Switzerland Switzerland FDPIC nFADP data protection

Swiss Privacy Regulator's First Binding Court Win Cements Its Power — Its Own Agencies Are the Ones Still Resisting

A landmark ruling confirms the FDPIC's enforcement authority, even as its annual report finds federal agencies hiding data risks from decision-makers.

Switzerland's Data Regulator, By the Numbers People of Internet Research · Switzerland 2,000+ Data breach notifications Filed with the FDPIC, April 2025 t… 156 Formal FDPIC interventions Enforcement actions in the same 12… 24 FOIA exemptions, existing + planned 13 already in law, 11 more propose… peopleofinternet.com
Switzerland's Data Regulator, By the N… People of Internet Research · Switzerland 2,000+ Data breach notifications 156 Formal FDPIC interventions 24 FOIA exemptions, existing + plann… peopleofinternet.com

Key Takeaways

Switzerland's Federal Data Protection and Information Commissioner spent three years building enforcement powers it had never legally tested. On 6 October 2025, it finally found out they hold up. The Federal Administrative Court dismissed an appeal by the association Bürgerforum Schweiz against a processing ban the FDPIC had issued over its "Pfarrer-Check" campaign, which published online whether individual clergy members had responded to a religious-views questionnaire. The FDPIC's own account of the ruling frames it correctly: this is the first legally binding confirmation of how the office exercises its case-opening and order-issuing powers under the revised Federal Act on Data Protection (nFADP), in force since 1 September 2023.

That validation is the headline of the FDPIC's 33rd annual activity report, published 30 June 2026 and covering April 2025 to March 2026. But the more consequential finding sits deeper in the document: the regulator now has confirmed teeth, and it says federal agencies are making a habit of staying out of their reach.

The steelman: risk-hiding has real victims

Commissioner Adrian Lobsiger's report describes what it calls "counterproductive management cultures" — not a lack of technical expertise inside federal offices, but a reluctance to escalate residual data-protection risk to the political and executive decision-makers who are supposed to own it. The nFADP explicitly requires disclosure of substantial residual risk; the report finds offices declining to make that disclosure regularly.

This is not an abstract complaint. The report's own case file supplies a concrete example: cantonal police accessing the national RIPOL search system through the Multiple Applications Coordination Service received incomplete data for roughly two years before the FDPIC opened a preliminary investigation, forcing every cantonal query in the interim to be manually reconfirmed with the federal police office. Similarly, a follow-up review of the AGOV federal authentication service — commissioned after the Xplain data-leak scandal — found that recommended safeguards, including comprehensive data-flow documentation and independent technical audits, still haven't been fully implemented by the Digital Transformation and ICT Steering Sector. The FDPIC is also mid-review on the Justitia 4.0 e-court platform and the E-SOP social-security communication system, both processing sensitive personal data at national scale.

Given that pattern, the case for an assertive regulator with confirmed binding authority is strong. When a government office building shared infrastructure used by every canton, or a court digitisation project touching every litigant's records, treats a data-protection warning as something to route around rather than escalate, the people who bear the consequences are the residents whose records sit inside those systems — not the officials who declined to flag the risk. A regulator whose enforcement orders can be quietly appealed into irrelevance gives management exactly the incentive to keep downplaying residual risk. The October ruling removes that option.

Where the proportionate case cuts back

But the report's second theme deserves more scrutiny than the first, and it's where the FDPIC's own instincts are sound: the twentieth anniversary of the Freedom of Information Act. FOIA requests have roughly tripled over the past decade — 2,145 applications for access in 2025 alone, per the report's own statistics, with the federal administration granting full or partial access to about three-quarters of them and outright refusals holding under 10%. That is a genuine paradigm shift from the pre-2006 default of official secrecy, and it's working roughly as the 2004 legislature intended.

What isn't working is the Federal Council and Parliament's pattern of carving new sectors out of that presumption whenever an office finds the compliance burden inconvenient: 13 statutory exemptions already exist, and the report counts 11 more in the legislative pipeline — covering areas like civil aviation oversight and financial-assistance decisions during epidemics. Lobsiger says he will keep contesting these carve-outs in office consultations. He's right to. Transparency exemptions, unlike data-protection risk disclosures, don't require balancing against a legitimate competing security interest in most of these cases — they're mainly administrative convenience dressed up as necessity, and once granted they rarely sunset.

The useful distinction the report inadvertently draws is this: aggressive enforcement against agencies that hide risk from oversight is a proportionate, evidence-driven use of regulatory power — the October ruling earns its keep here. Aggressive exemption-granting that hides records from the public is the opposite: a quiet rollback of a legislative bargain that has otherwise delivered exactly the transparency gains it promised. Switzerland's digital-government projects — e-ID, Justitia 4.0, the police information-sharing platform under consultation since February 2026 — should keep moving; slowing federal digitisation to match the most risk-averse office's comfort level would be its own kind of harm. The fix for a management culture that won't self-report residual risk is a regulator that can act on it after the fact, which Switzerland now confirms it has. The fix for a legislature that keeps granting secrecy exemptions is not more enforcement power at all — it's Parliament declining to grant the next eleven.

Sources & Citations

  1. FDPIC 33rd Annual Report 2025/2026 (PDF)
  2. FDPIC: Federal Administrative Court confirms EDÖB practice
  3. FDPIC (EDÖB) press release
  4. Netzwoche: EDÖB hadert mit systemischen Risiken