Switzerland Switzerland FDPIC nFADP data protection

Switzerland's Data Protection Watchdog Names the Real Risk: Agency Culture, Not Technology

FDPIC's 33rd annual report says federal management cultures downplay systemic risk in digital projects and let FOIA gaps persist after 20 years.

Switzerland's 33rd FDPIC Report, By the Numbers People of Internet Research · Switzerland 2,000+ Violation reports received Potential data protection violatio… 31 Investigations opened 22 preliminary inquiries plus 9 fu… 3x FOI requests, decade growth Freedom of information requests ha… 20 yrs Freedom of Information Act age The law's 20th anniversary review … peopleofinternet.com
Switzerland's 33rd FDPIC Report, By th… People of Internet Research · Switzerland 2,000+ Violation reports received 31 Investigations opened 3x FOI requests, decade growth 20 yrs Freedom of Information Act … peopleofinternet.com

Key Takeaways

On 30 June 2026, Switzerland's Federal Data Protection and Information Commissioner (FDPIC) published its 33rd Annual Report, covering data protection activity from April 2025 to March 2026 and freedom-of-information matters for calendar year 2025. Its headline finding is not a fine or a breach — it is a diagnosis of institutional behavior. The FDPIC states plainly that federal agencies find it "challenging, as a result of their management culture, to encourage certain federal agencies to disclose systemic risks" to political bodies or the public, even as they readily flag conventional information-security incidents like breaches or unauthorised access, per the official press release.

The Case for Taking This Seriously

The steelman here is straightforward, and the FDPIC's own casework backs it up. The report distinguishes between two kinds of risk: the kind agencies are comfortable naming (a breach, a hack) and the kind they are not (the "systemic potential for surveillance and external control" that builds quietly as government systems process ever-larger, more complex volumes of personal data). That second category is harder to see coming and harder to walk back once entrenched — which is exactly why a culture that treats it as an inconvenient talking point, rather than a governance question for ministers or parliament, is a legitimate regulatory concern.

Two live federal projects illustrate why. The FDPIC has been supervising CEBA (Cloud Enabling Büroautomation) since the Federal Chancellery approved migrating the entire federal administration's office software to Microsoft 365 in February 2023. The Commissioner's demand — that the project examine "risks relevant to data protection law, in particular with regard to access by foreign authorities," and address growing dependency on a single dominant cloud provider — is not bureaucratic friction. It is the correct question to ask before, not after, tens of thousands of federal employees' working documents sit on infrastructure reachable under another country's law.

The Xplain case shows what happens when that question goes unasked. After a 2023 ransomware attack on the federal IT contractor Xplain exposed sensitive data from the police office fedpol and the customs authority FOCBS on the darknet, the FDPIC's investigation found that neither federal office had clearly agreed with Xplain on the terms under which personal data could sit on the contractor's servers in the first place — a basic governance failure, not a sophisticated attack. As swissinfo.ch reported, the government's own account acknowledged mistakes on both sides. That is the management-culture problem the 33rd report is naming: risk that was foreseeable, and a chain of command that didn't surface it until after it materialized.

Where the Report Overreaches the Remedy

None of that, however, supports treating digitalisation itself as the hazard. The report's own numbers show a regulator already functioning with real teeth under the new Federal Act on Data Protection (nFADP), in force since September 2023: over 2,000 reports of potential violations in the period, 156 interventions, and 31 preliminary and full investigations opened, per the FDPIC's own release. Switzerland's model is also, usefully, more proportionate than the EU's: the FDPIC cannot levy GDPR-style turnover-based fines against institutions at all — enforcement runs through corrective orders, with criminal penalties of up to CHF 250,000 falling on individuals via cantonal prosecutors, per ICLG's 2025/26 Swiss data protection guide. That structure already targets the right lever: accountable people, not blanket restrictions on modernization projects that make government services faster and cheaper to run.

The fix the report itself implies — and the one worth taking from this — is disclosure discipline, not a digitalisation slowdown. Large government IT projects should carry a standing obligation to report systemic-risk assessments to parliament or an independent oversight body before deployment, the way CEBA's data protection impact assessment already does in outline. That closes the gap the FDPIC is describing without treating cloud migration, AI adoption, or shared services as inherently suspect.

The Freedom of Information Half of the Story

The report's other anniversary finding deserves at least equal weight: the Freedom of Information Act turns 20 in 2026, and the FDPIC flags "numerous gaps in its coverage" even as demand for it has tripled over the past decade while refusal rates have held near 10%, per the same release. That is a transparency story, and it cuts toward more openness, not less. A regulator worried that agencies downplay systemic risk to political bodies should be a natural ally of a law that lets citizens and journalists surface exactly that risk independently. Parliament should treat the FOIA review as the more urgent half of this report — closing two decades of accumulated exemptions does more to expose management-culture problems than any new internal reporting requirement will.

The throughline is accountability, not caution. Switzerland doesn't need slower government IT projects; it needs the people running them to say the quiet part — the systemic risk, not just the security incident — out loud, and a transparency law with enough reach to catch them if they don't.

Sources & Citations

  1. FDPIC — Annual Report of the FDPIC (33rd Report, 2025/2026)
  2. FDPIC press release — Management cultures make enforcement difficult
  3. FDPIC — CEBA project supervision page
  4. Fedlex — Federal Act on Data Protection (nFADP)
  5. swissinfo.ch — Mistakes on both sides in Xplain government data breach
  6. ICLG — Data Protection Laws and Regulations Report 2025-2026: Switzerland