Switzerland's independent data protection authority just delivered an unusually pointed message to its own government: the problem with the country's flagship digital-identity projects isn't the law — it's the people running them.
A regulator stretched across 306 projects
On 30 June 2026, the Federal Data Protection and Information Commissioner (FDPIC) published its 33rd Annual Report, covering data protection activity from April 2025 to March 2026 and freedom-of-information matters for calendar 2025. Commissioner Adrian Lobsiger's office reported consulting on 306 inter-departmental digital initiatives over the period, including the nationwide rollout of electronic communications in the courts and welfare system, the AGOV authentication service that increasingly functions as the shared login layer for federal digital services, the e-ID electronic identity system, and a new IT platform for police investigations shared between the Confederation and the cantons.
The report's core finding is not that these systems are unlawful. It is that federal "management cultures" handle conventional information-security risk competently — encryption, access controls, breach response — but, in the FDPIC's own words, "find it more difficult to address the systemic potential for surveillance and external control that can arise from the seamless processing of ever-larger and more complex volumes of personal data."
Steelmanning the concern
This is a fair worry, and Switzerland has more reason than most countries to take it seriously right now. A separate but parallel debate over revising the country's telecom surveillance ordinance — which would require services with more than 5,000 users to collect government ID and retain metadata for six months — prompted Geneva-based Proton to announce in September 2025 that it was moving most of its infrastructure into the EU, with CEO Andy Yen arguing the closest European analogue to the proposed regime was Russia's. That is a different dossier from the FDPIC's report, but it captures the same underlying anxiety: once a state builds infrastructure that links identity, authentication, and investigative data across agencies, the marginal cost of surveillance creep drops sharply. AGOV was designed to be a single sign-on for e-government; a system built for convenience is, almost by definition, also built for correlation. "We followed the security checklist" is not the same claim as "we protected against misuse of scale."
Why the enforcement numbers argue for proportion, not a pause
But the report's own statistics undercut the case for treating this as a crisis requiring new legislation. The FDPIC received more than 2,000 reports of potential violations in the reporting year, intervened informally 156 times, opened 22 preliminary investigations, and escalated only 9 to formal investigations. That is a regulator triaging aggressively and reserving its heaviest tool for a small fraction of complaints — not one drowning in unaddressed abuse. On 6 October 2025, the Federal Administrative Court upheld the FDPIC's enforcement practice in a closely watched case over an online "clergy check" database, confirming that the revised Data Protection Act gives the office real teeth without requiring a rewrite.
The e-ID timeline tells a similar story about a system correcting itself before regulators have to force the issue. Also on 30 June 2026, the Federal Office of Justice confirmed it is delaying the identity system's public rollout — originally planned for the second half of 2026 — because "security considerations take precedence," pushing the underlying trust infrastructure to the first half of 2027 to harden defenses against malware and deepfake-enabled fraud. That is close to the sequencing critics of centralized digital ID should want: a voluntary delay driven by internal risk review, not a regulator forcing a shutdown after harm has occurred. It suggests the FDPIC's consultative role — exercised across all 306 projects it reviewed this year — is functioning as an early-warning system, not being ignored.
The freedom-of-information flank is weaker
Where the report's criticism lands harder is transparency. Freedom-of-information requests have tripled over the past decade, and the Federal Administration's refusal rate has held under 10% — a genuinely strong record. But the FDPIC also flagged that 13 new statutory exemptions were added during the reporting period, with 11 more under consideration, quietly narrowing the Act's scope two decades after it took effect. A regulator that is simultaneously this permissive on refusal rates and this alarmed about carve-outs is describing legislative drift, not enforcement failure — and that is Parliament's problem to fix, not a reason to expand the FDPIC's own mandate.
The right fix is governance, not a moratorium
The proportionate response to this report is to take the "management culture" critique literally: build privacy engineering and proportionality review into digital projects at the design stage — where the FDPIC's consultative role already sits — rather than treat every centralizing government IT project as inherently suspect. Switzerland does not need to slow e-ID and AGOV to a crawl; it needs the agencies building them to internalize systemic risk with the same seriousness they already give to encryption. The FDPIC's own numbers show a regulator with functioning tools, real court backing, and an enforcement touch light enough that innovation is not the casualty. If there is a casualty here, it is public trust — and that is best protected by taking Lobsiger's diagnosis seriously while the infrastructure is still being built, not after it ships.