What the Five Eyes Alliance Is
The Five Eyes is an intelligence-sharing alliance between the US, UK, Canada, Australia, and New Zealand. The alliance was formalized after World War II for signals intelligence sharing and has expanded significantly since then. The relevance to VPNs: if a VPN company is incorporated in a Five Eyes country, it could theoretically be compelled by courts in that country to provide data about users, and that data could be shared with partner agencies. Nine Eyes (adds France, Denmark, Netherlands, Norway) and Fourteen Eyes (adds Germany, Belgium, Italy, Spain, Sweden) are extensions of the alliance with varying levels of intelligence sharing.
What This Actually Means in Practice
The threat model matters here. If your concern is a government in a Five Eyes country wanting to identify you specifically, jurisdiction matters. If your concern is your ISP selling your browsing data to advertisers, jurisdiction is irrelevant -- the VPN's no-logs policy and technical implementation matter much more. For the vast majority of VPN users, the practical privacy impact of Five Eyes jurisdiction is minimal. The more important factor is whether the VPN actually keeps no logs. A VPN with a proven no-logs policy in a Five Eyes country (ExpressVPN, which has had servers seized with no useful data extracted) is more trustworthy than a VPN claiming no-logs in a 'privacy-friendly' jurisdiction with no audit to back it up.
Which Jurisdictions Are Considered Safer
VPNs based outside Five/Nine/Fourteen Eyes: Mullvad (Sweden, which is in 14 Eyes but has strong data protection laws), ProtonVPN (Switzerland, not in any Eyes alliance), ExpressVPN (British Virgin Islands, not a Five Eyes member despite UK connection), NordVPN (Panama, not in Eyes alliances), Surfshark (Netherlands, Nine Eyes -- but has passed independent audits). Switzerland and Panama are commonly cited as favorable VPN jurisdictions due to their lack of mandatory data retention laws and distance from US legal reach.
When Jurisdiction Matters Most
Journalists, activists, and people in high-risk situations who face potential government surveillance should prioritize non-Eyes jurisdictions and VPNs with independently audited no-logs policies. For these users, the combination of jurisdiction + audit + open-source client + RAM-only servers (no persistent storage) is the right criteria. For everyone else: no-logs policy, independent audit, and strong protocols matter more than the flag on the VPN company's incorporation papers.