What exactly are the 5 Eyes, 9 Eyes and 14 Eyes?

The 5 Eyes (FVEY) is the historical signal intelligence sharing alliance born from the 1946 UKUSA agreement: United States, United Kingdom, Canada, Australia, New Zealand. The 9 Eyes extend sharing to Denmark, France, Netherlands and Norway. The 14 Eyes (SIGINT Seniors Europe group) add Germany, Belgium, Italy, Spain, Sweden. These levels are tiered: a 5 Eyes member can access raw intelligence that a 14 Eyes member only sees in synthesized form.

If my cloud is hosted in France, who can access my data?

France is a 9 Eyes member. Concretely, the DGSE can require access to data under the 2015 Intelligence Act (articles L.851 and following of the CSI) and shares with other 9 Eyes members under bilateral agreements. A cloud like OVHcloud, hosted in France, therefore remains within the 9 Eyes perimeter. To escape 14 Eyes: jurisdiction outside the alliance — Switzerland, Iceland, Panama, Romania, or self-hosted cloud in Svalbard (paradoxically, despite Norway's 9 Eyes status, Svalbard servers have a protective legal framework).

Does the US CLOUD Act apply to a European cloud?

Yes if it's a subsidiary or operator whose parent company is American. Microsoft Azure, AWS, Google Cloud remain subject to the CLOUD Act (2018) even for data physically stored in Europe — a US judicial warrant can compel the parent to deliver data. The CJEU invalidated Privacy Shield in 2020 (Schrems II ruling) precisely because of this jurisdictional conflict. This is why Proton (Switzerland), Tresorit (Switzerland), and Mailfence (Belgium) communicate aggressively about their non-US jurisdiction.

Is Switzerland really outside 14 Eyes?

Yes. Switzerland never signed the UKUSA agreement or SIGINT Seniors Europe protocols. The Federal Intelligence Service Act (LRens, 2017) authorizes international sharing but under control of an independent federal administrative tribunal, with a high threshold. In practice, Proton Mail and Tresorit publish annual transparency reports (Proton 2024: 4,920 state requests received, 2,105 partially satisfied, 0 deliveries of encrypted content) that demonstrate operational isolation. Switzerland remains the reference jurisdiction for cloud privacy in 2026.

Is Iceland really safe for hosting a cloud?

Yes, for legal and geographical reasons. Iceland adopted the Icelandic Modern Media Initiative (IMMI) in 2010 — a legal framework protecting whistleblowers and journalists. Combined with the absence of formal SIGINT alliance and geothermal infrastructure attracting datacenters, Iceland hosts providers like 1984 Hosting and OrangeWebsite. Limits: informal cooperation with 5 Eyes exists via NATO, and the market is narrow (few consumer offers). For personal use, Switzerland > Iceland > Panama in this order.

If I self-host my cloud, am I outside jurisdiction?

You reduce the attack angle but don't eliminate it. Self-hosting Nextcloud on a Hetzner VPS (Germany, 14 Eyes) or OVH (France, 9 Eyes) places you under the VPS provider's jurisdiction. To really exit 14 Eyes: VPS at 1984 Hosting (Iceland), Njalla (Nevis), or Buyshared (Bulgaria outside 14 Eyes). But self-hosting also implies total responsibility for security (updates, TLS certificates, backups) — a Nextcloud unmaintained for 6 months becomes an open door regardless of jurisdiction.

5/9/14 Eyes and your cloud privacy: the real world map of surveillance (2026)

The essentials

The signal intelligence (SIGINT) 5 Eyes, 9 Eyes and 14 Eyes alliances are neither a conspiracy myth nor a state secret: they are documented by major leaks (Snowden 2013, Vault 7 in 2017) and confirmed by official declarations of several signatory governments. In 2026, their impact on cloud privacy remains massive — not because they enable direct mass surveillance, but because they determine which state can legally compel a cloud provider to deliver encrypted data.

The question for a cloud privacy user is therefore not "do these alliances exist?" (yes), nor "could I be personally spied on?" (statistically no if you're not a specific target), but: "if my provider receives a legal request tomorrow, which law applies and how many states can access it through intelligence sharing?" This is the logic we unfold here, jurisdiction by jurisdiction.

Of the 12 cloud privacy providers we mapped in May 2026, 9 are hosted or registered in 14 Eyes or allied countries, and only 3 — Proton Drive, Tresorit and pCloud (Switzerland) — benefit from real jurisdictional protection outside 14 Eyes. Add to that a few niches: 1984 Hosting (Iceland), Njalla (Nevis), Internxt (Spain 14 Eyes but decentralized infrastructure).

Where these alliances come from and why you heard about them in 2013

The 5 Eyes (FVEY) core dates back to the 1946 UKUSA agreement, signed between the United States and the United Kingdom at the end of WWII to continue sharing intercepted intelligence against the USSR. Canada joined in 1948, Australia and New Zealand in 1956. These five countries share raw intelligence — phone interceptions, satellite data, direct access to telecom infrastructures.

The 9 Eyes and 14 Eyes extensions (sometimes called SIGINT Seniors Europe) are less privileged concentric circles: members receive filtered and synthesized intelligence, but actively participate in collection. The Snowden documents published by The Guardian and Der Spiegel in 2013-2014 clarified the boundaries:

5 Eyes (FVEY): United States, United Kingdom, Canada, Australia, New Zealand
9 Eyes: 5 Eyes + Denmark, France, Netherlands, Norway
14 Eyes: 9 Eyes + Germany, Belgium, Italy, Spain, Sweden

Beyond the 14 Eyes, there are associated "Tier B" circles: Japan, South Korea, Singapore, Israel, which share occasionally without belonging to the formal alliance.

What these alliances technically do

Three operational mechanisms:

Database sharing: XKeyscore and similar, where each member feeds and queries.
Bypassing domestic limits: if the NSA cannot legally spy on a US citizen, British GCHQ can do it and transmit — practice documented and challenged by the ACLU.
Mutual requests on cloud providers: a British warrant against a US cloud goes through an accelerated channel (reinforced MLAT).

For your cloud privacy, the key point is mechanism 3: if Microsoft, Google or Apple receives a request from a 5 Eyes member, cooperation is almost automatic. If the request comes from a 9 or 14 Eyes member, delay and friction increase, but outcome remains likely.

CLOUD Act, EU Data Act, Swiss LRens: 2026 legal cartography

Beyond intelligence alliances, three recent legal texts structure cloud access:

CLOUD Act (United States, 2018)

The Clarifying Lawful Overseas Use of Data Act authorizes US authorities to require American companies (or those with significant US entity) to provide data wherever stored worldwide. Microsoft, Google, AWS, Cloudflare, Apple are concerned. A US federal warrant compels the parent company to deliver European customer data. The CJEU invalidated Privacy Shield in July 2020 (Schrems II ruling) precisely because this CLOUD Act makes GDPR and US-based hosting incompatible.

Consequence in 2026: using Microsoft 365, Google Workspace or iCloud for sensitive data de facto violates your European privacy expectation, regardless of physical datacenter location.

EU Data Act + DSA (European Union, 2023-2024)

The EU Data Act (in force 2024) requires cloud providers established outside the EU to designate a European legal representative and cooperate with national authorities. Combined with the Digital Services Act (DSA, 2022) and Digital Markets Act (DMA), it creates a localization obligation for "sensitive data" — without prohibiting the CLOUD Act on US actors.

Consequence: a cloud actor can be compelled simultaneously by the US CLOUD Act and EU Data Act, without reconciliation procedure. This is precisely the grey zone in which Microsoft, Google and AWS have operated since 2024.

Swiss Intelligence Act (LRens, 2017, revised 2024)

The LRens authorizes the Federal Intelligence Service (SRC) to request data access, but under three cumulative conditions: prior authorization by a federal administrative tribunal, demonstrated national interest, documented proportionality. In 2024, the SRC's public report mentions 172 formal requests, of which 43 were partially satisfied. No extraterritorial obligation.

This gap — factor 30 to 50 between US and Swiss cooperation on request volumes — explains why Proton and Tresorit have actively communicated about their Swiss jurisdiction since 2018.

The 2026 world map: where can your cloud really be?

Country	SIGINT status	Cloud legal framework	Privacy verdict
United States	5 Eyes	CLOUD Act, FISA 702, NSL	Avoid for sensitive data
United Kingdom	5 Eyes	Investigatory Powers Act 2016	Avoid (Snoopers' Charter)
Canada	5 Eyes	Bill C-26 (2024)	Avoid
Germany	14 Eyes	BND-Gesetz revised 2021	Meh (Hetzner ok for standard use)
France	9 Eyes	2015 Intelligence Act + LPM 2023	Meh (OVH ok for non-sensitive)
Spain	14 Eyes	Ley 11/2002 CNI	Meh
Switzerland	Outside 14 Eyes	LRens 2017 (independent tribunal)	OK — reference
Iceland	Outside 14 Eyes	IMMI 2010	OK (narrow market)
Panama	Outside 14 Eyes	No Data Retention Law	OK (few consumer offers)
Romania	Outside 14 Eyes	Law 506/2004 light	OK (cheap datacenters)
Nevis	Outside 14 Eyes	Confidentiality Act 1985	OK (Njalla, specialized VPS)
Norway (Svalbard?)	9 Eyes formally	LRens-like framework on Svalbard	OK with asterisk

This table considers only applicable law to storage. Law applicable to the owning legal entity of the provider matters just as much: Proton is Swiss (✅), Tresorit is Swiss but was acquired in 2021 by Swiss Post (✅, neutral state, outside 14 Eyes), pCloud is Swiss (✅), MEGA is New Zealand-based (❌, 5 Eyes), Internxt is Spanish (14 Eyes but decentralized infrastructure complicates legal enforcement).

Common myths to discard

Myth 1: "If I'm honest, I have nothing to hide"

A fallacious argument that conflates confidentiality with illegality. Your communications with your doctor, lawyer, tax advisor are legal, but their exposure to a third party (employer, ex, insurer, foreign state actor) can concretely harm you. Privacy is not criminal opacity, it's control over the sharing perimeter.

Germany is a 14 Eyes member and the BND-Gesetz revised in 2021 authorizes the German agency to intercept traffic transiting Frankfurt and Berlin datacenters without individual warrant. GDPR protects your data against abusive commercial use, not against intelligence access. Essential distinction.

Myth 3: "With a VPN, I'm untraceable"

A VPN masks your IP from the visited site, but your cloud provider sees your uploads, volume, timing. If the cloud is not zero-knowledge (see E2E vs zero-knowledge cloud storage), it also sees content. VPN + non-zero-knowledge cloud = problem displaced, not solved.

Myth 4: "Iceland is necessarily safe because IMMI"

IMMI is a progressive legislative framework, but Iceland is a NATO member and cooperates informally with 5 Eyes through that channel. For journalist/whistleblower use, Iceland remains preferable to Sweden or France, but inferior to Switzerland in terms of institutional compartmentalization.

2026 practical strategy: jurisdiction × threat matching

Jurisdiction choice depends on your threat model:

Competitive/commercial threat (basic industrial espionage): Germany, France, Netherlands suffice — their legal framework complicates unauthorized access.
Foreign state surveillance threat (US citizen fearing NSA, French citizen fearing DGSE): Switzerland mandatory, Iceland acceptable.
Domestic state surveillance threat (activist, journalist, whistleblower vis-à-vis own state): Switzerland + zero-knowledge service + native clients + Tor access.
Post-quantum threat (long-term, encryption decryptable tomorrow): provider implementing hybrid PQC (Proton Mail does it since 2024 with Kyber-768 + X25519). Jurisdiction plays less here, cryptographic model matters more.

This matching is what the Priviy methodology systematically applies to each tested provider: we score separately jurisdiction, cryptographic model, independent audit, operational resilience. No provider maximizes all 4 dimensions — you must prioritize based on your threat.

Our 2026 verdict

For the majority of cloud privacy users in 2026, the winning combination is:

Swiss provider (Proton Drive by default, pCloud Crypto if you want lifetime)
Zero-knowledge client encryption verified by independent audit
Native desktop/mobile client rather than web app
Paper recovery key stored offline

For high-risk profiles, add:

Access via Tor or multi-hop VPN
Strict separation between public identity and protected identity
Redundant backups across two different non-14-Eyes jurisdictions

The real benefit of understanding 5/9/14 Eyes alliances is not becoming paranoid: it's knowing how to read a provider's marketing communication. When pCloud writes "swiss-based servers", it's a verifiable jurisdictional argument. When Dropbox writes "your data is secure", it's a contractual promise without jurisdictional backing. The difference is exactly what separates reliable cloud privacy from marketing cloud privacy.