Swiss Surveillance Ordinance Sparks Backlash from Privacy Tech Firms

A proposed revision to Switzerland's digital surveillance ordinance threatens to undermine the country's thriving privacy tech sector, with firms like Nym, Proton, and Threema warning of irreversible damage to their operations and user trust.

The changes, introduced by the Swiss Federal Council in January 2025 as part of a partial revision of the Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT), would impose stricter monitoring obligations on telecom and derived communication service providers (FSCDs). The ordinance, currently in consultation until May 6, 2025, includes contentious measures such as mandatory user identification for services exceeding 5,000 users and the requirement to decrypt content when a provider holds an encryption key.

Privacy tech startup Nym, which recently launched its privacy-centric NymVPN, has raised the alarm about what it sees as an existential threat to digital rights in Switzerland and beyond. In a public statement authored by COO Alexis Roussel, the company criticized the Federal Council's decision to bypass a referendum on the ordinance. “This ordinance profoundly alters the spirit of the law,” Roussel stated, adding that it could dismantle an entire sector that has gained both domestic and international credibility.

The ordinance mandates that providers in the FSCD category with more than 5,000 users must collect identification documents from their users and retain this data for six months after the end of service. It further requires that FSCDs with over one million users or 100 million CHF in annual revenue comply with comprehensive obligations, including 24/7 responsiveness to surveillance demands, automated data disclosure, and real-time or retroactive monitoring of communications.

From safe haven to surveillance state

Switzerland has long positioned itself as a safe haven for privacy, with success stories like Proton Mail and Threema — the latter even adopted by the Swiss army — reinforcing this image. The new ordinance appears to contradict that legacy. According to the explanatory report accompanying the ordinance, the changes aim to align regulatory categories with operational realities and court rulings, particularly the 2021 Federal Tribunal decision involving Threema's refusal to hand over user data.

However, critics argue the ordinance's technical framing and bureaucratic implementation obscure its impact from public scrutiny. The requirement to decrypt communications, even where only partial keys are held, is seen as opening the door to backdoors and broader systemic vulnerabilities.

Nym's concerns are echoed by a broader coalition of privacy advocates, who argue that the ordinance imposes disproportionate burdens on small providers, many of whom operate with limited resources. The requirement to classify and comply based on economic size and user count risks excludes innovative startups from the Swiss privacy ecosystem entirely. Nym warns that no new privacy-focused project would consider launching in Switzerland under such conditions.

The law does offer a graduated framework of obligations based on provider size, but the thresholds are steep and the implications severe. Identification obligations apply even to non-commercial entities like associations running Mastodon instances if their user base exceeds 5,000. This not only affects privacy companies but could extend to grassroots digital communities and NGOs.

The public and affected companies can still respond to the consultation process before the May 6 deadline. Nym urges Swiss residents to contact federal representatives and demand transparency and restraint. EU residents are advised to remain alert as similar legislative trends are emerging across the continent.