When regulators publish annual reports, the private sector usually bears the brunt of criticism. Switzerland's Federal Data Protection and Information Commissioner (FDPIC) broke that convention in its 33rd Annual Report, released June 30, 2026: the most pointed warning was aimed at federal government bodies whose institutional cultures are actively suppressing disclosures under both data protection law and the Freedom of Information Act.
The report — covering nFADP enforcement from April 2025 through March 2026 and FoI activity through December 2025 — documents a regulator operating at significantly higher tempo than in the law's introductory phase. The FDPIC received more than 2,000 reports of potential violations under the revised Federal Act on Data Protection (nFADP), which entered into force on September 1, 2023. Of those, 156 prompted advisory interventions — direct communications encouraging voluntary compliance — while 22 cases were escalated to preliminary investigations. Nine formal investigations were completed under the new law, a milestone signalling that the nFADP's supervisory regime has moved beyond initial setup into sustained enforcement. In one case involving a private company's refusal to cooperate, the FDPIC filed a formal criminal complaint.
The Problem Inside Government
The numbers tell one story; the institutional critique tells another. The FDPIC's report flags that certain federal agencies are resisting pressure to surface systemic data protection risks to their political superiors or to the public. The language is unusually pointed for a Swiss government document: the Federal Administration, the FDPIC writes, "is finding it more difficult to address the systemic potential for surveillance and external control that can arise from the seamless processing of ever-larger and more complex volumes of personal data." Management culture, the report concludes, is discouraging officials from escalating risks upward.
This matters because enforcement tools are most effective against external actors. The nFADP gives the FDPIC binding powers — it can mandate modifications to data processing, order deletion of unlawfully held records, and, in deliberate non-cooperation cases, refer matters for criminal prosecution. But these mechanisms function through formal adversarial proceedings. When a federal agency's own management culture suppresses internal disclosure of systemic risks, the enforcement chain breaks before the FDPIC even learns there is a problem. The regulator is an oversight body, not a superior agency; persuasion and escalation have to substitute for coercive authority.
To steelman the agencies' position: large-scale data integration across government systems is genuinely complex, and not every systemic risk is clearly articulable as a legal violation. Some management reluctance may reflect uncertainty about legal thresholds rather than bad faith. But the FDPIC, having been involved in 306 inter-departmental consultations on major digital projects in the reporting year alone — covering a national police IT platform, the AGOV authentication service, the e-ID rollout, and electronic court communications — is well-positioned to distinguish genuine ambiguity from institutional avoidance.
Freedom of Information: Requests Rising, Exemptions Rising Faster
The management culture problem compounds a parallel concern on the FoI side. Requests to federal bodies have tripled over the past decade, reflecting sustained and growing public interest in administrative transparency. Yet statutory exemptions from FoI disclosure rose to 13 during the reporting period, with 11 more planned. That trajectory — tripling demand, expanding grounds for denial — runs directly counter to what the Freedom of Information Act (BGÖ) was enacted to achieve.
The FDPIC has been explicit that it views these exemptions critically. After more than 20 years on the books, the BGÖ has accumulated structural gaps, and the expanding list of agency exclusions represents institutional self-protection rather than principled privacy balancing. This is worth taking seriously as a distinct problem from data protection enforcement: transparency and data protection are not in tension here. Both are being obstructed by the same dynamic — agencies that prefer opacity when the legal framework permits any ambiguity.
Enforcement Design vs. Enforcement Culture
Switzerland's approach to data protection enforcement is deliberately proportionate. Unlike the EU's GDPR, which authorises national data protection authorities to impose administrative fines of up to 4% of global annual turnover, the nFADP does not give the FDPIC direct sanctioning power. Intentional violations by natural persons carry criminal fines of up to CHF 250,000, enforced by cantonal prosecutors rather than by the FDPIC itself. The Federal Administrative Court upheld the FDPIC's core decision-making practices in an October 6, 2025 ruling, providing legal certainty to the new enforcement model — but that model still relies heavily on binding recommendations and voluntary compliance rather than financial deterrence.
From a pro-innovation standpoint, this proportionate design has real advantages. Organisations engaging in good-faith data stewardship are not subject to the existential fine exposure that has chilled some legitimate data use under GDPR. The 306 inter-departmental consultations during the year reflect the FDPIC's preference for getting privacy protections right at the design stage — a far more efficient intervention than post-hoc enforcement. The model is sound. The problem is that it depends on a cooperative institutional counterpart, and that counterpart is missing inside parts of the federal administration.
The Right Fix Is Political, Not Regulatory
The tempting policy response is to expand the FDPIC's coercive tools — adopt GDPR-style administrative fines, impose mandatory timelines for federal agencies to report systemic risks, create penalties for management non-disclosure. Some of these measures may be worth considering. But the 33rd Annual Report's core finding is not a gap in legal authority; it is a gap in political accountability.
Federal agencies that suppress systemic risk disclosures are not doing so because the nFADP permits it. They are doing so because no political consequence currently follows. The Xplain ransomware incident of 2023, in which a federal IT contractor's breach exposed government data partly because data-sharing arrangements among agencies and contractors were opaque, illustrated precisely this failure mode. The FDPIC concluded formal proceedings in that case. The report suggests institutional lessons were only partially absorbed.
The fix must come from political principals. The Federal Council and Parliament need clearer requirements for agencies to surface systemic data risks to supervisory ministries — and those ministries need to act when they do. The FDPIC can investigate and recommend; only elected decision-makers can change the institutional incentives that make silence easier than disclosure.