On 7 May 2026, the Swiss investigative outlet Republik published the Federal Council's secret revised draft of the VÜPF — the ordinance governing surveillance of postal and telecommunications traffic — and the revelation was awkward for Bern. Circulated quietly in February to a handful of selected IT firms by the Federal Department of Justice and Police under Federal Councillor Beat Jans, the so-called "VÜPF 2.0" still compels in-scope providers to identify their users by passport or phone number and to retain connection metadata for six months on a precautionary basis. That is precisely the design parliament had instructed the government to abandon.
What the leaked draft still demands
The original consultation ran from 29 January to 6 May 2025 and proposed extending heavy cooperation duties — identification, retention, and the ability to hand authorities data in readable form — to "derived" communication services such as VPNs, encrypted email, and messengers. The revised draft makes one real concession: it raises the user threshold from 5,000 to 100,000, sparing the smallest Swiss mail and hosting outfits. But for the providers that actually define Switzerland's privacy-tech reputation, the core obligations survive intact.
Proton's Edward Shone called the draft "completely unacceptable," warning of "systemic problems in the Swiss tech sector that undermine the rights of Swiss citizens." Nym's chief operating officer Alexis Roussel said that if the text stands, the Neuchâtel-based company would "definitively turn away from Switzerland." These are not idle threats. Proton has already begun relocating infrastructure — its Lumo product moved first, to servers in Germany and Norway — and CEO Andy Yen has said the only European country with a roughly equivalent law is Russia.
The case for the ordinance — stated fairly
The Federal Council's position is not frivolous. Serious-crime, terrorism, and child-exploitation investigations frequently dead-end at the moment of attribution: police can see an account or an IP address but cannot lawfully tie it to a person. Subscriber identification and a bounded retention window are, in many democracies, ordinary investigative tools, and the 2019 revision of the underlying surveillance act (BÜPF) expressly delegated to the executive the power to define which categories of provider must cooperate. From that vantage, the government is filling in a statutory blank, not inventing new powers, and a 100,000-user floor looks like a good-faith narrowing.
The problem is not that the state wants to solve crimes. It is that the chosen instrument is disproportionate, procedurally evasive, and self-defeating.
Why the instrument fails its own test
First, parliament has already ruled. The Gapany/Feller motion (25.4273), adopted by the Council of States on 10 December 2025 and by the National Council in March 2026, instructed the Federal Council to fundamentally revise the draft and run a fresh consultation — explicitly to protect competitiveness, jobs, and fundamental rights. A leaked text that preserves the contested mandates is not a fundamental revision; it is the same policy with a higher threshold. Pushing it through as an ordinance also means no referendum — the citizen check that defines Swiss lawmaking — which is why critics frame this as a sovereignty question, not merely a privacy one.
Second, blanket retention sits badly with European proportionality law. In La Quadrature du Net (Joined Cases C-511/18 and others, 6 October 2020), the Court of Justice held that EU law precludes the "general and indiscriminate" retention of traffic and location data for fighting crime, requiring instead targeting limited in scope and time. Switzerland is outside the EU, but it shares the Council of Europe's proportionality jurisprudence, and a precautionary six-month retention duty imposed on services chosen precisely because they minimise data is hard to square with a necessity test. Nineteen civil-society organisations — among them Statewatch, EDRi, Amnesty International Switzerland, and Privacy International — warned in early 2026 that the plan would "dramatically increase" retained personal data and create "huge security risks."
Third, the policy undermines the asset it claims to regulate. Switzerland's pitch to the global privacy market has always been legal credibility: strong neutrality, strong data protection, strong courts. An ordinance that makes a Swiss VPN or mail provider less confidential than a US hyperscaler — because the latter is not subject to these identification duties at the same threshold — destroys that differentiator. The likely result is not more lawful-access capability but capital flight: Proton's nine-figure EU investment and Nym's exit planning are leading indicators of a sector voting with its servers.
A proportionate path exists
None of this requires choosing between public safety and the privacy economy. Switzerland already has a functioning targeted-surveillance regime under the BÜPF: judicially authorised, suspect-specific orders that compel cooperation in concrete cases. Strengthening that — faster mutual legal assistance, clearer obligations to preserve data on receipt of a valid order, better-resourced investigators — would address the genuine attribution gap without conscripting every mid-sized provider into a standing data-retention apparatus.
The Federal Council still has room to comply with parliament's instruction in substance rather than form. That means dropping precautionary retention and blanket identification for derived services, narrowing duties to court-ordered, case-by-case access, and reopening a real consultation. Anything less invites the outcome Bern says it wants to avoid: a Switzerland that keeps the surveillance and loses the industry.