Switzerland’s reputation as a privacy haven for digital services is currently facing significant challenges due to a proposed overhaul of its surveillance laws.
While Switzerland is not a member of the EU and is therefore not directly subject to the EU’s Digital Services Act (DSA) or Product Liability Directive (PLD), it has its own domestic legislation governing data retention and surveillance.
The most critical update concerns the proposed revision of the Swiss Ordinance on the Surveillance of Postal and Telecommunications Traffic (VÜPF) and the Federal Act on the Surveillance of Post and Telecommunications (BÜPF).
Key Updates on Mandatory User Logging in Switzerland
The proposed revisions, which have met strong opposition from privacy groups and Swiss-based tech companies (such as Proton), aim to significantly expand surveillance obligations.
| Area of Change | Proposed New Requirement (VÜPF Revision) | Impact on Services |
|---|---|---|
| Mandatory Data Retention | Services with 5,000 or more users (including VPNs, encrypted email, and chat services) may be required to log and retain user IP addresses for six months, regardless of existing no-log policies. | Eliminates the legal basis for “no-log” claims for many Swiss providers and mandates proactive data collection for non-commercial activity. |
| Identity Verification | Services may be required to verify a user’s identity using official documents (e.g., ID, phone number) for registration. | Makes anonymous access to many Swiss digital services, including VPNs and secure email, nearly impossible. |
| Decryption Obligations | Providers may be required to be technically able to decrypt any data they encrypt on the user’s behalf upon request from authorities. | Creates a de facto requirement for backdoors or key escrow for provider-side encryption. Note: This excludes end-to-end encrypted (E2EE) messages exchanged directly between users. |
| Scope of Affected Providers | The scope is significantly broadened to target “derived service providers,” closing previous loopholes that exempted many smaller privacy-focused services (like ProtonMail). | Broadens the legal compliance burden from just large ISPs to a much wider range of online services. |