With the new E-Government Act (EGovG), the Canton of Lucerne aims to structurally advance the digital transformation of public administration. During its May 2026 session, the Cantonal Parliament clearly endorsed the Government Council’s counterproposal to the popular initiative “Digitalisation Now!”, while simultaneously emphasising that digitalisation must not result in a “digital only” administration. Public authorities must remain accessible through analogue channels. This political consensus is both correct and necessary.
The proposed legislative framework — in particular the new E-Government Act (EGovG) — is intended to form the foundation of a modern, digitally interconnected administration. At the same time, the debate demonstrates that the real legal and strategic challenges are only beginning. The key question is no longer whether public administration should be digitalised, but how. Concepts such as “digital first” and “once only” raise significant concerns relating to data protection and fundamental rights which must be addressed more precisely during the legislative process.
Digitalisation Is Not an End in Itself
The Lucerne proposal pursues understandable objectives: more efficient administrative procedures, standardised core services, digital workflows and the reduction of repeated data entry. In particular, the so-called “once-only principle” initially appears both citizen-friendly and economically sensible.
From a legal perspective, however, this principle is highly sensitive. If citizens and businesses are expected to provide data only once, this inevitably means that different administrative units will gain access to data already collected elsewhere. This gives rise to the central constitutional question: which authority may access which data, for what purpose, and on the basis of which statutory provision?
At present, the proposal remains too vague in this respect. Swiss public law continues to be governed by the principle of purpose limitation: personal data may only be processed for the purpose for which it was originally collected or where a sufficiently clear legal basis exists. Any serious approach to digital government therefore requires an equally serious assessment of which authorities genuinely require access to which categories of data. Transparency towards affected individuals is essential. Citizens must be able to understand which public bodies access their data and for what reason.
Generalised interconnection of administrative data without a clearly identified operational need creates the risk that data will be used beyond its original purpose. Such an approach would be difficult to reconcile with the constitutional right to informational self-determination under Article 13 paragraph 2 of the Swiss Federal Constitution. Under Swiss data protection law, it is not sufficient that data is merely technically accessible. What matters is whether its use is proportionate, transparent and sufficiently defined by law.
Digital Sovereignty: Switzerland Must Not Repeat the Cloud Mistake
The debate surrounding the EGovG also raises a strategic issue extending far beyond Lucerne: digital sovereignty.
For many years, Switzerland underestimated the implications of dependencies in the cloud sector. Today, both public institutions and private organisations face the reality that critical digital infrastructures increasingly depend on a small number of international technology providers. This dependency cannot easily be reversed.
From the perspective of the Cantonal Government, there appears to be little immediate regulatory need in this area. Yet developments surrounding artificial intelligence suggest that history may repeat itself. Because technological progress is complex and dynamic, there is a real risk that regulatory and strategic decisions will once again be taken too late. This makes it all the more important to establish technologically neutral and sustainable principles at an early stage.
Depending on the criticality of the systems involved, such principles may include:
- clear interoperability requirements,
- avoidance of unnecessary vendor lock-ins,
- transparent governance structures,
- and consideration of a “second source” principle in order to reduce critical dependence on individual IT service providers.
Digital sovereignty does not mean technological isolationism. Rather, it means retaining effective control over data, systems and strategic decision-making capabilities. Genuine digital sovereignty requires more than organisational coordination alone.
Digital Administration (“Digital First”) — A Paradigm Shift
The EGovG follows a clear approach: public services are to be delivered primarily through digital channels (“digital first”), based on a centralised e-government infrastructure. User accounts, authentication systems and standardised interfaces are intended to facilitate seamless interaction between administrative entities. The Government’s commitment not to pursue a “digital only” approach demonstrates a welcome degree of proportionality.
Nevertheless, the constitutional right to privacy and protection of personal data under Article 13 paragraph 2 of the Federal Constitution requires state data processing activities to be clearly defined, proportionate and purpose-specific. In this regard, the Lucerne proposal remains partially too broad. In particular, concerns arise as to whether the planned interconnection of administrative data is sufficiently limited by law. Combined with pilot projects developed without an explicit statutory basis, this risks undermining public trust. Without clearly defined purposes, there is a danger of gradual expansion of state data use, with corresponding implications for informational self-determination.
There is also a structural transparency problem: the greater the flow of data between authorities, the more difficult it becomes for affected individuals to understand who processes which information and at what time. This places one of the central pillars of data protection law under pressure: the individual’s ability to retain control over their personal data.
Criticism by the Data Protection Authority: Correctly Focused
The Cantonal Data Protection Commissioner has identified several key weaknesses:
unclear purpose limitations, insufficient legal specificity, lack of transparency and inadequately defined security requirements.
From a constitutional and rule-of-law perspective, this criticism is entirely justified. It reflects core principles of Swiss data protection law: legality, purpose limitation, proportionality and data security. In a system designed around extensive data interconnection, these principles must not merely be referenced politically; they must be precisely codified and technically implemented.
Digitalisation Requires Democratic Debate — Not Merely Technical Implementation
It is encouraging that the political debate within the Lucerne Cantonal Parliament has recognised the risks of purely technocratic digitalisation. Several parliamentarians stressed that digitalisation must not lead to the exclusion of analogue access channels. This principle is fundamental: digitalisation must serve people — not the other way around.
The EGovG therefore provides an important basis for discussion. Not because it already contains all the answers, but because it opens the necessary debate: where does digitalisation create genuine added value? Where does it create new risks? And what constitutional safeguards are required for a modern digital administration?
Particularly in data-driven administrative processes, efficiency alone is insufficient. What matters is that digitalisation is implemented transparently, proportionately and in compliance with fundamental rights. Only then can long-term trust be established among both citizens and businesses.
Where the Legislature Must Tighten the Framework
The Cantonal Parliament now faces an important strategic choice. If digitalisation of public administration is to succeed in a sustainable and legally compliant manner, the following issues require particular attention:
- clear statutory limits on data use instead of broad general clauses,
- binding rules governing the once-only principle combined with transparency obligations,
- traceable data flows and effective control rights for citizens,
- concrete safeguards for digital sovereignty, particularly in relation to cloud services and IT outsourcing,
- mandatory privacy and security standards, including Privacy by Design.
Conclusion: Efficiency Requires the Rule of Law
The Lucerne proposal represents an important step towards a modern digital administration. Politically, it is more realistic and balanced than a rigid constitutional “digital first” obligation. At the same time, it demonstrates how closely digitalisation, data protection and fundamental rights are interconnected.
Efficiency gains must not come at the expense of informational self-determination. Sustainable digital transformation can only succeed if it rests on a clear legal foundation — transparent, controllable and technologically sovereign. It must not result in core questions of data protection and digital sovereignty remaining unresolved.
The upcoming legislative debates provide an opportunity to transform a pure digitalisation project into a constitutionally robust model of modern governance. This requires clear limits on data use, transparent data flows and strategic safeguards against new technological dependencies. Digitalisation should not occur merely because it is technically possible, but because it is proportionate, meaningful and democratically legitimate.
Artificial intelligence (AI) has long been part of our everyday lives. AI has become indispensable in schools, universities and businesses. Given the rapid development of artificial intelligence and its increasing presence in everyday life, it is becoming increasingly important to examine its opportunities and risks.
On February 23, 2026, the Federal Data Protection and Information Commissioner and around 60 other national data protection authorites worldwide published a joint statement on AI-generated images. This statement marks an important step in the international discussion on privacy and data protection in the digital age.
Deepfakes and AI: Why Data Protection Authorities Worldwide Are Issuing Warnings
Data protection authorites have expressed serious concerns about systems that use artificial intelligence to generate realistic images or videos of identifiable individual without their consent. Such technologies carry a high risk of abuse, for example through the creation of non-consensual, intimate depictions (known as deepfakes). Childern and other vulnerable groups are particularly at risk of becoming targets of cyberbullying, sexual exploitation or identity theft.
Laws in Switzerland: Are AI-generated images permitted?
In many juristictions – including Switzerland – the creation or distribution of images that have not been created with consent can have criminal consequences. From a data protection perspective, that use of AI systems to create realistic images raises significant questions regarding the legality of data processing and the protection of privacy. Personal data my only be used if there is a legal basis for doing so or if the data subject has given their expressed consent. Companies offering such systems must ensure that appropriate technical and organizational measures are taken to prevent misuse and unauthorized processing.
Recommendations for working with AI
The joint statement by the data protection authorities sets out several key principles that all organizations should follow:
- Impementation of robust protective measures to prevent the misuse of personal data and the creation of non-consensual intimate depictions and other harmful content, especially involving children.
- Ensuring meanigful transparency regarding the capabilities of AI systems, the protective mechanisms implementet, permissible uses, and the potential consequences of misuse.
- Provision of effective and easily accesible procedures through which data subjects can request the removal of harmful content relating to them.
- Special protection for children and other vulnerable groups.
Conclusion: Techological progress requires responsibility
The risks posed by AI-generated images are global and require urgent regulatory action. While AI offers enormous opportunities, technological progress must not come at the expense of privacy, data protection and other fundamental rights.