With the new E-Government Act (EGovG), the Canton of Lucerne aims to structurally advance the digital transformation of public administration. During its May 2026 session, the Cantonal Parliament clearly endorsed the Government Council’s counterproposal to the popular initiative “Digitalisation Now!”, while simultaneously emphasising that digitalisation must not result in a “digital only” administration. Public authorities must remain accessible through analogue channels. This political consensus is both correct and necessary.
The proposed legislative framework — in particular the new E-Government Act (EGovG) — is intended to form the foundation of a modern, digitally interconnected administration. At the same time, the debate demonstrates that the real legal and strategic challenges are only beginning. The key question is no longer whether public administration should be digitalised, but how. Concepts such as “digital first” and “once only” raise significant concerns relating to data protection and fundamental rights which must be addressed more precisely during the legislative process.
Digitalisation Is Not an End in Itself
The Lucerne proposal pursues understandable objectives: more efficient administrative procedures, standardised core services, digital workflows and the reduction of repeated data entry. In particular, the so-called “once-only principle” initially appears both citizen-friendly and economically sensible.
From a legal perspective, however, this principle is highly sensitive. If citizens and businesses are expected to provide data only once, this inevitably means that different administrative units will gain access to data already collected elsewhere. This gives rise to the central constitutional question: which authority may access which data, for what purpose, and on the basis of which statutory provision?
At present, the proposal remains too vague in this respect. Swiss public law continues to be governed by the principle of purpose limitation: personal data may only be processed for the purpose for which it was originally collected or where a sufficiently clear legal basis exists. Any serious approach to digital government therefore requires an equally serious assessment of which authorities genuinely require access to which categories of data. Transparency towards affected individuals is essential. Citizens must be able to understand which public bodies access their data and for what reason.
Generalised interconnection of administrative data without a clearly identified operational need creates the risk that data will be used beyond its original purpose. Such an approach would be difficult to reconcile with the constitutional right to informational self-determination under Article 13 paragraph 2 of the Swiss Federal Constitution. Under Swiss data protection law, it is not sufficient that data is merely technically accessible. What matters is whether its use is proportionate, transparent and sufficiently defined by law.
Digital Sovereignty: Switzerland Must Not Repeat the Cloud Mistake
The debate surrounding the EGovG also raises a strategic issue extending far beyond Lucerne: digital sovereignty.
For many years, Switzerland underestimated the implications of dependencies in the cloud sector. Today, both public institutions and private organisations face the reality that critical digital infrastructures increasingly depend on a small number of international technology providers. This dependency cannot easily be reversed.
From the perspective of the Cantonal Government, there appears to be little immediate regulatory need in this area. Yet developments surrounding artificial intelligence suggest that history may repeat itself. Because technological progress is complex and dynamic, there is a real risk that regulatory and strategic decisions will once again be taken too late. This makes it all the more important to establish technologically neutral and sustainable principles at an early stage.
Depending on the criticality of the systems involved, such principles may include:
- clear interoperability requirements,
- avoidance of unnecessary vendor lock-ins,
- transparent governance structures,
- and consideration of a “second source” principle in order to reduce critical dependence on individual IT service providers.
Digital sovereignty does not mean technological isolationism. Rather, it means retaining effective control over data, systems and strategic decision-making capabilities. Genuine digital sovereignty requires more than organisational coordination alone.
Digital Administration (“Digital First”) — A Paradigm Shift
The EGovG follows a clear approach: public services are to be delivered primarily through digital channels (“digital first”), based on a centralised e-government infrastructure. User accounts, authentication systems and standardised interfaces are intended to facilitate seamless interaction between administrative entities. The Government’s commitment not to pursue a “digital only” approach demonstrates a welcome degree of proportionality.
Nevertheless, the constitutional right to privacy and protection of personal data under Article 13 paragraph 2 of the Federal Constitution requires state data processing activities to be clearly defined, proportionate and purpose-specific. In this regard, the Lucerne proposal remains partially too broad. In particular, concerns arise as to whether the planned interconnection of administrative data is sufficiently limited by law. Combined with pilot projects developed without an explicit statutory basis, this risks undermining public trust. Without clearly defined purposes, there is a danger of gradual expansion of state data use, with corresponding implications for informational self-determination.
There is also a structural transparency problem: the greater the flow of data between authorities, the more difficult it becomes for affected individuals to understand who processes which information and at what time. This places one of the central pillars of data protection law under pressure: the individual’s ability to retain control over their personal data.
Criticism by the Data Protection Authority: Correctly Focused
The Cantonal Data Protection Commissioner has identified several key weaknesses: unclear purpose limitations, insufficient legal specificity, lack of transparency and inadequately defined security requirements.
From a constitutional and rule-of-law perspective, this criticism is entirely justified. It reflects core principles of Swiss data protection law: legality, purpose limitation, proportionality and data security. In a system designed around extensive data interconnection, these principles must not merely be referenced politically; they must be precisely codified and technically implemented.
Digitalisation Requires Democratic Debate — Not Merely Technical Implementation
It is encouraging that the political debate within the Lucerne Cantonal Parliament has recognised the risks of purely technocratic digitalisation. Several parliamentarians stressed that digitalisation must not lead to the exclusion of analogue access channels. This principle is fundamental: digitalisation must serve people — not the other way around.
The EGovG therefore provides an important basis for discussion. Not because it already contains all the answers, but because it opens the necessary debate: where does digitalisation create genuine added value? Where does it create new risks? And what constitutional safeguards are required for a modern digital administration?
Particularly in data-driven administrative processes, efficiency alone is insufficient. What matters is that digitalisation is implemented transparently, proportionately and in compliance with fundamental rights. Only then can long-term trust be established among both citizens and businesses.
Where the Legislature Must Tighten the Framework
The Cantonal Parliament now faces an important strategic choice. If digitalisation of public administration is to succeed in a sustainable and legally compliant manner, the following issues require particular attention:
- clear statutory limits on data use instead of broad general clauses,
- binding rules governing the once-only principle combined with transparency obligations,
- traceable data flows and effective control rights for citizens,
- concrete safeguards for digital sovereignty, particularly in relation to cloud services and IT outsourcing,
- mandatory privacy and security standards, including Privacy by Design.
Conclusion: Efficiency Requires the Rule of Law
The Lucerne proposal represents an important step towards a modern digital administration. Politically, it is more realistic and balanced than a rigid constitutional “digital first” obligation. At the same time, it demonstrates how closely digitalisation, data protection and fundamental rights are interconnected.
Efficiency gains must not come at the expense of informational self-determination. Sustainable digital transformation can only succeed if it rests on a clear legal foundation — transparent, controllable and technologically sovereign. It must not result in core questions of data protection and digital sovereignty remaining unresolved.
The upcoming legislative debates provide an opportunity to transform a pure digitalisation project into a constitutionally robust model of modern governance. This requires clear limits on data use, transparent data flows and strategic safeguards against new technological dependencies. Digitalisation should not occur merely because it is technically possible, but because it is proportionate, meaningful and democratically legitimate.
FAQs
- What is the “once-only principle” in e-government?
  The once-only principle means that citizens and businesses should only have to provide information to public authorities once. Authorities may then reuse that data internally where legally permitted.
- Why does the once-only principle raise data protection concerns?
  Because it increases interconnectivity between administrative systems and may lead to broader data sharing across authorities. Without strict legal safeguards, this risks undermining purpose limitation and informational self-determination.
- What does “digital sovereignty” mean in the context of public administration?
  Digital sovereignty refers to the ability of the state to maintain effective control over its data, infrastructure and strategic technological decisions, particularly in relation to cloud providers, AI systems and external IT suppliers.