A Spanish commercial court has issued rulings compelling NordVPN and Proton VPN to block access to 16 websites accused of illegally streaming La Liga broadcasts, in what the football organization is calling a worldwide first. Both VPN providers say they were given no opportunity to participate in the proceedings - a claim that cuts to the heart of a much larger debate about due process, digital infrastructure, and the limits of intellectual property enforcement online. The orders, issued by Commercial Court No. 1 of Córdoba, cannot be appealed.
A Legal Maneuver Neither Provider Saw Coming
Due process is not a technicality. It is the foundational principle that no party should be bound by a judgment rendered without their knowledge or the chance to defend themselves. Both NordVPN and Proton VPN have made clear that they had no awareness of any judicial proceedings until the announcements became public.
Proton VPN was direct in its response, stating that any judicial order issued without proper notification to affected parties - and therefore denying those parties the opportunity to be heard - would be procedurally invalid under fundamental principles of due process. It further noted that Spanish courts, like all courts operating under the rule of law, are bound by procedural safeguards designed to ensure fairness before binding judgments are rendered.
NordVPN echoed the concern, confirming it had not been part of any Spanish judicial proceedings to its knowledge and therefore had no opportunity to mount a defense. The provider described the approach taken by rightsholders as unacceptable, particularly given the broader implications for how the internet functions. Without having seen the actual judgment, NordVPN said it was not in a position to comment on which specific measures had been ordered or against whom.
Why Blocking VPNs Is a Technically Flawed Strategy
Even setting aside the procedural concerns, the technical logic underlying these orders is fragile. NordVPN pointed out several structural weaknesses. The 16 websites named in the court order could simply migrate to new domains, rendering the IP blocks obsolete almost immediately. Users in Spain who want to circumvent the restrictions could subscribe to any of the dozens of other VPN providers not named in the ruling. And reputable VPN services, including both named here, operate under strict no-logging policies - meaning they do not track user locations or monitor activity, which makes targeted enforcement of this kind particularly difficult to execute in practice.
There is also significant collateral damage to consider. Proton VPN's general manager noted that La Liga had already been ordering Spanish internet service providers to block thousands of IP addresses on a near-weekly basis. Because services like Cloudflare distribute traffic across shared IP addresses, this kind of blunt blocking regularly disrupts thousands of unrelated websites, applications, and essential services - all as a result of decisions made by a private corporation rather than through any transparent regulatory process.
A Pattern Emerging Across Europe
Spain is not acting in isolation. Courts in France have issued similar orders requiring VPN providers to block unauthorized streams of major sporting broadcasts and other events. NordVPN is currently appealing one such ruling. The broader pattern suggests that rights-holding organizations across Europe are increasingly turning to the courts - sometimes in proceedings conducted without the knowledge of the named parties - as a mechanism for controlling digital access.
This creates a significant tension. VPNs exist, in large part, as tools for privacy and for bypassing censorship in environments where free expression is restricted. Governments and civil society groups around the world recommend their use for journalists, dissidents, and ordinary citizens concerned about surveillance. Compelling VPN providers to act as de facto gatekeepers for intellectual property enforcement places them in a role that conflicts directly with the core purpose of the technology - and, if normalized, could set a precedent with implications far beyond piracy.
What Compliance Would Actually Require
For a VPN provider to block specific IP addresses for users in a specific country, it would need to do something it has deliberately designed itself not to do: identify where users are located and filter their traffic accordingly. Implementing country-level IP blocking would require logging or monitoring user data in ways that directly contradict the privacy commitments these services market as foundational. Compliance with the order, in other words, is not just a legal question - it is an architectural one that would require dismantling privacy protections built into the product itself.
Whether either provider ultimately complies, mounts a legal challenge, or simply argues the order is unenforceable remains to be seen. What is already clear is that the ruling has exposed a collision between intellectual property enforcement, procedural fairness, and the technical realities of privacy infrastructure - a collision that European courts and regulators will be forced to confront more directly as these cases multiply.
