Has ProtonMail ever complied with Swiss or foreign law‑enforcement data requests and what were the outcomes?

Checked on January 14, 2026

Executive summary

ProtonMail has in practice complied with Swiss court orders that compelled it to collect and turn over limited user data—most famously logging and handing an IP address that helped identify a French activist—while insisting it rejects direct requests from foreign authorities and cannot decrypt end-to-end encrypted message bodies [1] [2] [3]. The company’s public transparency and law‑enforcement pages make clear that legally binding Swiss orders are enforceable against Proton, that foreign requests must go through Swiss mutual‑assistance channels, and that the company has updated policies and disclosure procedures after the 2021 incident [4] [5] [6].

1. How Proton frames legal compliance: Swiss courts bind Proton, foreign authorities do not

Proton’s official transparency and privacy pages state explicitly that the only legally binding orders it recognizes are those from competent Swiss authorities and that it rejects direct requests from foreign law enforcement. Foreign governments must instead seek assistance through Swiss mutual legal assistance (MLAT) procedures, under which Swiss law must be satisfied before any data is produced [4] [7] [5]. Proton also points to Article 271 of the Swiss Criminal Code as a structural safeguard: Swiss companies may not transfer information directly to foreign authorities under penalty, so any foreign request must be evaluated and approved under Swiss processes [4] [8].

2. What Proton can — and cannot — hand over when compelled

When a valid Swiss criminal order exists, Proton can be compelled to collect and disclose limited account metadata that it retains or can log on demand, such as IP addresses, account profile details, login times, storage use and certain unencrypted metadata. However, the company says it cannot decrypt end‑to‑end encrypted message bodies or provide decrypted copies because it does not hold the necessary keys [9] [3] [7]. Reporting and Proton’s own statements emphasize that while content encrypted end‑to‑end remains out of reach, server‑accessible metadata required by protocols (sender/recipient/timestamp) and IP logs can be produced when Swiss law authorizes it [3] [6].

3. The French activist case: a concrete compliance and its outcome

In 2021 Swiss courts ordered Proton to log IP information for a French activist’s account after French authorities, with assistance routed through Swiss channels (via Europol/MLAT processes), requested the data; Proton complied with the Swiss order, supplied the logged IP and device information, and French authorities used that information to identify and arrest the individual [1] [2] [10]. Proton publicly acknowledged it had been unable to successfully appeal the Swiss court demand in that case and subsequently revised its website, notification policy, and public explanations to clarify how Swiss criminal investigations can override default no‑log promises in “extreme” or legally authorized cases [6] [3].

4. Scale, transparency, and the company’s response

Proton’s published transparency reporting and outside coverage indicate a sharp increase in the volume of Swiss orders it receives, and the company discloses that a subset of those are linked to foreign requests that were processed via Swiss authorities rather than sent directly to Proton [2] [4]. After the 2021 incident Proton emphasized both the limits of its technical capabilities to hand over encrypted content and the protections afforded by Swiss law — while critics pointed out that Swiss cooperation still allowed foreign jurisdictions to obtain actionable metadata [3] [11]. Proton also updated user‑notification procedures to reflect that notice can sometimes be delayed by Swiss court order or when immediate notice would cause harm [5] [1].

5. Bottom line: yes, but constrained and contested

ProtonMail has complied with legally binding Swiss orders that resulted in disclosure of limited account data (notably IP logs) and those disclosures have in at least one high‑profile instance enabled identification and arrest, while the company continues to reject direct foreign requests, maintain that encrypted contents cannot be decrypted by Proton, and rely on Swiss legal safeguards and transparency reporting to limit and explain compliance [1] [4] [3]. Reporting shows the outcomes are mixed: legal process produced actionable metadata for law enforcement, prompting Proton to tighten public disclosures and clarify its limits, and prompting debate about how much privacy protection Swiss jurisdiction really affords when serious criminal procedures are invoked [6] [9].
