
Proton has officially confirmed to CyberInsider that it is gradually relocating much of its physical infrastructure out of Switzerland, citing “legal uncertainty” created by the Swiss government’s proposed mass surveillance ordinance.
The move, which had been hinted at in last month’s launch announcement for Proton’s new service Lumo, marks a significant shift for one of the country’s best-known privacy tech companies.
“Because of legal uncertainty around Swiss government proposals to introduce mass surveillance — proposals that have been outlawed in the EU — Proton is moving most of its physical infrastructure out of Switzerland. Lumo will be the first product to move,” the company told CyberInsider.
The change comes in response to the planned revision of the Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT), introduced by the Swiss Federal Council in January 2025. As previously reported by CyberInsider, the proposal would compel telecom and “derived communication service” providers (FSCDs) to impose mandatory user identification once they reach 5,000 users, retain this data for six months after service ends, and, where encryption keys are held, decrypt communications on request. Larger providers with more than one million users or CHF 100 million in annual revenue would face round-the-clock compliance obligations and real-time interception capabilities.
The proposed rules have drawn sharp criticism from the Swiss privacy sector. Firms like Nym, Threema, and Proton argued the measures threaten to dismantle Switzerland’s carefully cultivated image as a privacy haven, while introducing risks of systemic backdoors. In a recent CyberInsider interview, the decentralized messenger project Session said it was “keeping a close eye” on the ordinance’s progress, but noted that its architecture makes it less directly vulnerable to the proposed rules.
Proton, which operates services including Proton Mail, Proton VPN, Proton Drive, and Proton Pass, has been headquartered in Geneva since its founding in 2014. The company has long promoted Switzerland’s legal framework as a cornerstone of its security model, alongside its use of end-to-end encryption and no-logs policies. While the infrastructure move is a major operational change, Proton insists its privacy protections remain intact:
“It’s important to emphasize that we are not giving up the fight for privacy in Switzerland and will continue to fight proposals that we believe will be damaging. Regardless, it’s important to keep in mind that Proton’s products don’t rely solely on legal protections. Our use of end-to-end encryption and no logs policies remain as safeguards for our users’ privacy.” – Proton
The company did not specify the timeline for the migration of its other services besides Lumo, nor the countries where the new infrastructure will be located. All European countries offer strong privacy protections as they are bound by the EU’s General Data Protection Regulation (GDPR), but Germany is probably the best candidate for its long tradition of strong constitutional privacy rights, mature hosting ecosystem, and proximity to Switzerland.
The countries with so-called privacy protection laws… are the laws really protecting privacy or just noninvasive? Meaning they don’t force surveillance but don’t actually have laws regarding privacy.