Europe's highest court has handed VPN users and providers a rare, resounding win. In a judgment delivered on July 9, 2026, the Court of Justice of the European Union ruled that a publisher using state-of-the-art geo-blocking does not infringe copyright even when determined users bypass the block with a VPN - and that VPN providers themselves are not liable for what their users do. The decision, rooted in a dispute over Anne Frank's manuscripts, undercuts one of the favorite arguments used to paint VPNs as piracy tools.
The Anne Frank case behind the ruling
The dispute (Case C-788/24) grew out of a quirk of EU copyright law. Parts of Anne Frank's original manuscripts remain protected in the Netherlands until 2037, while the same texts entered the public domain in Belgium and many other member states years ago.
When the Anne Frank Stichting and its academic partners published a scholarly edition of the manuscripts online - geo-blocked so that Dutch visitors could not access it - the Swiss-based Anne Frank Fonds sued. Its core argument: because Dutch users could defeat the geo-block with a VPN, the publication amounted to a "communication to the public" in the Netherlands, where the texts are still protected.
What the court decided
The CJEU rejected that logic. A geo-blocking system that reflects the state of the art is legally effective, the court held, even though no technical measure is perfect. In the judgment's words, the possibility of circumvention through "a VPN or similar service" cannot "in itself and in all circumstances, be a decisive factor in finding those measures to be inadequate and, therefore, ineffective."
In practical terms: a publisher that puts up a serious, modern geo-fence has done its legal duty. The existence of VPNs does not turn a lawful publication in one country into an infringement in another.
VPN providers are neutral intermediaries
The court went a step further and addressed VPN services directly. A VPN provider, it held, "does not give end users access to a protected work" and plays no "indispensable role" in unauthorized distribution - it is a neutral intermediary, not a co-infringer. Users who hop borders act on their own responsibility.
That reasoning echoes what national courts have started to say as well. Earlier this year, a Spanish court threw out LaLiga's attempt to fine NordVPN for its users' behavior - and the CJEU has now anchored the same principle at the top of the EU legal order.
A counterweight to the pressure on VPNs
The ruling lands in a climate where VPNs are under growing legal pressure across Europe. France has forced providers into the role of content police, as we covered when French courts ordered ProtonVPN to block piracy sites. Denmark has gone even further, proposing criminal penalties for using a VPN to dodge geo-restrictions.
Against that backdrop, the Luxembourg judgment is a structural counterweight: it tells rightsholders that the mere existence of VPNs is not a legal weapon, and it tells member states that VPN services are intermediaries, not accomplices.
What happens next
The case now returns to the Dutch Supreme Court, which must decide whether the Stichting's actual geo-blocking implementation meets the "state of the art" threshold the CJEU has defined. If it does, the Fonds' claims fail; if not, the infringement case can still proceed. Luxembourg supplied the legal test - applying it to the facts is now a Dutch task.
For everyday VPN users, the significance is broader than copyright. The judgment treats a VPN as what it technically is: an encryption and routing tool that protects a connection and masks a location, used overwhelmingly for privacy and security. When the EU's top court explicitly refuses to treat that tool as an instrument of infringement, it strengthens the legal ground under everyone who relies on one.