Switzerland’s New Surveillance Law: A Privacy Crisis for Encrypted Services

Switzerland, long admired for its tradition of privacy, is on the brink of passing surveillance legislation more intrusive than the United States. A proposed revision of the country’s VÜPF (Ordinance on the Surveillance of Postal and Telecommunications Traffic) could dramatically reshape the landscape for anyone relying on VPNs, encrypted chat, or email providers based in Switzerland.

Why This Law Is a Game Changer

The proposed VÜPF update would require Swiss VPN and email providers with as few as 5,000 users to log IP addresses and keep that data for six months. For comparison: in Germany, such data retention is outright illegal for email providers. The law would also mandate ID verification—think driver’s license or phone number—making anonymous access to digital services nearly impossible.

But perhaps most alarming, the legislation demands that providers be able to decrypt user data on demand (with the exception of end-to-end encrypted messages exchanged between users). That means backdoors for encryption, a move privacy advocates say would undermine the very security these services promise.

What’s more, this sweeping expansion of surveillance powers is being introduced not by Switzerland’s parliament, but by executive decree—bypassing the country’s famed direct democracy. Ironically, a 2016 referendum saw the Swiss public vote for greater surveillance, but this time, the scope and technical details go far beyond what most citizens likely envisioned.

A History of Growing Surveillance

Swiss privacy laws have evolved rapidly over the past decade. In 2016, Switzerland updated its data retention law (BÜPF), forcing telecom companies to log communication data. A 2018 revision of VÜPF extended surveillance obligations, but carved out exemptions for smaller providers and those offering anonymous services—think Proton Mail or Threema.

The new proposal aims squarely at closing those loopholes. Article 50a, the most controversial clause, obliges providers to be able to decrypt any data they’ve encrypted—essentially demanding backdoor access. Even Swiss-based privacy pioneers like Proton Mail have warned that the new law would make Switzerland’s surveillance regime stricter than those in the US or EU. In response, Proton has started moving its infrastructure out of Switzerland, citing legal uncertainty and a loss of competitiveness.

The Fallout: Privacy and Innovation at Risk

The backlash from privacy advocates, legal experts, and the open source community has been swift. Critics warn that the reform constitutes a direct attack on privacy, undermining Switzerland’s reputation as a safe haven for secure digital communication. If passed, the law would force not only large providers but also small companies and open source projects to collect and potentially hand over sensitive user data.

As the Digitale Gesellschaft told Heise, “In the future, it would hardly be possible to use a chat app, for example, without directly or indirectly providing an official ID. The revision represents a frontal attack on fundamental rights, the rule of law, and the possibility of secure and protected communication.”

Legal experts also note that the law conflicts with Switzerland’s own Data Protection Act and could breach constitutional guarantees of privacy.

Why This Matters for the World

For years, Switzerland was the gold standard for privacy-respecting services. If the new VÜPF is implemented, it will erode trust in Swiss providers—while global giants like WhatsApp and Gmail, based in Silicon Valley, remain unaffected.

Switzerland’s slide toward mass surveillance should serve as a warning: even countries with strong privacy traditions can undermine digital rights through policy. For everyone concerned about privacy, encryption, and the future of secure communications, the Swiss debate is a critical one to watch.

At PixelUnion, we stand with organizations and individuals fighting to keep the internet private, secure, and free from government overreach.