Examples of VPNs refusing government data requests?

1. Notable, documented refusals: ProtonVPN and OVPN

ProtonVPN’s transparency reporting is an explicit, cited example: the company published counts of legal requests in 2023 and 2024 and says each request sought to identify who was connected to a server at a timestamp — information ProtonVPN does not log, and therefore it denied those requests ^[1]. OVPN is repeatedly highlighted as a privacy-focused, Sweden-based specialist that says it has operated as a zero-logs provider from the start and even carries insurance to cover court costs when fighting legal demands, an operational posture framed as an active refusal to concede user data ^[1].

2. “Refusal” by design: no-logs policies and technical limits

Several providers position themselves so that refusing a request is either unnecessary or impossible to honor because they do not retain the data being sought: industry reviewers note that top no-logs services run RAM-only servers and collect minimal account information, which leaves little for authorities to seize even under lawful compulsion ^[3]. VPN vendors and advocates—like Private Internet Access in its blog—argue that a genuine no-usage-logs architecture makes data requests unfeasible to comply with, an argument repeated across reviews and vendor statements ^{[4] [3]}.

3. Ambiguity and one-off disclosures: the NordVPN example

Not all major providers fit neatly into “refused” or “complied” categories: NordVPN has moved toward monthly transparency reports and disclosed the number of government inquiries it receives while also reporting a single order that resulted in disclosure during a recent reporting window, showing that even firms that emphasize privacy sometimes have mixed outcomes depending on law, jurisdiction, and the type of data sought ^[2]. Past coverage has also recorded careful shifts in public wording about how vendors respond to lawful orders, underscoring that corporate language and real-world legal entanglements do not always align ^[5].

4. Limits to refusal: jurisdiction, technical keys, and “store now, decrypt later” risks

Refusing or being unable to comply is not the same as absolute protection: experts and community discussions note that governments can target different pieces of the ecosystem—server operators, key holders, or upstream infrastructure—and that some encryption keys or legal mechanisms can be compelled in ways users don’t always anticipate ^[6]. Reviewers and tech press also warn that jurisdictions, new laws (like age-verification and other 2025–2026 regulatory moves), and government interest in VPNs mean the industry will continue to face legal pressure even as vendors adopt post-quantum encryption and architectural protections ^{[7] [8] [9]}.

5. What this means for users: practical takeaways and the reporting gap

The best-documented “refusals” come from firms that either don’t retain the requested data (ProtonVPN) or prepare to litigate (OVPN) and from audits and transparency reports showing many requests with few or no disclosures ^{[1] [2] [3]}; claims that a provider would refuse a request should be read alongside its logging policy, server architecture (RAM-only), transparency reports, and jurisdictional exposure ^{[3] [4]}. Reporting reliably catalogues some denials and structural protections but does not provide a complete public ledger of every legal demand and response, so the public record remains partial: vendors’ transparency reports, independent audits, and documented court fights are the strongest available evidence that a VPN has refused or could not comply with government data requests ^{[1] [2] [3]}.