g. the EARN IT Act, Lawful Access to Encrypted Data Act, and Florida's “Social Media Use by Minors” bill (HB 744/SB 868) |
No, but proposedBill C-26, centered on cybersecurity and expanding surveillance powers, passed the Parliament and reached Senate review in June 2024. Senate found technical flaws and amended it, sending it back to the House of Commons. As of July 2025, it has not yet become law and remains subject to legislative review and correction |
Yes (backdoor on demand)The Assistance and Access Act 2018 allows intelligence and police agencies to issue notices to compel cooperation from technology companies in building in backdoor access. For example, the government demanded that Signal create a backdoor for them, which they refused so far. |
Yes (backdoor on demand)The Investigatory Powers Amendment Bill, passed in 2024, expands the powers of the UK government to demand access to encrypted communications. The Online Safety Act, particularly Clause 122, allows Ofcom to compel companies to break end-to-end encryption, enabling mass surveillance of private communications. This law has been used again Apple, forcing them to stop offering iCloud end-to-end encryption in the UK. |
No, but proposedVarious EU proposals, including CSAR ('Chat Control')The "Chat Control" (EU CSAR) proposal, requiring scanning of private communications for CSAM, failed to attract majority support in the Council throughout 2024-2025. Denmark, assuming the rotating EU Presidency in July 2025, reintroduced the bill, aiming for potential adoption by October 2025. The proposal remains under negotiation and is not yet law, eIDAS Art. 45eIDAS 2.0, and specifically Article 45, remains highly controversial due to concerns it would allow governments to intercept secure web traffic by mandating third-party trusted certificate authorities. As of July 2025, the text is still in trilogue negotiations, and final adoption or rejection remains undecided, the ProtectEU strategyThe ProtectEU strategy and related Roadmap are at the initial policy stage, aiming to provide law enforcement with "lawful and effective" access to encrypted data. As of July 2025, no legislative bill has been passed, but the Commission’s plan has raised alarm among privacy advocates and the HLG Recommendations on 'Access to Data for Effective Law Enforcement'The EU's High Level Group’s recommendations - including weakening end-to-end encryption and regulating VPNs - are not legally binding but inform legislative proposals. No formal law has passed as of July 2025, but these recommendations continue to shape digital policy debates. aim to ban end-to-end encryption or mandate backdoors or circumvent it using client-side scanning. |
No, but proposedVarious EU proposals, including CSAR ('Chat Control')The "Chat Control" (EU CSAR) proposal, requiring scanning of private communications for CSAM, failed to attract majority support in the Council throughout 2024-2025. Denmark, assuming the rotating EU Presidency in July 2025, reintroduced the bill, aiming for potential adoption by October 2025. The proposal remains under negotiation and is not yet law, eIDAS Art. 45eIDAS 2.0, and specifically Article 45, remains highly controversial due to concerns it would allow governments to intercept secure web traffic by mandating third-party trusted certificate authorities. As of July 2025, the text is still in trilogue negotiations, and final adoption or rejection remains undecided, the ProtectEU strategyThe ProtectEU strategy and related Roadmap are at the initial policy stage, aiming to provide law enforcement with "lawful and effective" access to encrypted data. As of July 2025, no legislative bill has been passed, but the Commission’s plan has raised alarm among privacy advocates and the HLG Recommendations on 'Access to Data for Effective Law Enforcement'The EU's High Level Group’s recommendations - including weakening end-to-end encryption and regulating VPNs - are not legally binding but inform legislative proposals. No formal law has passed as of July 2025, but these recommendations continue to shape digital policy debates. aim to ban end-to-end encryption or mandate backdoors or circumvent it using client-side scanning. |
No, but proposedVarious EU proposals, including CSAR ('Chat Control')The "Chat Control" (EU CSAR) proposal, requiring scanning of private communications for CSAM, failed to attract majority support in the Council throughout 2024-2025. Denmark, assuming the rotating EU Presidency in July 2025, reintroduced the bill, aiming for potential adoption by October 2025. The proposal remains under negotiation and is not yet law, eIDAS Art. 45eIDAS 2.0, and specifically Article 45, remains highly controversial due to concerns it would allow governments to intercept secure web traffic by mandating third-party trusted certificate authorities. As of July 2025, the text is still in trilogue negotiations, and final adoption or rejection remains undecided, the ProtectEU strategyThe ProtectEU strategy and related Roadmap are at the initial policy stage, aiming to provide law enforcement with "lawful and effective" access to encrypted data. As of July 2025, no legislative bill has been passed, but the Commission’s plan has raised alarm among privacy advocates and the HLG Recommendations on 'Access to Data for Effective Law Enforcement'The EU's High Level Group’s recommendations - including weakening end-to-end encryption and regulating VPNs - are not legally binding but inform legislative proposals. No formal law has passed as of July 2025, but these recommendations continue to shape digital policy debates. aim to ban end-to-end encryption or mandate backdoors or circumvent it using client-side scanning. |
No bans | No bans | Yes (banned w/o backdoor)The Yarovaya Law requires encryption backdoors. Russia restricts the use of end-to-end encrypted services that do not provide authorities with access to decrypted data, hence E2EE service are de facto banned in Russia. Most recently, TLS 1.3, ESNI, DNS over HTTPS (DoH), and DNS over TLS (DoT) have been banned. |
No bans | Yes (backdoor on demand)§69 of the Information Technology Act 2000 and Article 19 (2) of the Indian constitution, have been interpreted by the courts to empower the government to order the decryption and interception of any message. In 2023, 14 apps offering E2EE messaging were banned, though the government has not provided a clear legal framework or blocking orders for these actions. WhatsApp (India's most popular messaging app) and other companies have resisted demands for a backdoor so far. |
Yes (banned w/o backdoor)China does not have an explicit law that outright bans E2EE, but Chinese authorities have expressed disapproval of end-to-end encryption that limits their ability to access data, leading to bans of encrypted apps in the past. International apps offering E2EE, such as WhatsApp or Signal, are blocked in China. The Cryptography Law of 2020 grants state agencies full access to cryptographic systems and decryption keys, effectively nullifying the possibility of private, unbreakable encryption. Overall, end-to-end encrypted services without government decryption access are essentially not allowed or heavily restricted under Chinese law |
No bans |
| Key disclosure laws Obligation to decrypt data using password or biometrics |
Passwords no, biometrics yesPasswords are protected by the Fifth Amendment and do not need to be disclosed. The situation for biometric unlocking is more disputed, but courts have generally allowed police to compel biometric unlocks (e.g. forcing a suspect's finger onto a phone or holding a device to their face), starting with cases like United States v. Dionisio (1973). |
None | YesThe Cybercrime Act 2001 grants police with a magistrate's order the wide-ranging power to require "a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to access computer data that is 'evidential material'; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months' imprisonment. |
YesThe Regulation of Investigatory Powers Act 2000 gives UK authorities the power to compel the disclosure of encryption keys or the decryption of encrypted data. Refusal to comply can result in a maximum sentence of two years imprisonment, or five years in cases involving national security or child indecence. |
Passwords no, biometrics yesGerman law distinguishes between biometric data and passwords. Forcing biometric unlocks is more likely to be considered permissible because it involves physical evidence, whereas compelling a password may infringe on the right against self-incrimination. However, case law on this is limited and evolving. A 2019 case in Bavaria allowed police to use a suspect's fingerprint to unlock a phone, though the decision was controversial and not universally binding. Unlocking a cell phone by forcibly placing a defendant's finger on the phone's fingerprint sensor was ruled legal in 2025 by a court (OLG Bremen ruling Ref. 1 ORs 26/24 8.1.25) and police is also allowed to take fingerprints and attempt to use them for unlocking a device later (LG Ravensburg AZ 2 Qs 9/23 jug.) |
YesThe Article 30 of the Law No. 2001-1062 of 15 Nov 2001 allows a judge or prosecutor to compel any qualified person to decrypt or surrender keys to make available any information encountered in the course of an investigation. Failure to comply with such a request can result in penalties, including three years of jail time and a fine of €45,000; if the compliance would have prevented or mitigated a crime, the penalty increases to five years of jail time and €75,000. |
None | None | None | De jure no, de facto maybeThere is no specific, publicly documented Russian law. However, since 2019 all smartphones and computers sold in Russia must come with pre-installed Russian software, which most likely facilitates government access to these devices anyway. In practice, Russian authorities operate with significant leeway, and refusal to unlock a device or decrypt data can lead to serious consequences, even without an explicit legal mandate. Authorities may interpret refusal as suspicious behaviour, leading to prolonged detention or charges under vague laws like "obstructing law enforcement" or "extremism". While you may not be legally required to decrypt your data, the question is: do you feel lucky? |
None | Yes§69 of the Information Technology Act 2000 empowers the government to compel assistance from any "subscriber or intermediary or any person in charge of the computer resource" in decrypting information. Failure to comply with such a request is punishable by up to seven years' imprisonment and/or a fine. |
De jure no, de facto maybeDe jure there is no key disclosure requirement, however China gives law enforcement significant powers and prioritizes its ability to compel decryption and access to data even if this means compelled disclosure of passwords or encryption keys in practice. Refusal to unlock a device or decrypt data is likely to be met with significant pressure, including detention, interrogation, accusations of obstructing justice, or charges under laws like the Anti-Terrorism Law or National Security Law. |
None |
| Ban of anonymous payments excl. payment limits e.g. for large cash transactions |
No bans, but devs punishedThere is no ban on the use of anonymous payment methods such as Monero, but in the past developers of cryptocurrency software allowing for financial privacy and anonymity have been prosecuted in the name of anti-money laundering, e.g. 'US v. Storm' and 'US v. Rodriguez' targeting the developers of Tornado Cash, a privacy protocol that mixes cyrptocurrency transactions to obscure their origin. |
No bans, but restrictionsHowever, Justin Trudeau's Emergency Act granted the government the power to restrict cryptocurrency transactions, including Monero, as part of efforts to curb funding for the Freedom Convoy protests. It did, however, not constitute an outright ban of Monero or other cryptocurrencies. |
No bans, but restrictionsHowever, Monero has been delisted from all CEX for Australian users due to KYC and other regulations, even though it's not banned per se. |
No bans, but restrictionsHowever, Monero has been delisted from all CEX for British users due to KYC and other regulations, even though it's not banned per se. |
Partially bannedArt. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers). |
Partially bannedArt. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers) |
Partially bannedArt. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers) |
No bans | No bans | Banned commerciallySince 2022, "it is prohibited to transfer or accept digital financial assets as a consideration for transferred goods, performed works, rendered services, as well as in any other way that allows one to assume payment for goods (works, services) by a digital financial asset" (i.e. cryptocurrencies). It remains technically legal to own cryptocurrencies or use them in non-commercial contexts. |
No bans | No bans | BannedThe People’s Bank of China issued a ban on all crypto activities, including trading, mining, and individual ownership, effective from June 2025. The Chinese government aims to centralize financial control with its state-backed digital yuan (CBDC) and eliminate decentralized crypto assets. |
No bans, but restrictionsHowever, Monero has been delisted from all CEX for Japanese users due to KYC and other regulations, even though it's not banned per se. |
| Mandatory Online ID incl. mandatory age verification or imprint obligations |
Age verification in some statesAge verification laws are in place in several US states, but not on a federal level. The Kids Online Safety Act (proposed 2025) and SCREEN Act (proposed 2025) aim to implement restrictions on a federal level. |
No, but proposedBill S-209, aimed at mandatory age verification for access to online adult content, returned to the Senate for first reading in May 2025. Debate continues in Parliament with a focus on privacy and implementation challenges. The bill has not yet been enacted. |
Age verificationThe Online Safety Bill 2024 mandate age verification to restrict the use of social media by minors under the age of 16. Furthermore, age verification requirements have been extended to YouTube and search engines like Google and Bing. |
Age verification & imprintThe Online Safety Act 2023 requires age verification for a variety of 'potentially harmful' contentSexually explicit content. Content which encourages, promotes or provides instructions for: suicide,deliberate self-injury, or disordered eating or behaviors associated with an eating disorder. Content which is abusive or incites hatred against people by targeting any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment. Bullying content. Violent content which: encourages, promotes or provides instructions for an act of serious violence against a person, or depicts real or realistic serious violence against a person, an animal, or a fictional creature, including the graphic depiction of a serious injury. Content which encourages, promotes, or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else. Content which encourages a person to ingest, inject, inhale, or self-administer a physically harmful substance, or a substance in physically harmful quantity. Content that shames or otherwise stigmatises body types or physical features. Content that promotes or romanticizes depression, hopelessness and despair. (not just limited to sexually explicit content). The Electronic Commerce (EC Directive) Regulations 2002 have imprint obligations not just for commercial websites, but even for private websites with a small commercial element such as advertising banners. |
Social media ID & imprint§5 TMG prescribes imprint obligations not just commercial websites, but also for private websites with a small commercial element such as advertising banners. The EU's Digital Services Act will require mandatory age verification to access 'potentially harmful' content online, though it is not yet implemented in Germany. It also requires social media platforms to supply the government with the identity of people publishing 'harmful' (but mostly legal) opinions; 90% of the requests received by X in 2024 came from Germany. |
Age verification & imprintLoi pour la confiance dans l'économie numérique prescribes imprint obligations not just commercial websites, but also for private websites with a small commercial element such as advertising banners. The EU's Digital Services Act will require mandatory age verification to access 'potentially harmful' content online, and France is trialling the implementation. |
Age verificationThe EU's Digital Services Act will require mandatory age verification to access 'potentially harmful' content online, and Italy is trialling the implementation. |
No, but proposedA proposed (2025) update to the VÜPF/OSCPT surveillance law would require providers of email hosting, instant messaging, and social media with >5,000 users to identify their users. |
No | No | No | No | Real-name systemChina mandates online real-name registration whereby users must provide official ID credentials to access most Internet services. The new 2025 national Internet ID system builds on this by introducing a government-issued digital credential that centralizes authentication across platforms, linking government databases with online activity. |
No |
| Mandatory non-targeted data retention for Internet and telecom metadata |
NoneNo comprehensive federal requirement for ISPs to retain connection logs or metadata for all users; any retention is voluntary, although proposals for mandatory logging have existed (e.g. SAFETY Act 2009). CLOUD Actrequires US-based service providers to provide law enforcement with data stored on their servers, even if those servers are located outside the United States. However, it does not require companies to retain or log data that they would not otherwise maintain as part of their operations. It only governs access to data that a provider already stores. and PRISMPRISM is the name of a US intelligence program, disclosed in 2013, which enables the NSA to collect internet communications from US-based tech companies. PRISM allows for the compelled disclosure of content or metadata held by providers when targeted at non-US persons outside the US. are not data retention laws. |
None | Yes (24 months)The Data Retention Act 2015 requires retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) for 2 years. |
Yes (12 months)The Investigatory Powers Act 2016 requires retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) for 1 year. |
NoneDespite several attempts to introduce a data retention law (Vorratsdatenspeicherung) and passing parliament, it has been declared unconstitutional. There is currently no mandatory data retention in Germany. |
Yes (12 months)Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) for 1 year. |
Yes (12-24 months)Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history) for 1 year and telephony metadata (including mobile phone locations) for 2 years. |
Yes (6 months)The SPTA and OSCPT require the retention of ISP metadata (such as IPs, connection logs, or browsing history) and telephony metadata (including mobile phone locations) for 6 months. A proposed (2025) update to the VÜPF/OSCPT surveillance law would extend this requirement to email, instant messaging, and VPN providers with >5,000 users. |
None | Yes (12 months)The Yarovaya Law 2016 requires retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) and even VPN logs for 1 year. |
Yes (12 months)Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history) for 1 year. |
Yes (12-24 months)Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history) and telephony metadata (including mobile phone locations) for 1 year. |
Yes (6 months)Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) and even VPN logs for 6 months. |
No, but proposedAs of March 2025, Japan’s data protection laws are under review. However, the legislative outcome is unclear. |
| Mandatory registration for SIM cards | No | No | Yes, must register with official ID | No | Yes, must register with official ID | Yes, must register with official ID | Yes, must register with official ID | Yes, must register with official ID | No | Yes, must register with official ID | Yes, must register with official ID | Yes, must register with official ID | Yes, must register with official ID | Yes, except data-only SIMs |
| No "fair use" of copyrighted material | Fair Use, but DMCA misuseBroad, flexible exceptions allowing various uses (such as commentary, criticism, news reporting, teaching, scholarship, and research) based on four fairness factors (purpose, nature, amount, market impact). However, the DMCADigital Millennium Copyright Act has in the past been misused for censorship and "taking down" legal content, as content needs to be removed quickly and without proving copyright infringement. |
Fair DealingsUse permitted only if it falls into prescribed categories (e.g., research, private study, criticism, review, news reporting, education, parody, satire). More restrictive than US. |
Fair DealingsOnly allowed for specified purposes such as research, criticism, review, news reporting, parody/satire, professional advice, or education. Additional exceptions are very situation-specific and narrowly crafted. |
Fair DealingsPermitted uses limited to research, private study, criticism, review, news reporting, parody, caricature, pastiche, and quotation. Other uses require permission. |
Narrow statutory exceptionsNo general fair use; only narrow, enumerated exceptions for uses such as quotation, research, criticism, and certain educational and private uses. The list is exhaustive and exceptions are strictly interpreted. |
Narrow statutory exceptionsUses are only allowed if they fit an exhaustive list of exceptions (quotation, press review, private copy, educational use). No general fair use doctrine; exceptions are narrowly interpreted. |
Narrow statutory exceptionsNo fair use; only limited statutory exceptions for private copying, education, and criticism, provided specific requirements are met. |
Narrow statutory exceptionsPermits limited exceptions for private use, quotation, education, and information reporting, but otherwise copyright is strictly enforced. |
Narrow statutory exceptionsFollows European approach: no fair use, only specific exceptions for quotation, education, private copying, etc. Uses outside these lists aren’t permitted. |
Narrow statutory exceptionsUses must fall within a strictly defined list of statutory exceptions, such as quotation, news reporting, and personal use. No general fair use principle. |
Narrow statutory exceptionsExceptions are limited to those expressly listed in statute (quotation, private copying for personal use, etc.), with interpretation strictly applied. |
Fair DealingsNumerous prescribed purposes (research, criticism, review, news reporting, education, judicial proceedings) are allowed, but uses outside these are not: more flexible than in Europe but not as broad as US fair use. |
Narrow statutory exceptionsVery limited statutory exceptions; general fair use does not exist. Use usually only allowed for research, personal use, or narrow educational purposes. |
Narrow statutory exceptionsUse allowed only for narrowly defined statutory exceptions, such as quotation, certain educational use, and news reporting. No general fair use exception and generally very strict jurisprudencefor example, you can be jailed for transcribing a film to text. |
Colour guide:
No, not restricted, as good as it gets
No, not restricted for now but such laws are being planned at the moment
Restrictions only apply partially or indirectly; "No, but..."
Yes, restrictions apply but are limited in scope; "Yes, but..."
Yes, restrictions apply
Yes, restrictions apply and are very severe or wide in scope
Despite the ever-present moaning about the US allegedly slipping into tyranny or the (merited) worries that every byte of data on American servers can be accessed by the NSA and CIA, the legal protections in the US are still strongest of all the countries I looked at and probably worldwide. There's always some ifs and buts, for example the age verification that's now mandatory in many US states (but not federally), but overall the US does quite well, with the biggest relative strength being free speech. Other countries with a high degree of freedom in the digital realm are Canada, Iceland, and Japan. Unsurprisingly, China is the least free. But it's also very disappointing to see how "red" many Western countries appear, especially when you consider all the further restrictions that are currently proposed or in preparation. Interestingly, censorship in Western countries happens indirectly, by forcing private companies to do the censoring and blocking (cf. NetzDG, OSA) so that the lawmakers can keep pretending that it's not real censorship.
There is not much we can do as individuals, ultimately. Maybe those of us who are lucky enough to live in a democracy need to vote harder next time or sign another petition :^) Even when the noose gets tightened more and more, we should always try to opt out of government and corporate overreach wherever we still can. And make no mistake: even though Big Tech companies sometimes make a stand against the most malicious laws, that doesn't automatically make them the "good guys" either.
I will block all ads
I will block all trackers
I will reject all cookies
I will not subscribe to your newsletter
I will not download your app
I will not sign up or sign in
I will not enable DRM
I will bypass your paywall
I will not share my location
I will not hand out my phone number
I will not verify my identity or confirm my age
I will not solve your captcha
I will not turn off my VPN
I will disable telemetry
I will refuse remote attestation
I will only use free software
I will not make a Google, Apple or Microsoft account
I will encrypt everything
I will pay in cash or Monero wherever possible
I will strive to have as little of the fruits of my labour stolen through taxation as is legally possible
And finally, I will exercise my God-given right to unrestricted free speech to speak boldly and truthfully against tyrannical governments and other authoritarian powers.
Simple as.