📍 Introduction
In April 2025, a criminal court in Athens dismissed charges against Yegor Sak, co-founder and CEO of Windscribe VPN, in a case that had quietly become a litmus test for digital privacy rights in Greece and the EU.Similarly, in April 2023, Swedish VPN provider Mullvad faced a police raid, which further underscored the significance of no-log policies in protecting user privacy.
The decision is more than a legal win for Windscribe — it underscores the role of no-log VPN policies in preserving privacy, while exposing a gap in legal understanding of how such infrastructure operates.
The Greek Case: A Legal Misfire?
In 2022, Greek authorities began investigating an alleged cyberattack on a Greek server. The attack was traced to an IP address belonging to Windscribe’s server in Finland. Without issuing a formal Mutual Legal Assistance (MLA) request to Windscribe in Canada, the Greek cybercrime unit subpoenaed the Finnish hosting provider, discovered Sak’s name on the billing record, and initiated criminal charges against him personally.
Key facts:
- Windscribe’s strict no-logs policy meant it had no data to offer authorities.
- The company was never formally subpoenaed.
- The case proceeded against Sak personally, despite lack of evidence, user data, or corporate culpability.
After nearly two years of legal proceedings, the court dismissed all charges on April 11, 2025, ruling that no evidence linked Sak or Windscribe to any criminal conduct.
🇪🇺 The EU Framework: A Shield for No-Logs
The Court of Justice of the EU (CJEU) has repeatedly ruled that general and indiscriminate data retention violates the Charter of Fundamental Rights (see: Digital Rights Ireland, C-293/12; Tele2 Sverige, C-203/15).
Under EU law:
- VPN providers are not required to retain metadata or user logs.
- The General Data Protection Regulation (GDPR) requires data minimization — collecting only what is necessary.
- A no-logs policy is legally sound, provided it is transparently enforced and audited.
This jurisprudence strengthens the position of companies like Windscribe, which choose not to retain traffic or session logs.
🇸🇪 The Mullvad Case: A No-Log Policy Proven in Practice
On April 18, 2023, Swedish police officers from the National Operations Department (NOA) visited Mullvad’s Gothenburg office with a search warrant, intending to seize computers containing customer data. Mullvad demonstrated that, in line with their strict no-logs policy, such data did not exist. After consulting with the prosecutor, the officers left without taking anything and without any customer information.
This incident highlights the effectiveness of Mullvad’s no-logs policy and the importance of transparency in privacy practices.
🇬🇷 Greek Law: Misunderstood Tech, Misapplied Charges
Greek law does not yet regulate VPNs or define obligations specific to anonymizing networks.
Relevant legislation:
- Law 4577/2018 (transposing Directive 2013/40/EU) criminalizes unauthorized access to information systems.
- Law 4624/2019 implements GDPR principles, including data minimization.
- Greek Penal Code (Art. 386B) targets intentional participation in computer crimes, not indirect association.
In the Windscribe case:
- The absence of any retained data should have been the end of the inquiry.
- Greek criminal procedure does not support vicarious liability for lawful infrastructure providers — especially when no connection to a specific user is proven.
The attempt to prosecute Sak illustrates how technical misunderstanding and jurisdictional overreach can collide in cybercrime cases.
Implications: For VPNs, Tech, and Greek Courts
This decision should be viewed as a precedent-setting moment for:
- The legal recognition of no-log VPN practices.
- Judicial awareness of how encrypted networks function.
- The necessity of clear procedural safeguards in prosecuting cross-border cybercrimes.
For Greece, it is a wake-up call: due process and understanding of digital infrastructure must evolve in tandem with EU data law.
Conclusion
The Greek court made the right decision — eventually. But the Windscribe case revealed vulnerabilities in how traditional legal systems perceive encrypted infrastructure and digital anonymity.
As legislators, judges, and lawyers, we must embrace a nuanced understanding of VPN services and support privacy-by-design technologies that operate lawfully and transparently.
Let this be a starting point for public dialogue and legal education — not an isolated victory.
References
- Windscribe Official Statement: windscribe.com/blog/windscribe-greek-court-case
- CJEU Case C-293/12 – Digital Rights Ireland
- CJEU Case C-203/15 – Tele2 Sverige AB
- Law 4577/2018 (Gov. Gazette A’ 199/2018)
- Law 4624/2019 (Greek GDPR Implementation)
- GDPR (EU Regulation 2016/679)
How We Can Help
At Amoiridis Law Services®, we understand the complexities of the visa and permit process, and our dedicated team is here to provide guidance and support, ensuring your experience in Greece is smooth and hassle-free. For further information and personalized assistance tailored to your needs and profile, contact our legal team.
For any further information and clarifications please do not hesitate to contact our qualified legal team, ready to provide you with further personalized information tailored to your needs and your profile.
You can email us: or call/text us directly at: +306908351705 (WhatsApp/Viber)
Athens, May 2025
Follow us on 
