This mailbox.org article (GER) sums up planned, but not yet passed, changes in the Swiss surveillance regulations. In short: in future services might need to store metadata (IP, locations, …) and provide them to authorities in almost real time. In my understanding, this affects all digital products like Threema messenger or Proton Mail, VPN, …
The blog article is written by mailbox.org and thus obviously contains ads for mailbox.org. It might still affect people in choosing the proper services for them.
DeepL translation:
The Swiss government wants to tighten up the surveillance law. With the revision of the Federal Act on the Surveillance of Postal and Telecommunications Traffic (BÜPF), potentially far-reaching changes are imminent that could affect the data protection of millions of users. The supposed safe haven for digital privacy is crumbling: In the future, Swiss email providers with more than 5,000 users could already have to provide metadata to authorities in real time. This would particularly affect those Swiss services that have previously advertised strict data protection.
The BÜPF and the planned revision: the major digital overhaul
Since 2002, the Swiss Surveillance Act has regulated the circumstances under which authorities may access communications data. However, the partial revision of the associated ordinances (VÜPF and VD-ÜPF) now being sought by the Federal Council goes far beyond a mere update. While the official bodies present the changes as a necessary adaptation to 5G technology, the draft contains measures that would significantly increase the level of state surveillance.
Digital x-ray vision: This is how deep the new surveillance would go
The planned changes to the BÜPF would encroach deeply on digital privacy and would also affect users of Swiss email services. It is crucial for users to understand what the authorities will be able to see in future and what they will not.
In future, surveillance would include significantly more metadata, including IP addresses, recipient data and location information - data that is just as sensitive as content, as it can reveal movement and relationship profiles. This would give authorities systematic access to information about who is communicating with whom, when this is happening and from which location. This metadata would be recorded in real time and transmitted to the authorities. Swiss email services, which do not currently store IP addresses by default, would no longer be able to follow this data protection-friendly practice in future. Last but not least, the processing times for requests are to be shortened - from one working day to six hours for large providers and from two working days to one for smaller services.
End-to-end encryption using PGP will remain untouched, i.e. Swiss providers will still not have to decrypt encrypted content. This means that anyone who consistently encrypts their emails with PGP will continue to protect the content of their communication even after the potential change in the law.
What happens after the end of the consultation period?
The deadline for the consultation - a Swiss consultation process in which cantons, parties, associations and affected organizations were able to comment on the draft - expired on 6 May 2025. According to reports, this consultation was widely rejected. The comments received are now being evaluated by the Federal Department of Justice and Police (FDJP) and the draft will be revised if necessary. This process may take several months.
The Federal Council will decide on the final version in fall 2025 at the earliest. If adopted, the new regulations could come into force from 2026, although massive opposition from companies and data protection organizations could delay the process or lead to substantial changes.
The great exodus has begun
In response to the impending regulations, leading providers have already started to relocate their servers abroad - primarily to Germany and Scandinavian countries. Some companies are even considering moving their headquarters out of Switzerland completely. This development shows how seriously the industry is taking the planned changes. Leading industry representatives are particularly critical of the fact that the planned measures would go far beyond the regulations in Germany and the EU.
Data protection in international comparison
While Switzerland has long been known for its high standards in terms of digital privacy, Germany now offers significantly stronger protection in some areas. For example, Switzerland has already allowed comprehensive, suspicion-independent data retention for six months since 1997, which would be extended even further with the planned revision of the BÜPF through continuous real-time monitoring. In Germany, on the other hand, the Federal Constitutional Court has repeatedly declared such nationwide data retention to be unconstitutional. Here, surveillance measures generally require a court order and concrete suspicion - basic principles that could potentially be weakened by the Swiss law revision.
Checklist: What users should check now
If you currently use a Swiss email service, you should check the following aspects in light of the possible changes to the law:
- Encryption level of your emails: is only transport encryption enabled, or do you use end-to-end encryption such as PGP?
- Metadata protection: What metadata does your provider store and how will it deal with the possible real-time monitoring obligation?
- Server locations: Has your provider already moved servers overseas? If so, what law applies to your data stored there?
- Future plans of the provider: Are there any official statements on possible relocations or adjustments to the data protection guidelines?
- Check alternatives: Consider switching to a German provider such as mailbox.org, which is protected by strict constitutional court rulings and the GDPR.
Outlook: The price of security
The planned revision of the Swiss Surveillance Act marks a turning point. What was once considered a data protection paradise is increasingly developing into a surveillance state that is readjusting the balance between security and privacy - and, in the view of many experts, overshooting the mark. The threatened migration of email providers is a wake-up call - not just for Switzerland, but for everyone who values basic digital rights. The debate shows once again that data protection is not a matter of course, but a fragile asset that requires constant vigilance.
Translated with DeepL.com (free version)
The law did not pass. All the parties from left to right were like: f* that shit idea. So nothing changes. And if it were to change I’m sure most parties would start an initiative and stop it.
Added info about the changes being planned, but not yet passed. Original article says there are still chances for it to come, and I cannot verify that info right now.
*The Federal Council’s plans to reform the monitoring of postal and telecommunications traffic have been rejected in the consultation process: All the major parties that have expressed an opinion on the matter reject the plan.
In their statements, the Greens, SP, Green Liberals, FDP and SVP speak of endangered data protection, a threat to Switzerland as a location for innovation, disproportionate interference by the state and unclear effects of the planned changes to the ordinance.
The Green Liberals and the FDP also see the planned changes as contradictory to current law. The Center Party declined to comment. Organizations such as the Swiss Digital Society and companies such as the Swiss messenger service Threema have also criticized the plans.
The Federal Council sent the partial revisions of two implementing decrees out for consultation at the end of January. This ended on Tuesday. According to the Federal Council, this involves a “clear definition of the categories of cooperation obligations” for providers of communication services, for example in the case of surveillance authorized by the authorities as part of criminal proceedings.
This primarily affects traditional telecommunications services such as Swisscom, Sunrise and Salt, but also service providers that provide communication services without their own infrastructure, such as messaging, VoIP, VPN, cloud or email services such as Whatsapp, Threema, Protonmail or Skype.
With the revision, the latter are to be divided into three new groups with different obligations, depending on the number of users and turnover. According to the federal government, this is intended to achieve a “more balanced gradation of obligations”.
Confederation plans to introduce new types of information and monitoring
According to the Greens, companies that provide a service for 5,000 users would now have to be able to identify the latter by storing their IP address. Companies with more than one million users would be obliged to store marginal data such as the geolocation of customers for six months.
This “vastly expanded data retention” would make it impossible to operate secure messenger or email services and would be a “massive intrusion” into privacy. For the SVP, the new definition of obligations “obviously has the potential” to burden a number of SMEs instead of relieving them.
The federal government also plans to introduce new types of information and surveillance. It writes that the two revisions to the ordinances basically provide for the obligation to remove encryption. However, end-to-end encryption such as messenger services are exempt from this.
On Swiss television’s “Tagesschau” program, Jean-Louis Biberstein, deputy head of the Federal Postal and Telecommunications Surveillance Service, recently said that the requirements for service providers would not be tightened. They would be clarified.
After the revision, a company like Threema would have the same obligations as before. Threema contradicts this in a statement sent to various media at the end of April. The revision of the VÜPF would force the company to abandon the principle of “collecting only as little data as technically necessary”.
The Swiss internet service provider Proton also wrote to the news agency Keystone-SDA on request that the Federal Council’s proposals would “massively expand” state surveillance. In its statement, the association “Digitale Gesellschaft Schweiz” speaks of a “serious attack on fundamental rights, SMEs and the rule of law”.
Translated with DeepL.com (free version)*
That’s the translation from the article.
Has Proton written anything about how they are planning to address these proposed changes? I can’t seem to find anything on their blog about it.
Edit: apparently the law didn't pass, see the comment from kennystillalive https://feddit.org/comment/6607226