
BÜPF revision 2025: From data protection paradise to surveillance state?

2025-05-13



The Swiss government intends to toughen its surveillance law. With the revision of the BÜPF (Federal Act on the Surveillance of Post and Telecommunications), potentially far-reaching changes are on the horizon that could affect the data protection of millions of users. The supposedly safe haven for digital privacy is crumbling: in future, Swiss email providers with more than 5,000 users may be required to deliver metadata to authorities in real time. This would particularly affect those Swiss services that have until now advertised strict data protection.

The BÜPF and the planned revision: The digital overhaul

Since 2002, Switzerland's surveillance law has regulated the circumstances under which authorities may access communication data. However, the partial revision of the associated ordinances (VÜPF and VD-ÜPF) now sought by the Federal Council goes far beyond a mere update. Whilst official bodies present the changes as necessary adaptations to 5G technology, the draft contains measures that would significantly increase the level of state surveillance.

Digital X-ray: How deep the new surveillance would reach

The planned changes to the BÜPF would deeply encroach on digital privacy and would also affect users of Swiss email services. It is crucial for users to understand what authorities might see in the future and what they would not.

Future surveillance would encompass significantly more metadata, including IP addresses, recipient data and location information – data that is just as sensitive as content, as it can reveal movement and relationship profiles. Authorities would thus gain systematic access to information about who communicates with whom, when this happens and from which location. This metadata would be collected in real time and transmitted to authorities. For Swiss email services that have so far not stored IP addresses as standard, such data protection-friendly practices would no longer be possible. Last but not least, the processing deadlines for requests are to be shortened – from one working day to six hours for large providers and from two working days to one for smaller services.

End-to-end encryption through PGP remains untouched, meaning Swiss providers would still not be required to decrypt encrypted content. Anyone who consistently encrypts their emails with PGP would therefore continue to protect the content of their communications even after the potential legislative change.

What happens after the end of the consultation?

The deadline for the consultation – a Swiss procedure in which cantons, parties, associations and affected organisations could comment on the draft – expired on 6 May 2025. According to reports, the consultation met with widespread rejection. The Federal Department of Justice and Police (FDJP) is now evaluating the submitted statements and revising the draft if necessary. This process can take several months.

The Federal Council will decide on the final version no earlier than autumn 2025. If approved, the new regulations could come into force from 2026, although massive resistance from businesses and data protection organisations could delay the process or lead to substantial changes.

The great exodus has begun

In response to the impending regulations, leading providers have already begun relocating their servers abroad – primarily to Germany and Scandinavian countries. Some companies are even considering moving their headquarters completely out of Switzerland. This development shows how seriously the industry is taking the planned changes. Leading industry representatives particularly criticise that the planned measures would go far beyond the regulations in Germany and the EU.

Data protection in international comparison

Whilst Switzerland has long been known for its high standards in digital privacy, Germany now offers significantly stronger protection in some areas. Since 1997, Switzerland has permitted blanket, non-targeted data retention for six months, which would be extended to continuous real-time surveillance with the planned BÜPF revision. In Germany, on the other hand, the Federal Constitutional Court has repeatedly declared such blanket data retention unconstitutional. Here, surveillance measures generally require a judicial order and specific suspicion – basic principles that could potentially be diluted with the Swiss law revision.

Checklist: What users should check now

If you currently use a Swiss email service, you should check the following aspects in light of the possible legislative changes:

  • Encryption level of your emails: Is only transport encryption activated, or do you use end-to-end encryption like PGP?
  • Metadata protection: What metadata does your provider store, and how will they handle the potential real-time surveillance obligation?
  • Server locations: Has your provider already relocated servers abroad? If so, which law applies to your data stored there?
  • Future plans of the provider: Are there official statements on possible relocations or adjustments to data protection policies?
  • Examine alternatives: Consider switching to a German provider like mailbox.org, which is protected by strict constitutional court rulings and the GDPR.

Outlook: The price of security

The planned revision of Swiss surveillance law marks a turning point. What was once considered a data protection paradise is increasingly developing into a surveillance state that recalibrates the balance between security and privacy – and, in the view of many experts, goes too far. The threatened exodus of email providers is a wake-up call – not just for Switzerland, but for everyone who values digital fundamental rights. The debate shows once again that data protection is not a given, but a fragile asset that requires constant vigilance.


© 2025 mailbox.org