For years, Switzerland was synonymous with neutrality, banking secrecy, and digital privacy. It was there that companies like Proton built their reputation with the slogan “data protected by Swiss law.” But that scenario is collapsing. The Swiss government has proposed a revision of the surveillance law, known as OSCPT, that threatens to destroy the country’s image as a safe haven for online privacy. The proposal mandates the retention of metadata for six months, forces communication services with more than five thousand users to verify people’s real identities, and introduces so-called assisted decryption — any company holding encryption keys can be compelled to collaborate with the State to decipher communications. In practice, Switzerland, which for decades was marketed as an alternative to mass surveillance regimes, is now walking in the same direction as countries that legalize digital spying.
Proton’s reaction
Proton, creator of ProtonMail and ProtonVPN, didn’t stand still. It admitted publicly that it can no longer rely on the protection of Swiss law and began migrating its infrastructure to other European countries. The first move was with its new service Lumo, now hosted on servers located in Germany and Norway. The headquarters remain in Geneva, but the strategic plan is clear: diversify to escape the direct reach of the new law.
Germany and Norway in contrast
For years, the mantra was that the European Union was hostile to privacy and Switzerland was the fortress. Today, it’s the opposite. Germany tried to impose massive data retention through Vorratsdatenspeicherung, but German and European courts blocked the measure for violating fundamental rights, killing off any generalized surveillance. Norway, though not in the European Union, is part of the European Economic Area and also attempted to impose data retention, but its Supreme Court struck it down in 2021. In these countries surveillance still exists, but it’s restricted to specific judicial orders, not in bulk. The irony: these two countries, not Switzerland, now provide stronger guarantees for privacy services.
Direct consequences
For users, the impact is immediate. Data may now fall under German and Norwegian jurisdictions, where courts still defend privacy against State abuse. Switzerland, meanwhile, is paving the way for a regime of metadata collection and mandatory identification, shattering the idea of anonymity. The image of the “Swiss digital fortress” is badly compromised.
Conclusion
The game has flipped. Switzerland is no longer a digital sanctuary. Companies that always waved the Swiss flag as marketing are fleeing before the law solidifies. Germany and Norway, backed by their constitutions and courts, have become safer options. But let’s not fool ourselves. Intelligence organizations already control everything in secret, and now it’s all just being legalized step by step. Real privacy never existed — only the illusion of privacy. What we see today is the transformation of that illusion into law, the official recognition of what intelligence services have been doing in the shadows for decades. This point was already developed in another text, where I explain how the idea of digital security and privacy was never more than a manufactured illusion: Passwords, 2FA and Hardware Security Keys- Everything Is Already Compromised and Chat Control- The Legalization of What Already Exists.
September 2025
This article is in English. Read the Portuguese version ⇒ Ler em português