Encryption is under threat worldwide. Online Safety Act in the UK, TOLA in Australia, Bill C-2 in Canada - the list of legislation that has the potential to undermine encryption is increasing. In this study, we’ve put together an overview of the legal situation in democratic countries so that you can better understand whether your data is safe there.
In this political trends study we focus on anti-encryption legislation worldwide, covering laws or proposals that aim at weakening or breaking end-to-end encryption in communication services. While secure communication has been under threat in autocratic countries such as Russia and China for a long time already, it now increasingly comes under pressure in democratic countries such as the USA, UK, and the European Union as well. These laws against encryption usually try to force communication providers to implement a backdoor to their encryption so that law enforcement can filter the data for suspicious activity. A prime example of such a backdoor is the heavily criticised Chat Control proposal, which is still being discussed in the EU, but now without any backdoor requirement.
The problem with these backdoors is that they create a severe security vulnerability. Once a backdoor is there, it’s not a matter of WHETHER the backdoor will be abused, but only a matter of WHEN. That’s why we need to look at global encryption legislation and check the current status in democratic countries.
Encryption legislation global status
Encryption legislation global status: Australia and the UK are worst, then Canada, then the USA and Switzerland, and the best location is the EU.
The legal situation worldwide is changing, particularly when it comes to monitoring and surveillance powers. Discussions on this topic, particularly in the online community, can get very heated as many tech experts are strong believers in the right to privacy and passionately fight for this. Nevertheless, governments around the world are pushing back, trying to frame the discussion as if breaking encryption were inevitable, for instance to fight terrorism or to protect children.
This framing of the discussion is a push by those in power to convince citizens that breaking encryption would be necessary and good, and that it could even be achieved without monitoring everyone (for instance by introducing AI-powered surveillance). Of course, this narrative is wrong, and we extensively discuss this in our updated criticism on Chat Control, but let’s look at the current status of encryption laws in the EU, in Switzerland, the USA, and Canada, as well as in Australia and the UK in this global encryption trends study.
Legal status in the EU
Over the last three years, Europe has seen a strong fight over the question of whether it should undermine encryption with the Chat Control legislation, or as the EU calls it, the Child Sexual Abuse Regulation (CSAR). The EU Council - under changing Presidencies - repeatedly tried to push a version of the law that obliged communications providers such as email services and chat apps to undermine or circumvent their services’ end-to-end encryption. Heavy push-back from citizens, organizations, and businesses such as Tuta finally pressured the EU Council to agree on a draft CSA law that states that scanning of users’ communications is voluntary and that undermining end-to-end encryption is not required. This draft now needs to be discussed with the European Parliament.
That Chat Control - despite the global trend to undermine encryption - no longer requires breaking encryption is a huge win for Europe, and particularly for Germany. Germany is historically a country where the privacy community, particularly among tech-savvy people, is very strong. This is not surprising given the German history with the Stasi and the Gestapo monitoring Germans and imprisoning them for reasons as simple as having a different political view than the ruling class. German society strongly supports end-to-end encryption, civil society is heavily involved in digital politics, and the German legal framework treats privacy as a fundamental right, which is also stated in the German constitution.
Five Eyes and beyond: where things get complicated
UK and Australia have laws to mandate breaking encryption.
In contrast to this, the Five Eyes countries UK and Australia recently passed some of the worst surveillance bills in history, namely the UK Online Safety Act and the Australian TOLA.
TOLA in Australia and the Online Safety Act in the UK enable the authorities to require service providers to backdoor their encryption. And this is not a theoretical threat: In 2025, the UK Home Office department demanded that Apple remove the cloud encryption for all users. While Apple could have secretly done so, it instead leaked the UK government’s request, which led to a huge public outcry. In the end, Apple was not forced to break its encryption for all users. But no one can know whether other closed-source services have already complied with similar orders. Given encryption legislation like the Online Safety bill in the UK, one must assume that closed-source encrypted services can no longer be trusted.
TOLA not only allows the authorities to demand that encryption be broken for reasons of “national interest”; it also lets them issue “technical capability notices” with even broader surveillance demands directed at tech service providers.
Canada’s bill C-2 could enable government to undermine encryption.
Canada, another Five Eyes country, is also planning a bill that threatens end-to-end encryption: Bill C-2. If passed, it risks compelled decryption via undefined ‘systemic vulnerabilities’, and would threaten compliance with the European GDPR for Canadian service providers.
USA encryption legislation: risk of secret orders.
In the USA, end-to-end encryption cannot (yet) be legally broken. However, laws like the CLOUD Act and FISA give the authorities excessive rights for data requests to American tech providers, sometimes even without a court order. This is also why “sovereign clouds” by US providers are nothing but “sovereign washing” and must not be trusted. While a reform of FISA was planned in 2024, privacy rights were not strengthened then. On the contrary, FISA still gives the NSA and FBI a blank check for surveillance overreach and abuse. However, the US government was not able to pass proposed laws like the Lawful Access to Encrypted Data Act due to heavy push-back from civil society, which is very strong in the USA.
Switzerland: not as safe as one might think.
Already in 2016, Swiss citizens themselves voted for more surveillance, and now the Swiss Bundesrat is discussing a regulation that could put Switzerland on the same level as Australia and the UK. The draft demands that end-to-end encryption be broken and that IP addresses of communication and VPN providers be logged. While it is not yet certain whether this regulation will pass, it is obvious that Switzerland is no longer the safe haven for encrypted and privacy-first providers that some providers try to make you believe it is.
In fact, Swiss privacy is an illusion - or just a very good marketing stunt. So now, even Protonmail, an alternative to Tuta Mail, announced that they will move servers from Switzerland to Germany.
Privacy: from Europe, for the world
When it comes to encryption legislation and global trends, jurisdiction matters more than ever for secure communications providers like encrypted chat apps and email services like Tuta Mail. That’s why we at Tuta follow the legal situation worldwide closely, and will keep you posted on our blog and our social channels about threats to end-to-end encryption, but also about victories for privacy rights.
In 2025, we joined the heated Chat Control discussion and made clear that we at Tuta would never undermine our encryption. In fact, we would have rather sued the EU than broken our encryption. This is now no longer needed as the Chat Control draft that’s now being debated does not require undermining or breaking end-to-end encryption.
Tuta statement: We’d rather sue the EU than break our encryption.
This success was only possible because of several factors that are present in the EU, and particularly in Germany:
- Constitutional privacy protections
- Strong data-protection legislation (GDPR)
- High civil society engagement in digital rights
- High resistance to backdoors from civil society and businesses
All in all, we at Tuta are very happy that despite global trends Europe has finally come together to build on the reputation it gained when passing the General Data Protection Regulation: respect and protection for citizens’ privacy. This is the right step, particularly now that Europe is trying to become digitally sovereign. However, it is not a given that Europe will continue on this path - but we are going to be here to keep an eye on global encryption trends and on political developments to make sure that end-to-end encryption in Europe remains unbroken.
Let’s fight for privacy together!