Data protection and freedom of information: Management cultures make enforcement difficult
Berne, 30.06.2026 — The Federal Data Protection and Information Commissioner (FDPIC) has criticised management cultures that play down systemic data protection risks in large-scale digital projects and undermine the Freedom of Information Act, which, after 20 years, has numerous gaps in its coverage. These are key points in the 2025/2026 Annual Report, published today.
Over 2,000 reports of potential data protection violations were received during the reporting year. The FDPIC intervened 156 times to advise data controllers of issues that had arisen and conducted 22 preliminary investigations and 9 investigations. In most cases, an amicable solution was reached. Where this was not possible, the FDPIC issued rulings for the data processing operations to be stopped; in response, a number of companies filed appeals with the Federal Administrative Court. The first final judgment on these appeals, issued on 6 October 2025, represents a milestone: around two years after the revised Data Protection Act (FADP) came into force, the court upheld the FDPIC’s decision-making practices, thereby strengthening legal certainty following the revision of the FADP. In addition, the FDPIC filed a criminal complaint against a private company that refused to cooperate as required by law.
Reluctance to disclose systemic data protection risks
In the course of 306 inter-departmental office consultations, the FDPIC expressed his views on the Federal Administration’s legislative proposals and provided regulatory advice on the associated major digital projects. These projects include the nationwide roll-out of electronic communications on legal matters in the court and welfare systems, the IT platform for police investigations, electronic mail, the AGOV authentication service and the e-ID.
In the course of his work on these projects, the Commissioner has generally observed a keen willingness on the part of federal agencies to identify information security risks, such as data breaches or unauthorised access, and the measures required to mitigate them. The Federal Administration, however, is finding it more difficult to address the systemic potential for surveillance and external control that can arise from the seamless processing of ever-larger and more complex volumes of personal data. Because of the management culture in certain federal agencies, the FDPIC has found it challenging to encourage them to disclose systemic risks to higher-level political bodies or to the public.
Erosion of the principle of freedom of information
Over the past 20 years, the principle of freedom of information has become firmly established. Requests for access to official documents have more than tripled in the last ten years, while the number of cases in which the Federal Administration refuses any access at all has stabilised at just under ten per cent. The paradigm shift that Parliament was seeking when the Freedom of Information Act (FoIA) came into force in 2004 has therefore taken place. However, the FDPIC has noted with concern that an increasing number of heads of federal offices are adding provisions to the legislation that their offices draft to exempt their official documents from public access under the FoIA. The number of FoIA exemptions rose to 13 during the reporting period, and a further 11 are planned.
The FDPIC’s annual report documents the authority’s activities over the reporting period and features a special focus on the FoIA to mark its 20th anniversary. A further key topic covered by the annual report is AI.
