Switzerland has long been viewed as a global symbol of privacy, with its banking system and data protection standards often held up as models of confidentiality. But that reputation is now being tested. A proposed update to the country’s surveillance rules—specifically the Ordinance on the Surveillance of Postal and Telecommunications Traffic (VÜPF)—has sparked intense criticism from encrypted email providers, digital rights groups, legal scholars, and everyday users who rely on Swiss tech services for anonymity and security.
The reform, still under discussion by the Swiss Federal Council, would significantly expand the state’s ability to monitor online communications. It would impose new obligations on privacy-focused platforms like VPN providers, encrypted messaging services, and secure email companies. For Swiss-based organizations such as Proton Mail, Threema, and Tuta Mail, the proposal represents what they view as an unprecedented overreach.
A Sharp Boost in State Surveillance Powers
New Requirements Raise Concerns Among Encrypted Service Providers
The core of the debate lies in the sweeping nature of the proposed changes. Critics argue that, if implemented, the updated VÜPF would grant the Swiss government surveillance capabilities that exceed those in countries like the United States, which already has some of the strongest monitoring laws in the world.
One major provision would compel encrypted email and VPN providers with as few as 5,000 users to begin logging IP addresses and storing the data for six months. This marks a significant departure from current Swiss rules and sharply contrasts with Germany, where such data retention is illegal for email providers. Privacy advocates argue that mandatory logging undermines secure communication and could expose users to misuse or hacking.
Another controversial requirement is that many services would have to collect verified identification during user registration, such as a government-issued ID or driver’s license. This would effectively remove the possibility of anonymous signups—a core reason many people choose Swiss-based privacy tools in the first place.
Possibly the most contentious element is the expectation that providers must furnish data in plain text when requested by authorities. In practice, this means companies must maintain the technical ability to decrypt user information on demand, even if they market themselves as offering encrypted services. Although the rules would not apply to end-to-end encrypted messages exchanged directly between users, privacy advocates argue that the distinction is too narrow to protect overall security.
A Legislative Shortcut Raises Democratic Concerns
Critics Question Why Parliament Is Being Bypassed
Another factor drawing concern is the way the reform is being pushed forward. Instead of going through Parliament for public debate, the changes are being advanced administratively by the Federal Council and the Federal Department of Justice and Police. This move is unusual in a country known for its participatory political culture and frequent referendums.
Many observers recall that in 2016, Swiss voters approved broader surveillance rules as part of an update to the data retention law known as BÜPF. That law laid the foundation for expanded monitoring of postal, phone, internet, and email data. But critics emphasize that the current VÜPF update goes far beyond what voters directly approved.
The 2018 version of the VÜPF had already increased obligations for telecom operators but allowed exemptions for smaller providers such as Proton Mail and Threema, as these services weren’t classified as traditional telecommunications operators. The new proposal appears intended to close those gaps. In doing so, it directly targets privacy-centric companies and even small open-source projects operating out of Switzerland.
Encryption Backdoors Could Hurt Switzerland’s Digital Economy
Tech Companies Warn of Reputational and Financial Harm
A critical flashpoint is Article 50a of the proposed update, which would require providers to remove “encryption provided by them or on their behalf.” Privacy experts interpret this language as a demand for backdoor access—something widely condemned in the cybersecurity community.
Tech companies argue that forcing providers to decrypt user data weakens digital safety and makes systems more vulnerable to exploitation. Such requirements could push users to abandon Swiss services for companies based in jurisdictions with stronger privacy protections.
Proton Mail has already begun moving much of its physical infrastructure to EU data centers, citing concerns about the Swiss government’s push toward surveillance measures that would not be permitted under European Union rules. The company has stressed that legal uncertainty alone is enough to threaten Switzerland’s status as a hub for secure digital services.
Digital rights organizations, legal experts, and civil liberties advocates have raised alarms about the broader implications of the update. They warn that requiring official identification for basic communication tools erodes the right to privacy embedded in Swiss law. They also note that the proposal conflicts with principles in the country’s Data Protection Act, including requirements for data minimization.
Advocacy groups argue that the burdens placed on small companies and volunteer-run open-source projects could be severe. Meanwhile, major international platforms such as WhatsApp and Gmail—companies not subject to Swiss law—would be unaffected. This imbalance, critics say, would weaken Switzerland’s digital economy without meaningfully improving surveillance effectiveness.




