[turc1656]

I'd like to point out one thing. The people at ProtonMail are clearly under the belief that they are only subject to Swiss law because they are located in Switzerland. That's not my understanding of the law at all. Granted, it seems like an obvious conclusion but legally the truth seems to be different.

For instance, at my employer we had training on the GDPR rules and how they relate to us. We are a US based company with many global clients. However, we do have a physical presence in some EU countries so that does differ with the ProtonMail situation. However, in our training we were told that our business presence in the EU is irrelevant to the actual law because we would still be bound by it as it relates to our global clients. The layman's explanation we were given was that if you are using the internet to conduct digital business across country borders then you are pretty much subject to the laws of both nations between the client and the service provider.

That generally translates to defaulting to whichever law is more restrictive. For companies like Facebook and Google, they've rolled out GDPR style protections for everyone globally because it's much easier to do so than to only have it apply to a portion of their users, but that's a separate story.

I think everyone intuitively understands and knows this to be true. We can all think of cases where hackers have committed crimes that may only violate, for example, US laws and have been tried and convicted of such crimes even though they were committed overseas but the aggrieved party is the US or its citizens.

I think what ProtonMail is really saying is that because Switzerland doesn't have laws similar to China in this regard, China won't be able to convince Switzerland to extradite them to China for prosecution.

That's also why Russia threatened to ban them - because they know there is zero chance they will be willingly handed over to Russian authorities for this.

[vorpalhex]

Not all countries handle international law violations the same. ProtonMail makes this clear in the above explanation - other foreign countries are welcome to make claims, but they must do so under Swiss law and Swiss courts. Swiss law, afaik, does not allow the Russians to simply claim all user records.

[pkilgore]

> The people at ProtonMail are clearly under the belief that they are only subject to Swiss law because they are located in Switzerland.

What led you to believe this is so clear?

[turc1656]

These excerpts taken together:

1) "As a Swiss company, when it comes to the data of Proton users, we will only comply with the laws of Switzerland, the jurisdiction of our headquarters and where all of our servers are located. As we have always consistently stated in our terms and conditions and privacy policy, any requests which fall outside of Swiss law will be politely refused"

2) "Proton does not have offices, employees, subsidiaries, or any permanent establishments in China or Russia, and as such, we do not fall under the scope of these laws, nor can these laws be enforced against us. However, this does not mean authorities in these countries would not try to enforce the laws anyways."

[protonmail]

It's actually a bit more nuanced. Any government in any country can at any time decide that their laws apply to you (because hey, it's a government, they can do whatever they want). However, unless you are operating in that country, there is very little they can do in terms of enforcing that upon you.

[turc1656]

Yes, that's the point I was trying to make - your country would have to be willing to participate. That's risky, albeit to varying degrees, depending on the country a person/business reside in because governments can change their opinion at any moment or enter in new agreements to combat whatever they may deem as "global crime".