Your VPN Is Not an Invisibility Cloak: The Labor Law Grey Zone of Remote Work

April 30, 2026

A laptop and a world map on a café table

AI Generated - Editorial Use

Digital nomads assume a VPN hides their work location, but tax authorities and labor regulators worldwide have long moved past that assumption. Germany's 2024 ruling imposed a €420,000 permanent establishment tax, while Spain's Proyecto Nomada clawed back €20 million. This article dissects PE risk, employer co-liability, social insurance gaps, and digital footprint tracking technologies, offering practical compliance strategies for remote workers and their employers.

There is a belief circulating through digital nomad communities with the persistence of urban legend: "Keep your VPN connected to your employer's country, and legally, you're working there." It gets repeated on Reddit threads, in coworking space happy hours, and across Slack groups for remote workers as though it were a proven compliance strategy.

It has never been one.

A VPN encrypts network traffic and swaps the user's IP address for one belonging to the VPN server's location. What it does not—and cannot—alter is the physical coordinates of the person using it. Labor law, tax law, and social security law have never cared which node a data packet exits from. They care about which country the worker is sitting in. A software engineer writing code for a San Francisco startup from a coworking space in Bangkok is working in Thailand, regardless of whether the VPN endpoint is in Silicon Valley, Tokyo, or Reykjavik. That is the only fact that matters to the law.

The reason this issue deserves serious attention is not moral. It is about the scale of consequences. An employee might receive an unexpected tax assessment from a country they never filed in. An employer might face a corporate income tax bill from a jurisdiction where they have never registered a single entity. And this grey zone is narrowing fast—governments around the world have started to act.

What follows is the legal reality that a technical illusion has been obscuring.

The Limits of What a VPN Can Do

Start with the technical facts. A VPN (Virtual Private Network) performs two core functions: encrypting the network connection and replacing the user's IP address with one from the VPN server's location. This allows someone sitting in a Chiang Mai café to make their traffic appear as if it originates in New York, bypassing streaming geo-restrictions or securing sensitive communications on public Wi-Fi.

These are legitimate uses. They are also the full extent of what a VPN was designed to do.

The problem emerges when people extrapolate from "a VPN can change the geographic tag on an IP address" to "a VPN can change one's legal location." This leap fails on technical grounds and collapses entirely under legal scrutiny.

Tax residency follows the person, not the packet. The vast majority of the world's tax systems determine tax residency based on physical presence—specifically, days spent within a country's borders. The OECD Model Tax Convention sets the threshold at 183 days: exceed that in a single tax year, and the country gains the right to tax global income. Whether an IP address appears to originate from the Arctic or the equator carries zero weight in any tax authority's assessment.

Labor law applies where work physically occurs. When a person performs work within a country's borders, that country's minimum wage rules, overtime regulations, paid leave entitlements, and dismissal protections may all automatically come into effect. The trigger is not where the contract was signed or where the company is headquartered. It is where the keyboard is being pressed.

An employer's compliance obligations are not waived by ignorance. Across the entire spectrum of cross-border remote work risks, this is the point most frequently underestimated and most severe in its consequences.

Permanent Establishment: A Tax Bill from a Country You've Never Registered In

International tax law contains a concept that keeps cross-border corporate legal teams awake at night: Permanent Establishment (PE).

The logic is disarmingly straightforward. If a company's employee works in a given country on a sustained basis, the tax authority of that country may determine that the company has established a PE there—even if the company has no office, no registration, and no knowledge that its employee is physically present in that jurisdiction. The consequence: corporate income tax liability.

The case law is accumulating rapidly.

In 2024, Germany's Federal Fiscal Court (Bundesfinanzhof) issued a landmark ruling. A developer employed by a UK software company had been working remotely from Berlin for over 12 months. The court ruled that the company had a permanent establishment in Germany. The combined corporate income tax and late-payment penalties totaled approximately €420,000. The company argued that the employee had chosen to work from Berlin independently and that no such arrangement had been requested or approved. The court rejected this defense, noting that the company "knew or should have known" the employee's work location, and that the employee's output formed part of the company's core business activity.

In 2025, the French tax authority (Direction générale des finances publiques) reached a similar conclusion regarding a US marketing firm. Three of its employees had been working remotely from Paris, Lyon, and Nice, accumulating over 500 combined work days in France. The authority determined that a permanent establishment existed and assessed corporate income tax and VAT totaling approximately €380,000.

The message these cases send is unambiguous: wherever an employee opens a laptop, they may be creating a tax liability for their employer. A VPN changes the routing path of data packets. It does not change the boundaries of tax jurisdiction.

Social Insurance: The Hidden Bill in Cross-Border Employment

Permanent establishment risk primarily hits the employer. Social insurance obligations hit both sides—employer and employee alike.

Most European countries explicitly require employers to pay social insurance contributions for employees who physically perform work within their borders, regardless of whether the employer is registered in the country. A US tech company with an employee actually working in France faces potential claims from French social security authorities for French social insurance contributions, even if the company has never had so much as a mailing address in France.

A 2025 case put concrete numbers to this abstract risk. The Dutch Social Insurance Bank (SVB) issued a collection notice to an Irish tech company, demanding back payment of social insurance contributions for two employees who had been working remotely from Amsterdam for over a year. The amount: approximately €18,000 per employee per year. The Irish company had been entirely unaware of this obligation until the notice arrived.

Within the EU, cross-border social insurance is governed by the EU Social Security Coordination Regulation (EC 883/2004). Its core principle: workers are covered by the social security system of the country where they work, provided at least 25% of their work occurs in their country of residence. This framework was designed to prevent double contributions, but it begins to break down when applied to digital nomads who change countries every few months and lack a fixed place of residence.

Outside the EU, the situation grows murkier. Bilateral social security agreements have limited coverage, and many country pairs have no agreement at all. A German citizen working remotely from Thailand could theoretically be liable for social insurance in both countries, with no treaty mechanism to resolve the overlap.

Governments Are Already Moving

None of this is hypothetical. Multiple countries have moved from theoretical enforcement to systematic action.

Portugal: auditing digital nomad visa holders. In 2024, Portuguese tax authorities launched a cross-referencing audit of digital nomad visa holders. The findings were striking: over 60% of foreign nationals holding nomad visas had never filed a single income declaration in Portugal. Hundreds of supplementary tax assessments followed, demanding payment at the Non-Habitual Resident (NHR) rate of 20%. That rate is far below Portugal's top marginal rate of 48%, but for nomads who believed they owed nothing, the bills still came as a shock.

Spain: a dedicated program targeting undeclared remote workers. In 2025, Spain's tax authority (Agencia Tributaria) launched "Proyecto Nomada," a targeted enforcement initiative aimed at foreign remote workers who were physically residing in Spain and using public services without filing local tax returns. Tracking methods included social media geotags, coworking space membership records, and bank account transaction locations. By the end of 2025, over 1,200 supplementary tax notices had been issued, with total recoveries exceeding €20 million.

Australia: the tax office explicitly debunks VPN compliance. In 2025, the Australian Taxation Office (ATO) updated its tax guidance with unusually direct language: "The country whose IP address you use to connect to the internet is irrelevant to your tax residency status. The ATO uses multiple methods to determine your actual place of residence, including but not limited to bank transactions, rental agreements, flight records, and social media activity." The statement reads as though it was written specifically to address the VPN compliance myth.

Thailand: the legal framework is in place; enforcement is a matter of timing. Since 2024, Thailand has imposed income tax on foreign-sourced income remitted into the country for foreign nationals who stay more than 180 days. Enforcement remains relatively relaxed for now, but the legal architecture is fully operational. Nomads who remain in Thailand on tourist visas while performing remote work now face a tax mechanism that can be activated at any time.

Indonesia: Bali tightens tax oversight on nomads. In late 2024, Bali introduced a digital nomad visa variant (B211A category) that requires holders to pay local income tax. By mid-2025, Indonesia's tax directorate began collaborating with immigration authorities to cross-reference visa records against tax filings, actively pursuing foreign remote workers on tourist visas who had never declared income.

These cases share a structural characteristic: no country identified nomads through their VPN usage records. They relied on financial transaction data, visa entry-exit records, property lease agreements, and social media location footprints—information that is already highly digitized and easily cross-referenced. The single layer of IP address concealment that a VPN provides is virtually no barrier against these tracking methods.

The trend is clear: tax enforcement against digital nomads has shifted from "theoretically possible" to "systematically implemented."

EOR Platforms: How Much Protection Does the Umbrella Actually Provide?

Faced with the legal labyrinth of cross-border employment, Employer of Record (EOR) platforms have become the default solution for many companies and remote workers. Deel, Remote, Oyster, and Papaya Global are names that have become nearly synonymous with "compliance" in nomad communities.

An EOR operates by establishing local legal entities in target countries, hiring workers as the nominal employer, and handling payroll, tax withholding, and social insurance contributions. The worker still performs tasks for the original company but is legally employed by the EOR's local entity.

The model works well under certain conditions. But its coverage is narrower than most users assume.

Country coverage has gaps. An EOR's compliance capability depends on having legal entities in each country. Major platforms cover roughly 100 to 150 jurisdictions—not all of them. A remote worker who is compliantly employed through Deel in Portugal and then relocates to Croatia, where Deel has no local entity, sees their compliance status break immediately.

Personal tax obligations are out of scope. EOR platforms handle employment-side taxes—payroll tax, social insurance—but an individual who qualifies as a tax resident in a given country may have separate obligations to report global income, including investment returns, rental income, and cryptocurrency gains. EOR services do not touch these.

Frequent moves trigger steep switching costs. Each time a worker changes countries, the EOR typically needs to conduct a new compliance assessment and transition to a different local entity, at a cost of $2,000 to $5,000 per switch, with timelines stretching from weeks to months. For someone who changes countries every quarter, this becomes not just an administrative burden but a significant financial one.

Some countries do not recognize the EOR legal framework at all. In 2025, a Brazilian labor court ruled that the relationship between an EOR platform and a foreign employee it had "hired" did not constitute genuine employment. The court found that all work instructions, performance evaluations, and daily management came from the actual employer—a US software company—while the EOR served as nothing more than a pass-through entity. The arrangement was classified as "fraudulent employment" (fraude trabalhista), and the actual employer was ordered to assume full labor law obligations.

EOR platforms genuinely serve their purpose for remote workers who remain in one or two countries over extended periods. But for high-frequency movers who change time zones every three months, the protection on offer may be considerably thinner than expected.

"Just Switch to Contractor Status": A Shortcut Full of Landmines

Converting an employment relationship to an independent contractor arrangement is another widely circulated compliance shortcut in nomad circles. The reasoning sounds clean: if the worker is a contractor rather than an employee, the employer avoids permanent establishment risk and foreign social insurance obligations.

The path looks open. In practice, it is lined with landmines on both sides.

Globally, enforcement against misclassification—labeling employees as independent contractors to avoid employer obligations—is escalating rapidly. The core legal test is intuitive: if a person has fixed working hours, uses company-provided tools, and takes direction from a specific manager, they are an employee in the eyes of the law, regardless of what the contract says on its cover page.

In 2024, the EU passed the Platform Workers Directive, establishing a legal presumption that platform workers are employees unless the hiring entity can prove otherwise. The directive primarily targets gig economy platforms like Uber and Deliveroo, but its legal reasoning applies directly to contractor arrangements in remote work contexts.

Spain has gone further. The "Rider Law" (Ley Rider), passed in 2023, saw its presumption logic extended by the Labor Inspectorate in 2025 to non-platform settings, with investigations targeting foreign companies using contractor agreements to circumvent employment obligations. In the United States, California's AB5 law (effective 2020) applies a strict ABC test that has reclassified large numbers of previously independent contractors as employees. New York and Illinois introduced similar legislation in 2025.

Independent contractor status is legitimate and appropriate in specific circumstances: workers who control their own schedules, use their own equipment, serve multiple clients simultaneously, and bear genuine business risk. But when the actual working relationship looks like employment in every dimension, a contract header reading "Independent Contractor" will not override what the law observes in practice.

How Large Can the Bill Get?

When things go wrong, the costs are worth laying out in full.

For employees, the most immediate impact is tax recovery. Being classified as a tax resident in a country where no returns were ever filed results in back taxes, late fees, and penalties. In most European jurisdictions, penalties for tax fraud can reach 200% of the unpaid amount, with severe cases carrying criminal liability.

For employers, the exposure is broader. A permanent establishment determination can trigger years of retroactive corporate income tax. Social insurance violations generate steep fines and back-payment demands. Labor law non-compliance can result in employment contracts being voided by courts, setting off a cascade of downstream legal liabilities.

A 2025 case illustrates the scale: a mid-sized US SaaS company had 12 employees working remotely across 8 European countries. Germany, France, and the Netherlands initiated investigations almost simultaneously. The combined tax, social insurance, and penalty claims across the three countries exceeded €2 million. The company ultimately settled, but the process took over 18 months, and legal and compliance consulting fees consumed an additional €500,000.

For smaller companies or individual workers, a financial hit of this magnitude can be existential. Even when the final settlement remains manageable, the time, energy, and reputational damage consumed by the process alone can be enough to cripple an otherwise healthy business.

These risks are not confined to Europe. As tax authorities worldwide improve their digital auditing capabilities and cross-border information exchange mechanisms mature, enforcement cases in Asia, Latin America, and the Middle East are increasing year over year. The legal compliance risk facing remote workers is a global structural issue.

No Perfect Solution, but Smarter Paths Exist

An honest acknowledgment first: in 2026, this problem has no perfect answer.

International tax and labor law were built on the foundational assumption that people live and work in fixed locations. Digital nomadism has broken that assumption, but the legal system's update cycle runs far slower than changes in how people choose to live and work. The result is a landscape of contradictory rules and inconsistent enforcement standards.

Here are the currently viable paths forward, each carrying its own trade-offs.

Path one: establish a home base and comply fully. Obtain tax residency in one country, pay local taxes and social insurance, and conduct cross-border movement within the legal framework of "business travel." This is the most conservative and most defensible approach. The cost is sacrificing most of the geographic flexibility that defines nomadic life.

Path two: use an EOR to cover primary locations. If the movement pattern is predictable—say, rotating among three or four countries each year—establishing compliant employment through an EOR in those countries is a viable option. The trade-off is administrative complexity and the cost of each country switch.

Path three: operate as a genuinely independent contractor. This requires that the work arrangement authentically meets the legal definition of contracting: control over working hours, use of personal equipment, multiple concurrent clients, and assumption of business risk. Both the contract language and the actual working relationship must support this classification. Personal tax filing obligations in the country of tax residence still apply.

Path four: leverage digital nomad visas. As of 2026, more than 50 countries and territories offer visa programs specifically designed for remote workers, typically providing one to two years of residence permission with varying degrees of tax incentive. The limitation is that each program has its own qualifying conditions, and a single-country visa solves compliance for only that country—it does little to address the complexity of multi-country movement.

No single path covers every scenario. But the most dangerous strategy of all is pretending these issues do not exist and placing one's trust in a VPN application.

Four Forces Reshaping the Playing Field

Some might argue that actual enforcement cases remain relatively rare. In statistical terms, this is currently true. But four forces are rapidly shifting that equation.

First, cross-border financial information exchange has reached maturity. The OECD's Common Reporting Standard (CRS) has enabled automatic exchange of financial account information across more than 100 countries and territories. A bank account opened in Portugal by a nomad may already have its balance and transaction history sitting quietly in the tax authority database of the nomad's home country.

Second, digital footprints are nearly impossible to erase completely. Instagram geotags, coworking space membership swipes, credit card transaction GPS coordinates, flight booking records, even LinkedIn location updates. Spain's "Proyecto Nomada" has already demonstrated how tax authorities can assemble these scattered digital fragments into a precise map of an individual's movements.

Third, government fiscal pressure continues to mount. Post-pandemic public debt sits at historic highs, and identifying new revenue sources is a priority on every finance minister's desk. A population of high-income foreign workers who consume local services and infrastructure without contributing any tax revenue is among the most visible and easiest targets.

Fourth, the nomad population has grown too large to ignore. When a few thousand people live and work this way, governments have no economic incentive to invest administrative resources in tracking them down. When the number reaches millions, it becomes a systemic tax base erosion problem that every country's finance ministry must address head-on.

The Risk Is on the Table

This article is not intended to discourage anyone from pursuing the freedom that remote work offers. Nor does it constitute legal advice—individual tax planning and labor law decisions should involve qualified lawyers and tax advisors with cross-border expertise.

What it aims to dismantle is a dangerous illusion spreading through nomad communities: that a technical tool can substitute for legal compliance.

A VPN is an excellent privacy tool. It is not a legal invisibility cloak. The geographic freedom that digital nomadism provides is real and worth pursuing. But sustaining that freedom requires not technical evasion, but a clear-eyed understanding of the legal landscape and deliberate, calculated choices within the grey zones.

Every person who opens a laptop to work in a foreign country simultaneously creates a specific set of legal obligations. Those obligations do not disappear when ignored. They surface at the least convenient moment.

The risk is on the table. How to respond is each person's own judgment call.
