Switzerland, a country long marketed as a global haven for privacy and secure digital services, is advancing a surveillance law update that would require VPN providers, encrypted email services, and messaging apps to collect government-issued identification from users, log IP addresses for six months, and decrypt user data on demand.
🇨🇭Switzerland built its whole reputation on privacy. Now it's proposing a surveillance law that would force VPNs, email, and messaging providers to collect your ID, log your data for six months, and decrypt it on demand.
— MoneroWire (@MoneroWireHQ) June 2, 2026
Proton says it's worse than the US. pic.twitter.com/Y2Ji29LlXq
Don't use X? View this post on Xcancel
The proposed changes target the country's Ordinance on the Surveillance of Postal and Telecommunications Traffic, known by its German abbreviation VÜPF. The update is being pushed through by the Federal Council and the Federal Department of Justice and Police as an ordinance amendment rather than a full parliamentary law, meaning it could pass without a standard legislative debate or a public referendum.
Privacy advocates and affected companies have raised alarms about both the content of the proposal and the way it is being advanced, arguing it bypasses Switzerland's tradition of direct democracy.
What the Proposed Law Would Require
Under the proposed update, any email, VPN, or messaging service operating in Switzerland with more than 5,000 users would be required to comply with a sweeping set of new obligations.
Providers would be forced to collect government-issued identification from all users during registration, including passports, driver's licenses, or phone numbers, effectively ending the ability to use these services anonymously. Subscriber data including email addresses, phone numbers, IP addresses, and device port numbers would need to be retained for six months and made available to authorities on request.
The most controversial element of the draft is Article 50a, which would oblige providers to be able to decrypt any data they have encrypted and hand it over in plain text when requested. Critics argue this amounts to a mandatory backdoor into encrypted services, a technical and legal line that major privacy companies say they are not willing to cross.
Proton Calls It Worse Than the United States
Proton, the Geneva-based company behind Proton Mail and Proton VPN, has been one of the loudest voices opposing the legislation. CEO Andy Yen described the proposed amendment as a major violation of privacy rights and warned it would damage Switzerland's reputation as a technology hub.
"This revision attempts to implement something that has been deemed illegal in the EU and the United States. The only country in Europe with a roughly equivalent law is Russia." Andy Yen, Proton CEO
Yen also stated that if the law passes in its current form, Proton would have no choice but to leave Switzerland, adding that compliance would make the company less private than Google operating out of the United States, an outcome he described as impossible for Proton's business model.
According to reporting summarized by Tuta Mail, Proton told Swiss newspaper Der Bund that the proposed rules would make Swiss surveillance significantly stricter than what is currently required in the US or the EU, and that Switzerland would lose its competitiveness as a base for privacy technology companies.
Proton has reportedly already begun moving portions of its physical infrastructure out of Switzerland to Germany and Norway, citing legal uncertainty created by the proposed changes.
Other Swiss Privacy Companies Push Back
Proton is not the only company raising objections. Threema, the Swiss-based encrypted messaging app, and NymVPN have both publicly committed to fighting the legislation and warned they would consider relocating if the law passes.
NymVPN co-founder and COO Alexis Roussel argued that forcing service providers to identify all users would not improve security, it would undermine it by creating large centralized databases of user identity information that become targets for data breaches and cyberattacks.
"Less anonymity online is not going to make things better. Enforcing identification of all these small services will eventually push to leaks, more data theft, and more attacks on people." Alexis Roussel, NymVPN COO
Tuta Mail, a German encrypted email provider, also published a detailed criticism of the Swiss proposal, noting that the data retention requirements would go further than what German law allows, and that Germany has specifically made such retention illegal for email providers.
Bypassing Direct Democracy
Privacy advocates have also raised concerns about how the legislation is being advanced. Because the Swiss government is implementing it as an ordinance update rather than a parliamentary law, it does not automatically trigger Switzerland's referendum system, meaning Swiss citizens would not normally have the right to vote on it directly.
NymVPN's Roussel said the Federal Council had deliberately chosen a path that avoids a referendum in order to push through its demands, describing it as an approach that "profoundly alters the spirit of the law."
Swiss Government's Stated Justification
The Swiss government has defended the proposal as a necessary response to growing threats including cyberattacks, organized crime, and terrorism. Officials argue the current surveillance framework has gaps because it did not originally account for the rise of VPNs, encrypted messaging apps, and other privacy-focused services.
Swiss official Jean-Louis Biberstein stated the regulation includes safeguards designed to prevent mass surveillance, framing the initiative as a targeted tool for law enforcement rather than a broad monitoring program. A public consultation process was opened to allow stakeholders to submit input before any final decision.
Supporters of the law argue that metadata, information such as IP addresses, timestamps, and connection records, is sufficient for legitimate law enforcement purposes and that content encryption between users would still be protected.
What It Means for Users of Swiss-Based Services
If the law passes in its current form, users who rely on Switzerland-based services specifically because of the country's privacy reputation would face a significantly different threat model. Services that currently operate under strict no-log policies would be legally required to retain identifying data, and the anonymous use of VPNs or private email services would effectively become impossible under Swiss jurisdiction.
Providers like Proton, Threema, NymVPN, and PrivadoVPN would face a difficult choice: either weaken their core privacy guarantees to comply with Swiss law, or relocate their legal entities and infrastructure to jurisdictions with stronger protections.
Status of the Proposal
The public consultation phase closed in May 2025, with significant pushback submitted by privacy companies, civil society groups, and political parties. As of mid-2026, the Swiss Federal Council has not yet finalized the ordinance, and the outcome remains uncertain.
The situation continues to be closely watched by the global privacy community as a test case for whether governments can use administrative procedures to impose surveillance obligations on encrypted services that were specifically designed to resist them.
Sources
- Tuta Mail analysis of the VÜPF update: Tuta Mail
- Proton CEO interview and threat to leave Switzerland: TechRadar
- Impact on Swiss VPN providers: DoVPN
- NymVPN opposition and democratic concerns: NymVPN
This article was written by DigitalEscapeTools based on publicly available company statements, official government documents, and reporting available at the time of publication.
