The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption.

The proposal, which is not subject to parliamentary approval, has alarmed privacy and digital-freedoms advocates worldwide because of how it will destroy anonymity online, including for people located outside of Switzerland. 

A large number of virtual private network (VPN) companies and other privacy-preserving firms are headquartered in the country because it has historically had liberal digital privacy laws alongside its famously discreet banking ecosystem.

Proton, which offers secure and end-to-end encrypted email along with an ultra-private VPN and cloud storage, announced on July 23 that it is moving most of its physical infrastructure out of Switzerland due to the proposed law.

The company is investing more than €100 million in the European Union, the announcement said, and plans to help develop a “sovereign EuroStack for the future of our home continent.” Switzerland is not a member of the EU.

Proton said the decision was prompted by the Swiss government’s attempt to “introduce mass surveillance.”

Proton founder and CEO Andy Yen told Radio Télévision Suisse (RTS) that the suggested regulation would be illegal in the EU and United States.

"The only country in Europe with a roughly equivalent law is Russia," Yen said.

One of the Swiss officials spearheading the effort told a Swiss news outlet that strict safeguards will be used to protect against mass surveillance. The official, Jean-Louis Biberstein, described the effort as necessary to fight cyberattacks, organized crime and terrorism.

It is unclear when the proposed regulation will be implemented. The Swiss government must give the public the right to comment during a “consultation” process before imposing the rule, NymVPN chief operating officer Alexis Roussel told Recorded Future News. 

“There is a great worrying paradox, when the need for privacy tech is becoming so important to protect citizens to have a state that actively destroys its own local privacy industry," Roussel said.

Nym is among a coalition of industry players, politicians and digital-freedoms organizations opposing the measure.

Roussel believes the government will tweak the proposal in response to the intense backlash, but said he doesn’t think the changes will be significant enough to address his concerns.

The metadata the regulation would allow law enforcement to seize is “where most value for surveillance resides, in who you speak to and when,” Roussel said.

Internet users would no longer be able to register for a service with just an email address or anonymously and would instead have to provide their passport, drivers license or another official ID to subscribe, said Chloé Berthélémy, senior policy adviser at European Digital Rights (eDRI), an association of civil and human rights organizations from across Europe. 

The regulation also includes a mass data retention obligation requiring that service providers keep users’ email addresses, phone numbers and names along with IP addresses and device port numbers for six months, Berthélémy said. Port numbers are unique identifiers that send data to a specific application or service on a computer.

All authorities would need to do to obtain the data, Berthélémy said, is make a simple request that would circumvent existing legal control mechanisms such as court orders.

“The right to anonymity is supporting a very wide range of communities and individuals who are seeking safety online,” Berthélémy said. 

“In a world where we have increasing attacks from governments on specific minority groups, on human rights defenders, journalists, any kind of watchdogs and anyone who holds those in power accountable, it's very crucial that we … preserve our privacy online in order to do those very crucial missions.”