Data Protection Reports Double: Swiss Authorities and Companies Neglect Risks in IT Projects

Summary

The Swiss Federal Data Protection and Public Information Commissioner Adrian Lobsiger reports in his current activity report a drastic increase in data protection violations: in 2025, his office recorded almost 2,500 reports – more than double those from 2024. In 156 cases, Lobsiger had to intervene. A focus of his work lies in advising federal offices and private companies, where he observes that data protection risks are systematically neglected in large IT projects. In parallel, Lobsiger warns against new technologies such as intelligent glasses with video functionality and against the use of artificial intelligence without transparent regulations.

Persons

• Adrian Lobsiger (Swiss Federal Data Protection and Public Information Commissioner)

Topics

• Data protection violations
• IT security
• Artificial intelligence
• Transparency and public information law

Clarus Lead

The doubling of data protection reports within one year signals a turning point in Swiss data protection practice: not primarily a growing problem, but increased problem awareness among the population following the new data protection law. At the same time, the report reveals a critical governance gap – federal offices and large private corporations manage technical IT risks professionally, but systematically overlook the political and social consequences of networked data architectures. For decision-makers, this means: large projects will henceforth require not only IT security, but explicit risk assessment at management level before they are approved.

Detailed Summary

The increase in reports reflects two parallel phenomena: on one hand, Switzerland has had a modern data protection law since 2021 that provides citizens with concrete complaint procedures – they are increasingly exercising this right. On the other hand, this is not a crisis, but rather a normal aspect of digitalization: with every online contact, every state database, and every corporate IT system, data traces are created that harbor potential for abuse.

A central failing lies in the governance of larger IT projects. Lobsiger specifically criticizes that project teams do play out failure scenarios (hacker attacks, system failures), but do not communicate systemic risks in understandable language to political decision-makers: What new data networks are being created? Who gains access to what? What new surveillance risks are created for citizens? A prime example: police platforms that link cantonal data with federal data. Lobsiger intervened until the cantons more precisely described who could access which data for what purposes – and exempted minor crime categories.

A new risk focus area is artificial intelligence. Lobsiger tested intelligent glasses (Meta Ray-Bans): they film continuously and can stream recordings live to the internet – without this being visible. Meta has assured Switzerland that facial recognition will remain disabled and training data will not be transferred to Africa. According to Lobsiger's interpretation, the data protection law already contains rights for AI scenarios: the right to know whether you are communicating with a human or a machine; the right to object to data training; transparency in automated decisions. The Federal Council and Parliament do not need to wait for a separate AI law – the existing law is sufficient.

Parallel to his data protection role, Lobsiger is the Public Information Commissioner. The Public Information Act of 2006 established a presumption: government documents are fundamentally public, exceptions (ongoing negotiations, security) must be justified. So far this works well – only 10% of all requests are completely refused. However, Lobsiger warns of erosion: authorities and parliament are increasingly planning exceptions to the law (already eleven new exceptions are in force or planned). A current example is the customs dispute with the USA over telephone records of Federal Councillor Karin Keller-Sutter – the Economic Department refuses journalists access to files citing "ongoing negotiations" and even forbids Lobsiger himself from viewing the files in preparation for a mediation procedure. This contradicts the law and undermines the presumption of access.

Key Statements

• Data protection reports have doubled – not automatically a system failure, but an expression of increased legal awareness following the new law.
• IT projects suffer from communication gaps: technical teams describe failure risks but ignore the political and social consequences of data networking.
• Artificial intelligence is already regulable – existing data protection laws cover transparency, objection, and control rights; no separate AI law required.
• Public Information Act is eroding: executive and legislative branches are systematically planning exceptions; Lobsiger warns of loss of confidence in the transparency presumption.

Critical Questions

1. Evidence/Data Quality: Are the 2,500 reports in 2025 really comparable to those in 2024, or has changed reporting or marketing of the new law led to artificial growth?

2. Conflicts of Interest: Lobsiger negotiated with Meta over facial recognition – how were independent technical audits conducted, or does Switzerland rely on Meta's assurances without external control?

3. Causality: Does data protection review, as in the police platform case, really delay security, or was the original plan technically insufficient and the review corrected legitimate deficiencies (as the federal court later confirmed)?

4. Feasibility: How can Lobsiger communicate realistic risk assessments in "understandable language" to Federal Councillors without trivializing or distorting complex technology?

5. Side Effects: Do too many exceptions to the Public Information Act actually lead to increased secrecy, or are legal protected spaces (ongoing negotiations) substantively necessary?

6. Regulatory Pressure: If Swiss data protectors regulate more strictly than the EU, could companies deliberately shift their activities to EU countries – is the goal of stricter data protection achievable?

7. AI Interpretation: Does Lobsiger derive the right to object to AI training from the existing law or is he reinterpreting it? How will the court decide?

Sources

Primary Source: Daily Conversation: Adrian Lobsiger on Data Protection and Artificial Intelligence – SRF Radio, June 30, 2026

Verification Status: ✓ 2026-06-30

This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 2026-06-30