
Switzerland's Data-Protection Scam Exploits nFADP Confusion the Regulator Itself Can't Fully Dispel

FDPIC warns of fake breach-notice emails demanding fees — a fraud that works precisely because Switzerland's privacy law is new and its enforcement powers misunderstood.

[Infographic: "The Scam vs. How the FDPIC Actually Works" (People of Internet Research, Switzerland). CHF 250k: maximum nFADP criminal fine, imposed on individuals by cantonal authorities. CHF 0: real FDPIC fee charged to operators; the commissioner does not charge one. Sep 2023: nFADP in force since, replacing the previous Swiss statute.]

Key Takeaways

On April 7, 2026, Switzerland's Federal Data Protection and Information Commissioner (FDPIC, known by its German acronym EDÖB) published a warning that fraudulent emails are circulating in its name. The messages target website operators, falsely assert that the recipient has breached the revised Federal Act on Data Protection (nFADP), and pressure the target to either pay a fee or hand over personal data. The regulator says it will file a criminal complaint against persons unknown with the Office of the Attorney General, and it urges recipients to watch for spoofed sender domains, demands for payment, and links of unclear origin.

The scam itself is unremarkable — impersonating an authority to extract money is among the oldest tricks online. What makes this episode worth analysing is why it is plausible enough to attempt. The fraud works because Switzerland's data-protection regime is both new and widely misunderstood, and because the regulator's actual powers look nothing like the caricature the scammers are selling.

Why the impersonation is credible

The nFADP entered into force on 1 September 2023, replacing a 1992 statute. For the average Swiss SME or sole-trader website operator, that means roughly two and a half years of living under obligations — breach notification, records of processing, tightened transparency duties — that they only half understand. Into that uncertainty steps an email bearing official-looking branding and a deadline. A recipient who knows the law exists, but not how it is enforced, has little basis to call the bluff.

That is the real vulnerability the fraud exploits: not a flaw in the law, but a gap between the law's existence and the public's literacy about it. Every new compliance regime opens a window of this kind. The GDPR spawned an entire cottage industry of fake "compliance certificates" and cookie-consent shakedowns in its first years; Switzerland is now living through its own version.

The tell the scammers get wrong

Here is the detail that should let any informed operator dismiss the email instantly: the FDPIC does not work this way. Unlike a GDPR data-protection authority, the Swiss commissioner cannot impose administrative fines at all; it can investigate and issue binding orders to change or stop a processing operation, but it cannot bill anyone. Criminal penalties under the nFADP, up to CHF 250,000, are imposed by cantonal prosecution authorities on the responsible individuals, after criminal proceedings. They are not levied by the FDPIC as an invoice, and they are not a fee a website owner can simply pay to make a problem disappear.

Nor does the FDPIC bill website operators for investigations or compliance. There is no "settle now to avoid escalation" payment channel because no such channel exists in Swiss law. An unsolicited email demanding a transfer to clear an alleged breach is, by the structure of the statute itself, impossible to reconcile with how the regulator actually operates. The fraud is defeated not by vigilance alone but by understanding the enforcement architecture.

The steelman for tougher rules

There is a fair argument on the other side. Proponents of GDPR-style direct fining powers would say that a regulator able to issue binding penalties commands enough public recognition that impersonation becomes harder — people know what a real enforcement notice looks like because they have seen the genuine article. A more visible, more feared regulator is, on this view, a less impersonable one. And mandatory breach-notification duties, whatever friction they add, do push firms toward security hygiene that reduces the underlying attack surface. These are not trivial points.

But the Swiss model is the better answer, and this incident illustrates why. Switzerland deliberately chose criminal liability for culpable individuals over administrative fines on companies, keeping enforcement proportionate, court-supervised, and aimed at genuine wrongdoing rather than revenue generation. That design has a quiet anti-fraud dividend: because the regulator never sends pay-to-resolve demands, any such demand is self-evidently fake. A system that fined firms by administrative letter would, paradoxically, make the scammers' letters look more legitimate.

The proportionate fix

The lesson is not that Switzerland needs heavier privacy rules — it is that it needs better-communicated ones. The FDPIC's response so far is exactly right in tone: a clear public warning, concrete red flags, and a criminal referral rather than a knee-jerk call for new statutory powers. The most valuable thing the regulator can now do is what costs the least: state, prominently and repeatedly, that it never demands payment, never invoices operators, and cannot itself fine anyone.

Fraud thrives in the fog of an unfamiliar law. The durable defence is regulatory literacy — making the enforcement model so widely understood that the impersonation collapses on contact. That is a far cheaper, and far more pro-innovation, remedy than another tier of compliance obligation layered on the businesses that are themselves the victims here.

Sources & Citations

  1. FDPIC / EDÖB official communications
  2. Swiss Confederation SME portal — nFADP
  3. ICLG Data Protection Laws — Switzerland 2026
  4. Steiger Legal — EDÖB fraud-email warning