Doesn’t look like Proton did anything wrong, they can’t fight these requests and he was caught by identifying information he linked to his account.
They could disclose the fact that they might need to give that info to authorities and warn users of that.
They never mention it here for example https://proton.me/blog/protonmail-threat-model
They do mention it on that page:
However, if presented with a valid order from a Swiss court involving a case of criminal activity that is against Swiss law, Proton Mail can be compelled to share account metadata (but not message contents or attachments) with law enforcement.
The only ever claim to encrypt message contents and attachments. And explicitly call out account meta data here as something they can hand over if requested by law enforcement. They also mention they are not good vs targeted and governmental level attacks:
There are, however, some risks for users facing a strong adversary, such as a government focusing all its resources on a very specific target.
And explicitly mention they might be compelled to log and give up information like ip adresses:
if you are breaking Swiss law, a law-abiding company such as Proton Mail can be legally compelled to log your IP address.
https://proton.me/legal/law-enforcement
Here the mention clearly the data mentioned in the privacy policy which in turns clearly states that you MAY provide a recovery account which will be associated with your account. I also think that anybody that should be concerned for this should understand that law enforcement can get ALL the data the company has on you.