Different countries differ significantly in terms of laws regulating data protection, privacy, and freedom of expression. Your needs for privacy and security may be better served by hosting your email in one country in preference to another.
Recognizing this, we now offer a choice of email hosting in Switzerland or the USA, and are working to bring online email servers in other countries soon.
You are currently viewing the US site. If you would like to switch to the Swiss site, click here.
According to the EPIC / Privacy International survey of Privacy & Human Rights (2003), the right to privacy is guaranteed by the constitution of Switzerland:
Article 36(4) of the 1874 Constitution guaranteed, "[t]he inviolability of the secrecy of letters and telegrams." This Constitution was repealed and replaced by public referendum in April 1999. The new constitution, which entered into force on January 1, 2000, greatly expanded the older privacy protection provision. Article 13 of the Constitution now states: "All persons have the right to receive respect for their private and family life, home, mail and telecommunications. All persons have the right to be protected against abuse of their personal data."
The Federal Act of Data Protection of 1992 (Loi fédérale sur la protection des données or LPD) regulates personal information held by federal government and private bodies. The Act requires that information must be legally and fairly collected and places limits on its use and disclosure to third parties. Private companies must register if they regularly process sensitive data or transfer the data to third parties. Transfers to other nations must be registered and the recipient nation must have equivalent laws. Individuals have a right of access to correct inaccurate information. Federal agencies must register their databases. There are criminal penalties for violations. To date, the Parliament is discussing a revision of the act, which in its main parts provides better regulations for the protection against the transfer of data especially by private bodies. It also tries to adapt Swiss data protection law to the standards of the European Union Data Protection Directive. However, the government also proposes a major change in a new Article 17a, which allows federal authorities to create new data banks and to process personal data without previous regulation by the law, "if major public interest does not allow a postponement of data processing or if a testing phase, before the law enters into force, is required." In this case, the government only has to produce a decree. There are also separate data protection acts for the "cantons" (states). However there are still some cantons that do not have data protection laws and thus do not have data protection commissioners.
In June 1999, the European Union Data Protection Working Party determined that Swiss law was adequate under the European Union Directive. In July 2000, the European Commission formally adopted this position, thereby approving all future transfers of all personal data transfers to Switzerland.
The LPD created the office of a Federal Data Protection Commissioner (the Commissioner). The Commissioner maintains and publishes the Register for Data Files, supervises federal government and private bodies, provides advice, issues recommendations and reports, and conducts investigations. The commissioner also consults with the private sector. In a report covering the period from April 2000 to March 2001, the Commissioner addressed in detail, the use of video surveillance in the public and private sectors, monitoring of employee e-mails and Internet use, employee drug testing, DNA profiling by law enforcement, privacy in e-commerce, seal programs and the adequacy of Safe Harbor. The report also criticized certain practices of the postal service, and called for increased compliance of the medical sector with the legal requirements on the processing of personal information. Finally, it addressed the need for strong technologies and amendments to the law to combat the increasing threat to privacy posed by the Internet. These issues continue to be of primary relevance to the Commissioner, as exhibited in its 2002 report. Of particular concern is the use of genetic testing, as well as privacy in telecommunication data storage. In previous reports, the Commissioner has recommended the introduction of legislation, similar to that in Germany, providing an explicit right to anonymity. In 2001, the commission also issued guidance on surveillance of Internet and e-mail use in the workplace and the use of video surveillance technologies. There are currently twenty-one people employed by the Commissioner, most of them, however, working part-time.
Until the beginning of 2002, telephone tapping was governed by Article 179 octies of the Penal Code and corresponding regulations in the federal, the military and the cantonal Penal Procedure Codes. Due to liberalization of the Telecom sector by the 1997 Telecommunication Act, the government issued a decree that established a specialized agency, Le Service des Tâches Spéciales (STS), within the Department of the Environment, Transport, Energy and Communications, to administer wiretaps. Until then, the technical procedures for wiretapping were carried out by a special service within former Telecom PTT (now Swisscom), the state monopoly company. The STS now has the function of a connecting link between the special services of the different private and state owned telecommunications companies and the public prosecutors, who issue an interception order. Already under the old legal regulation, every interception order had to be confirmed by the allowance of a prosecution chamber of the federal court or the cantonal high court respectively.
On April 1, 2003, a new Federal Law on the surveillance of mail and telecommunications became fully binding. Having been enacted in January 2002, this law is the product of parliamentary debates that started in 1999, when the federal Department on Justice and Police (Justice Ministry) presented a first draft for that law, which replaces federal and cantonal regulations. The Law Commission of the National Council (Great Chamber of the federal Parliament) rejected this draft and prepared its own, which constitutes the basis of the new law. Whereas, until then, interception was possible in all investigations relating to crimes and offences (crimes for which a prison sanction can be issued), the new law prohibits any preventive interception and provides, for the first time, for a catalogue of offences. The requirements for an order by a prosecutor and the respective allowance of a prosecution chamber are more precise.
The new law also provides for the surveillance of e-mails, which are treated as every other telecommunication. Swiss Internet service providers (ISPs) are now required to keep a six-month log of all e-mails sent by their customers. These providers must log customer activity, including connection times, e-mails sent, addresses and senders, but not the content of the e-mails. Many ISPs will thus have to create the respective interfaces to make surveillance possible. However, legal authorities will only be able to access this data as necessary for an ongoing investigation into suspected criminal activity. To access the provider's electronic log, an investigating judge must issue a search warrant, and in some cases, the suspects will have to be informed of the proceedings.
We believe that this traditional respect for privacy, both guaranteed in the Swiss Constitution and reinforced by many legislative and judicial decisions, makes Switzerland an ideal location for premium private email hosting.
According to the same EPIC / PI report:
There is no explicit right to privacy in the United States Constitution. The Supreme Court has ruled that there is a limited constitutional right of privacy based on several provisions in the Bill of Rights. This includes a right to privacy from government surveillance into an area where a person has a "reasonable expectation of privacy" and also in matters relating to marriage, procreation, contraception, family relationships, child rearing and education. Some states within the country have incorporated explicit privacy protections into their state constitutions.
However, the United States has taken a sectoral approach to privacy regulation so that records held by third parties, such as consumer marketing profiles or telephone calling records, are generally not protected unless a legislature has enacted a specific law. The Court has also recognized a right of anonymity and the right of political groups to prevent disclosure of their members' names to government agencies.
The US has passed comprehensive medical privacy legislation:
In April 2003, the first federal regulation protecting individually identifiable health information became effective for enforcement. The Standards for Privacy of Individually Identifiable Health Information, commonly known as the "HIPAA Privacy Rule," provide basic protections for individually identifiable health information and give individuals rights with respect to the information about them.
The report notes that many large US companies don't take customer privacy seriously (and often actively violate it):
Internet privacy has remained the hottest issue of the past few years. Several profitable companies, including eBay.com, Amazon.com, drkoop.com, and Yahoo.com have either changed users' privacy settings or have changed privacy policies to the detriment of users. A series of companies, including Intel and Microsoft, were discovered to have released products that secretly track the activities of Internet users. Users have filed several lawsuits under the wiretap and computer crime laws. In several cases, TRUSTe, an industry-sponsored self-regulation watchdog group ruled that the practices did not violate its privacy seal program.
The report also notes that in recent years, privacy protections in the USA have been significantly weakened:
In December 2001, the FBI confirmed the existence of a technique called "Magic Lantern." This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet.
In July 2000, it was revealed that the FBI had developed a system called "Carnivore" that is placed at an ISP's offices and can monitor all traffic about a user including e-mail and browsing. Earthlink, a major ISP, announced that it refused to install the system in its network. After the system was discovered, Attorney General Reno promised to conduct a review of its privacy protections. In the fall of 2000, the Justice Department commissioned a team of experts at the Illinois Institute of Technology Research Institute (IITRI) and the Illinois Institute of Technology Chicago-Kent College of Law to undertake an independent review of the carnivore system. The IITRI group issued its final report on Carnivore in December 2000 and made several recommendations for changes to the system. These recommendations have not yet been implemented by the Justice Department and the system remains in use today. In May 2002, EPIC obtained Freedom of Information Act (FOIA) documents on Carnivore that indicated that the program may have hindered the government's anti-terrorism investigation by overcollecting data in violation of wiretapping laws.
The USA PATRIOT Act, which passed in the wake of the September 11, 2001 attacks, significantly weakened privacy protections in federal wiretapping statutes. The Act extended the "pen register" portions of federal wiretapping law, allowing Carnivore to be used to collect traffic data based on a mere certification of a prosecutor that it would collect information relevant to an ongoing investigation. The bill made computer crimes and terrorism predicate offenses for initiation of a federal wiretap. The bill authorizes national application of a wiretap order, that is, a court in one jurisdiction can issue a warrant that could apply anywhere in the country. Courts can issue roving wiretaps, giving law enforcement the ability to monitor many different devices that a suspect may use. Although supporters of the USA PATRIOT Act claimed that a sunset provision in the bill would limit police power, only some of the new surveillance authority will expire. Also, several states followed suit by passing state legislation that loosens protections against wiretaps.
Following the USA PATRIOT Act, Congress further weakened privacy protections against wiretapping in passing the Cyber Security Enhancement Act (CSEA). The CSEA allows communications providers to voluntarily provide government agents with access to the contents of customer communications without consent based on a "good faith" belief that an emergency justifies the release.
Despite the USA's long history of respect for privacy and the legal precedents mentioned above, it is clear that civil liberties, free speech and individual privacy in the USA have been put in serious jeopardy by recent legislation. Customers seeking email hosting in a jurisdiction with strong legal safeguards for their privacy and freedom of expression rights would be better served by our servers in Switzerland.