Switzerland's nFADP Enforcement Is Maturing — But the Absence of Corporate Fines Remains a Structural Constraint

Nearly three years into Switzerland's revamped data protection regime, the FDPIC has delivered substantive rulings — but a structural fine gap leaves deterrence questions open.

[Infographic: Switzerland nFADP Enforcement at a Glance (People of Internet Research). CHF 250k: max individual fine. ~30%: FDPIC staff increase. +53%: mediation request surge. 26: enquiries opened.]

Nearly Three Years In, a Verdict on Switzerland's nFADP

On September 1, 2023, Switzerland's revised Federal Act on Data Protection (nFADP) — replacing a framework from 1992 — entered into force. As of mid-2026, the Federal Data Protection and Information Commissioner (FDPIC) has concluded dozens of investigations, issued binding corrective orders, published landmark guidance on cookies and AI, and signed Switzerland's first international data protection memorandum of understanding, with the UK's ICO. The architecture of the regime is becoming visible. So are its constraints.

The FDPIC's 32nd Annual Report, published in January 2026 and covering fiscal year 2024/2025, announced a roughly 30 percent increase in staff assigned to data protection violations and reported a 53 percent surge in mediation requests — processing backlogs included. The enforcement caseload is real and growing. But the instrument set available to the Commissioner is fundamentally different from its European counterparts, and the gap matters.

What the Casebook Shows

The FDPIC's enforcement portfolio since the nFADP took effect has covered a striking breadth of actors and issues.

PostFinance AG became one of the most consequential decisions to date. Concluded in August 2025, the investigation found that PostFinance had created voiceprints for customer authentication without obtaining explicit consent — a violation of nFADP's data minimisation and lawfulness requirements. The FDPIC ordered deletion of non-consented voiceprints. PostFinance appealed, and the case is now before the Federal Administrative Court. It will be a bellwether for biometric enforcement.

Cembra Money Bank, in a January 2025 ruling, was reprimanded for responding to data access requests with standardised letters listing only data categories rather than the actual personal data requested, and for repeatedly missing the statutory 30-day deadline — by as much as nine months in some instances. This case reaffirms Article 25 of the FADP as an active enforcement priority.

The Xplain ransomware breach — involving the Federal Office of Police and the Federal Office for Customs and Border Security, whose IT processor Xplain suffered a 2023 attack that pushed personal data onto the darknet — produced an FDPIC finding that all three entities had fallen short of minimum data security standards. The case illustrated that the commissioner is willing to hold federal bodies accountable, not merely private companies.

Platform X and Grok: In March 2025, the FDPIC concluded its preliminary investigation into X's use of Swiss users' public posts to train the Grok AI model. The resolution — X introduced an opt-out mechanism — avoided a formal order but demonstrated the FDPIC's willingness to engage directly with frontier AI platforms. In June 2024, Meta had separately committed not to use Swiss Facebook and Instagram user data for AI training following FDPIC scrutiny.

Digitec Galaxus, Switzerland's largest online retailer, implemented a one-click opt-out for advertisement personalisation in November 2025 following an FDPIC investigation into its cross-platform tracking practices.

The Coop Group AI checkout camera case, concluded in October 2025, ended differently: the FDPIC found that AI-supported video surveillance at automatic checkout lanes was processed in compliance with the FADP. This matters — it establishes that the nFADP is not inherently hostile to AI-powered retail surveillance when basic proportionality conditions are met.

The Fine Structure Problem

Here is where a fair-minded analysis must spend time. Critics of Switzerland's approach — and they are not wrong — note a fundamental structural difference from the EU's General Data Protection Regulation. Under GDPR, data protection authorities can impose administrative fines directly on companies of up to 4% of global annual turnover. Under Switzerland's nFADP, the FDPIC cannot impose administrative fines on legal entities at all. Criminal penalties of up to CHF 250,000 target individuals — and only for wilful violations. Companies face fines of only up to CHF 50,000 in limited circumstances. The FDPIC's primary tool is the corrective order: comply, or appeal.

The steelman of this criticism is compelling. Without the threat of eight-figure fines, large multinationals may rationally calculate that Swiss enforcement risk is manageable — that a corrective order requiring an opt-out or a deletion is a bounded compliance cost, not a deterrent. This is not a hypothetical: the Digitec Galaxus resolution and the X/Grok outcome both involved no monetary penalty whatsoever.

The pro-innovation counterpoint is not that penalties are irrelevant, but that the GDPR's fine-maximisation model has produced perverse outcomes: over-lawyered consent pop-ups, data minimisation theatre, and SME compliance burdens that are not commensurate with actual harm. Switzerland's nFADP pushes toward outcome-oriented enforcement — does the processing cause harm? Is the consent mechanism effective? — rather than checklist gatekeeping. The approach can produce genuine remediation, as the PostFinance voiceprint deletion and the X opt-out show.

Switzerland Diverges from Brussels on AI

The divergence is sharpest on artificial intelligence. On February 12, 2025, the Federal Council declined to adopt an EU AI Act equivalent, choosing instead to ratify the Council of Europe's Framework Convention on Artificial Intelligence. Sector-specific legislative amendments are now expected by end of 2026, with parliamentary implementation unlikely before 2029.

This is a deliberate bet on a lighter, principles-based approach rather than Brussels' risk-tier compliance architecture. The FDPIC has reinforced this by clarifying, in a May 2025 position statement, that the FADP is directly applicable to AI-supported data processing in a technology-neutral manner — meaning DPIA requirements, transparency obligations, and lawfulness conditions apply to AI systems without awaiting AI-specific legislation. In February 2026, the FDPIC co-signed a joint statement with 60 data protection authorities globally on AI-generated images, calling for erasure mechanisms and child protection safeguards.

Swiss AI governance is thus emerging as a hybrid: existing data protection law applied proactively to AI, backstopped by the Council of Europe Convention's human-rights framing, with sector-specific rules to follow. Whether this is sufficient — particularly for foundation models, autonomous systems, and real-time biometric identification — remains an open question the 2026 legislative drafts will need to answer.

Cookie Guidance and Compliance Infrastructure

The FDPIC's January 2025 cookie guidelines — updated in October 2025 and accompanied by a March 2026 factsheet — applied a technology-neutral consent standard to cookies, browser fingerprinting, pixels, and ID graphs alike. Non-essential tracking requires prior consent. The guidance also addressed "consent or pay" models: they can be lawfully deployed, but conditions apply.

This is not maximalist regulation. The FDPIC did not replicate France's CNIL approach of proactively auditing hundreds of top websites. It published clear, practical guidance and expects the market to self-calibrate — with enforcement reserved for cases that present material privacy risks.

What Switzerland Gets Right

The nFADP represents a thoughtful middle path: substantive obligations modernised to include biometric data, privacy by design, breach notification, and high-risk profiling regulation, without the compliance overhead that has made GDPR a burden on the smallest operators. The FDPIC's risk-prioritisation principle — focusing resources on cases with significant impacts on fundamental rights — is how a well-resourced regulator should operate.

The fine structure is a real weakness that future Swiss legislative revision should address. But the regime's record at nearly three years — actionable cases across biometrics, AI, access rights, security, and retail tracking — is more substantive than critics of Switzerland's "soft" approach have credited. The outstanding question is whether corrective orders alone are sufficient as the data processing environment grows in scale and risk.
