Switzerland Is Forcing Backdoors on Encrypted Email—So Proton Is Leaving

The End of Swiss Privacy

Switzerland's government is advancing a surveillance regulation that would fundamentally change the relationship between privacy technology companies and the state. The proposed update to the Ordinance on the Surveillance of Postal and Telecommunications Traffic (OSCPT) would force any email, VPN, or messaging service with more than 5,000 users to:

• Collect government issued identification from all users
• Retain subscriber data including email addresses, phone numbers, IP addresses, and device port numbers for six months
• Disable encryption when required by authorities

The most controversial element is Article 50a, which obliges providers to be able to decrypt any data they have encrypted. For services built entirely around end to end encryption, this is not a technical adjustment. It is an existential threat.

Proton's Response: Leave Switzerland

Proton, the company behind Proton Mail, Proton VPN, and Proton Drive, announced that it is relocating most of its physical infrastructure out of Switzerland. The company is investing over €100 million to build what it calls a "sovereign EuroStack" in the European Union, with facilities being developed in Norway.

Proton founder Andy Yen compared the proposed Swiss law to Russian surveillance standards. "The only country in Europe with a roughly equivalent law is Russia," Yen stated, adding that the company has "no choice but to leave" if the amendment passes.

The decision marks a dramatic reversal. Proton was founded at CERN in 2014 specifically because Switzerland's privacy protections made it the ideal location for an encrypted email service. The country's reputation as a privacy haven attracted dozens of other privacy focused companies over the past decade.

Why Encryption Backdoors Do Not Work

Security experts and cryptographers have consistently warned that encryption backdoors cannot be limited to authorized users. A backdoor built for Swiss authorities would inevitably become a target for hackers, foreign intelligence agencies, and criminal organizations.

The requirement to decrypt data on demand would also undermine the fundamental architecture of end to end encryption, where even the service provider cannot access message contents. Rebuilding these systems with backdoor capabilities would make every user less secure, not just those targeted by law enforcement.

Who This Affects

The impact extends well beyond Proton's user base. Switzerland hosts a concentration of privacy focused services that chose the country specifically for its legal protections. VPN providers, secure messaging platforms, and encrypted cloud storage services would all fall under the new rules.

Chloé Bérthélémy from European Digital Rights emphasized that mandatory identification eliminates anonymous registration, undermining protections for journalists, human rights defenders, and vulnerable communities seeking online safety.

For journalists operating in hostile environments, the ability to communicate through encrypted channels without revealing their identity is not a convenience. It is a safety requirement. The proposed law would make Switzerland based services unusable for anyone with a serious threat model.

A Global Pattern

Switzerland is not acting in isolation. Governments around the world have been pushing to weaken encryption, often citing national security and child safety concerns. The UK's Online Safety Act includes provisions that could force platforms to scan encrypted messages. Australia's Assistance and Access Act already gives authorities the power to compel companies to build interception capabilities.

What makes Switzerland's proposal notable is that it comes from a country that built an entire industry on privacy protections. If Switzerland dismantles its own privacy framework, the message to other governments is clear: even the strongest privacy reputations are negotiable.

What Happens Next

The Swiss proposal must go through a public consultation period before it can take effect. Privacy advocacy groups and technology companies are expected to push back aggressively during this process.

Meanwhile, Proton's infrastructure migration is already underway. The company's move signals to users that relying on any single jurisdiction for privacy protection is inherently risky. True privacy requires both strong encryption and a legal environment that respects it.

Regardless of where your email provider is headquartered, protecting your communications starts with tools that keep your data private by design. Email tracking pixels, which reveal when and where you read messages, remain one of the most common privacy violations in everyday communication, and one you can block today.