Proton

Why Switzerland? An analysis of Swiss privacy laws

No matter where you live in the world, whether you’re living under an authoritarian government or looking to break away from Big Tech surveillance, using Proton puts your data under the protection of Swiss privacy laws. We are often asked why Proton(new window) is based in Switzerland and whether there are real advantages to being a Swiss company.

This article explains the main privacy advantages of being a Swiss company, including these key benefits: 

  • Outside of US and EU jurisdiction: Swiss companies are not allowed to share information with foreign law enforcement under criminal penalty.
  • Politically neutral: Switzerland has a long history of neutrality, which shields us from pressure of foreign governments.
  • Strong privacy protections: Switzerland has a constitutional right to privacy and strict data protection laws. Unlike companies in other countries, Proton cannot be compelled by foreign or Swiss authorities to engage in bulk surveillance.
  • Advanced infrastructure: Many other countries with strong privacy laws lack the IT infrastructure and talent pool required to reliably operate a major tech company like Proton. Switzerland has the best of privacy protections, infrastructure, and world-class human resources.

Switzerland is where the web and Proton were born

Proton’s roots(new window) are in Proton Mail(new window), which began at the European Organization for Nuclear Research (CERN) in Geneva, Switzerland, where many of our early team members worked together on particle physics experiments. CERN was also the research center where Sir Tim Berners-Lee invented the World Wide Web in 1991, which led to the internet as we know it (Sir Tim is now a member of Proton’s advisory board).

To benefit from Swiss jurisdiction, it is not sufficient to just have a mailbox there, as the government that has effective jurisdiction over a company is the one where an organization’s center of activity is. Switzerland is not just where we are incorporated, it is also the location of our headquarters, the majority of Proton’s leadership and board members, our main datacenter, and the country where we have the greatest number of employees. This is important because if a company was legally incorporated in Switzerland but has the majority of staff in the US, the US government would still effectively control that company. For Proton, Switzerland is not just the legal jurisdiction, but also the place of effective jurisdiction. 

Culture of neutrality and strong individual rights

Switzerland’s political culture of neutrality, discretion, and personal freedom is well-suited for privacy. 

Unless you host your servers on a boat in international waters, you must be under some legal jurisdiction. Choosing one is particularly important because, as the Lavabit example(new window) shows, local laws can have an existential impact on the service. In Lavabit’s case, their US jurisdiction proved to be fatal.

Given that we serve people with highly sensitive privacy and security requirements from around the world, Switzerland has the advantage of being a neutral location outside of US, EU, and NATO jurisdiction. Swiss neutrality means that Switzerland is not a party to any binding intelligence-sharing agreement, such as the Five Eyes, Nine Eyes, or Fourteen Eyes agreements(new window) or the NATO intelligence programs(new window).

Legal differences between Switzerland and other countries

Switzerland has strong legal protections for individual rights, and in fact the Swiss Federal Constitution(new window) explicitly establishes a constitutional right to privacy. (In the US, this right is merely implied.) Specifically, Article 13 safeguards privacy in personal or family life and within one’s home, and the Swiss Civil Code(new window) translates this right into statutory law in Article 28.

In the US and EU, authorities can issue gag orders to prevent an individual from knowing they are being investigated or under surveillance. While this type of order also exists in Switzerland, the prosecutors have an obligation to notify the target of surveillance, and the target has an opportunity to appeal in court. In Switzerland, there are no such things as national security letters(new window), and all surveillance requests must go through the courts. Warrantless surveillance, like that practiced in the US where the FBI conducts 3.4 million searches per year(new window) with little oversight, is illegal and not permitted in Switzerland.

Switzerland also benefits from a unique legal provision with Article 271 of the Swiss Criminal Code(new window), which forbids any Swiss company from assisting foreign law enforcement, under threat of criminal penalty. While Switzerland is party to certain international legal assistance agreements, all requests under such agreements must hold up under Swiss law, which has much stricter privacy provisions. All foreign requests are assessed by the Swiss government, which generally does not assist requests from countries with poor rule of law or lack an independent judiciary.

Swiss law has several more unique points. First, it preserves end-to-end encryption, and unlike in the US, UK, or EU, there is no legislation that has been introduced or considered to limit the right to encryption. Second, Swiss law protects no-logs VPN(new window) meaning that Proton VPN does not have logging obligations. While numerous VPNs claim no-logs, these claims generally do not stand up legally because in most jurisdictions, governments can request that the VPN in question starts logging. So the VPN is only no-logs until the government asks. However, in Switzerland, the law does not allow the government to compel Proton VPN to start logging.

Recent court rulings enhance Swiss privacy

We’ve also fought to ensure that Switzerland remains a legal jurisdiction that respects and protects privacy. 

Nearly every country in the world has laws governing lawful interception of electronic communications for law enforcement purposes. In Switzerland, these regulations are set out in the Swiss Federal Act on the Surveillance of Post and Telecommunications (SPTA), which was last revised on March 18, 2018. In May 2020, we challenged a decision of the Swiss government over what we believed was an improper attempt to use telecommunications laws to undermine privacy. 

In October 2021, The Swiss Federal Administrative Court ultimately agreed with us and ruled that email companies cannot be considered telecommunication providers(new window). This means Proton isn’t required to follow any of the SPTA’s mandatory data retention rules, nor are we bound by a full obligation to identify Proton Mail users. Moreover, as a Swiss company, Proton Mail cannot be compelled to engage in bulk surveillance on behalf of US or Swiss intelligence agencies(new window).

Additional privacy through encryption

While Proton benefits from strong legal protections within Switzerland, we have also built in technological safeguards against surveillance, such as utilizing end-to-end encryption(new window).

We do not possess the keys required to decrypt users’ emails, calendar events, files, photos, login details, and many kinds of metadata. Even emails between non-Proton Mail accounts cannot be decrypted on our servers thanks to our use of zero-access encryption(new window). As a result, even if Proton were forced to turn over all our computer systems, your email contents, items in cloud storage, calendar events, and other data would continue to be encrypted.

These technical safeguards are the strongest privacy protections because unlike national laws, the laws of mathematics cannot be changed or altered.

Multi-layered privacy protection

Neither legal protections nor technical protections on their own are sufficient to protect privacy. Even the strongest technical protection can fail because technology is developed by people who are subject to the laws of the country in which they reside. 

We believe comprehensive security can only be achieved through a combination of technology and legal protections, and Switzerland provides the optimal combination of both. Because of Switzerland’s advanced IT infrastructure and its unique legal environment, Proton can deliver a service that is both reliable and secure.

For more information about requests for information made to Proton from Swiss authorities, please view our Transparency Report(new window).

Related articles

Email etiquette: What it is and why it matters |
Find out what email etiquette is with key rules and examples, why it is important, and how Proton Mail can help.
A cover image for a blog about how to create an incident response plan that shows a desktop computer and a laptop with warning signs on their screens
Do you have an incident response plan to protect your business from financial and reputational damage? Find out how Proton Pass for Business can help you stay safe.
Shared with me in Proton Drive for desktop user interface
  • For business
  • Product updates
  • Proton Drive
We've improved Proton Drive for Windows to make it easier to securely collaborate with others from your desktop.
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.
Students modified smart glasses to find someone’s personal data after just looking at them. This is why we must minimize data collection.
The cover image for a blog explaining what password encryption is and how Proton Pass helps users with no tech experience benefit from it
Password encryption sounds complicated, but anyone can benefit from it. We explain what it is and how it’s built into Proton Pass for everyone to use.
How Proton can help with DORA compliance
We look at how DORA will affect your organization and how Proton’s services can help you meet its compliance requirements.