Data transfer regulations: Impact on Swiss and USA companies

Summary: Key takeaways for busy Readers

• Switzerland follows a unified approach under the Federal Act on Data Protection (FADP), similar to the EU’s GDPR.
• The USA lacks a single federal law, relying on sector-specific rules and new national security-driven restrictions.
• Swiss companies must assess international transfer compliance based on adequacy decisions or legal safeguards.
• The Swiss-U.S. Data Privacy Framework (DPF), effective September 2024, simplifies transfers to certified U.S. companies.
• New U.S. regulations (2024-2025) restrict transfers of sensitive personal data to "countries of concern," affecting business operations.
• Third-Party Risk Management (TPRM) and cybersecurity are critical for both Swiss and U.S. companies handling global data transfers.
• The future of data transfers remains uncertain, with growing trends in data localization and evolving regulations.

Introduction

Data transfer regulations are rapidly shaping global business strategies, especially for companies in Switzerland and the USA. With the rise of cybersecurity threats, privacy concerns, and government intervention, businesses must navigate an increasingly complex regulatory environment.

Switzerland has a structured, GDPR-inspired data protection law (FADP), ensuring clear guidelines on international data transfers. In contrast, the USA operates within a fragmented legal system, with a mix of federal, state, and industry-specific regulations.

Recent developments—including the Swiss-U.S. Data Privacy Framework and new U.S. restrictions on transfers to "countries of concern"—have significantly impacted companies dealing with cross-border data. This article breaks down these regulations, their effects on businesses, and what compliance strategies organizations should adopt.

Switzerland’s unified approach: The Federal Act on Data Protection (FADP)

Switzerland’s Federal Act on Data Protection (FADP), effective September 1, 2023, is designed to protect personal data and align with international best practices, particularly the EU’s GDPR. (for more information about FADP, please visit https://www.dlapiperdataprotection.com/)

Key features of the FADP

• Applies to personal data of natural persons (not legal entities).
• Provides data subjects with enhanced rights, including access requests and correction rights.
• Mandates data breach notifications, requiring companies to report incidents promptly.

The FADP ensures that Swiss companies transferring personal data abroad adhere to strict compliance rules, adding complexity but also fostering greater trust in data protection.

Swiss data transfer rules: Compliance and challenges

Swiss companies must comply with stringent rules when transferring personal data internationally. The law divides countries into two categories:

1. Adequate Countries: The Swiss Federal Council maintains a list of countries deemed to have equivalent data protection standards. These include all EEA nations, the UK, and—since September 2024—the USA (for certified companies under the DPF).
2. Non-Adequate Countries: Transfers to these locations require additional safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Challenges for Swiss companies

• Assessing destination country compliance and implementing safeguards when necessary.
• Ensuring contractual obligations for third-party vendors handling personal data.
• Managing remote access risks, as accessing Swiss data from abroad is considered a transfer under FADP.

Supplier Shield’s managed services can assist Swiss companies in conducting due diligence on destination countries, drafting effective contracts with third-party vendors, and ensuring compliance with both domestic and international regulations.

The Swiss-U.S. Data Privacy Framework (DPF)

To simplify data transfers, Switzerland and the USA established the Swiss-U.S. Data Privacy Framework in September 2024. This agreement mirrors the EU-U.S. Data Privacy Framework, offering a structured system for businesses.

Key benefits for Swiss companies

• Transfers to certified U.S. companies are legally recognized, avoiding complex adequacy checks.
• Companies gain structured legal remedies, ensuring Swiss data subjects have redress mechanisms in case of misuse.
• Reduces administrative burdens for Swiss firms working with American businesses.

However, Swiss companies must still verify that their U.S. partners are DPF-certified and remain compliant with evolving Swiss and EU data protection expectations. Supplier Shield’s cloud platform can simplify the technical side of this process by automating data transfer assessments and providing monitoring of cross-border data flows.

USA’s complex data protection landscape

Unlike Switzerland, the USA does not have a unified federal data privacy law. Instead, businesses must navigate a patchwork of regulations, including:

• Sector-specific laws like HIPAA (healthcare) and GLBA (finance).
• State privacy laws, such as California’s CCPA, Virginia’s CDPA, and Colorado’s Privacy Act.
• New federal rules focusing on national security and foreign data transfers.

The fragmented nature of data protection laws in the U.S. makes compliance especially challenging for multinational businesses.

USA’s new data transfer restrictions to “countries of concern”

In 2024 and 2025, the U.S. government introduced major restrictions on international data transfers:

• Executive Order 14117 (February 2024): Prohibits transferring sensitive U.S. personal data to "countries of concern" for national security reasons.
• DOJ Final Rule (December 2024): Implements strict regulations on sensitive data types, including financial, biometric, and geolocation data.

Impact on U.S. companies

• Limits business partnerships with organizations in restricted countries (e.g., China, Russia).
• Adds compliance requirements for companies dealing with foreign subsidiaries.
• Pushes companies toward data localization, increasing infrastructure costs.

Comparing Swiss and USA data transfer regulations

Switzerland offers clarity, while U.S. companies must adapt to evolving security-driven regulations.

The rise of Third-Party Risk Management (TPRM) in data compliance

With increasing regulations, companies must ensure that third-party vendors comply with data protection laws.

Key TPRM considerations

• Conduct regular vendor audits for compliance with FADP, GDPR, and U.S. laws.
• Ensure third-party contracts include data protection clauses.
• Implement real-time monitoring to prevent unauthorized data transfers.

Whether you need to implement, enhance, or gain visibility of your supply chain, we at Supplier Shield are here to help. Contact us.

Cybersecurity considerations for cross-border data transfers

With growing cyber threats, businesses must enhance data security during transfers.

Essential cybersecurity measures

• End-to-end encryption for data in motion.
• Access control and multi-factor authentication for critical systems.
• Continuous monitoring and incident response plans for data breaches.

Future trends: Where are data transfer laws heading?

• Switzerland: The FADP remains stable, but EU-driven changes could emerge.
• USA: Ongoing debate about a federal data privacy law could lead to further regulatory shifts.
• Global: Data localization and sovereignty laws may increase, affecting international business strategies.

What businesses need to do now

• Swiss companies should align with FADP rules and leverage the Swiss-U.S. Data Privacy Framework.
• U.S. businesses must comply with sectoral regulations and new national security-driven restrictions.
• All companies must prioritize TPRM and cybersecurity to avoid regulatory penalties and data breaches.

As the regulatory landscape evolves, businesses must stay informed, adaptable, and proactive to ensure data transfer compliance without disrupting global operations. With Supplier Shield’s expertise in data compliance, risk management, and secure cloud solutions, businesses can simplify the complexity of global data transfers and protect themselves against regulatory challenges.

FAQs

1. What is the main difference between Switzerland’s FADP and the EU’s GDPR?

‍The Federal Act on Data Protection (FADP) in Switzerland is inspired by the EU’s General Data Protection Regulation (GDPR), but there are some differences:

• The FADP applies only to natural persons, whereas the GDPR covers both individuals and legal entities.
• The FADP has no transition period—companies needed to be compliant immediately when it came into effect on September 1, 2023.
• Swiss companies must ensure data protection for remote access from abroad, which is treated as a data transfer under the FADP.

Despite these differences, the FADP aligns closely with the GDPR, making it easier for Swiss companies to work with EU partners.

2. How does the Swiss-U.S. Data Privacy Framework help companies?

‍The Swiss-U.S. Data Privacy Framework (DPF), effective from September 15, 2024, simplifies data transfers between Switzerland and the USA.

• It allows certified U.S. companies to receive Swiss personal data without requiring additional legal safeguards (e.g., standard contractual clauses).
• Swiss companies benefit from legal remedies if certified U.S. companies violate the framework’s terms.
• It reduces the compliance burden for Swiss companies engaging in business with American counterparts.

However, Swiss companies must confirm that their U.S. partners are properly certified under the framework.

3. What are the USA’s new restrictions on data transfers?

‍In 2024 and 2025, the U.S. government introduced significant new rules on data transfers:

• Executive Order 14117 (February 28, 2024): Prohibits the transfer of sensitive U.S. personal data (e.g., financial, biometric, health data) to "countries of concern" (like China and Russia) due to national security risks.
• DOJ Final Rule (December 27, 2024): Implements the executive order, broadening the definition of sensitive data to include anonymized or encrypted information.

These rules mean that U.S. companies must carefully monitor where data is being transferred and who has access to it—especially for high-risk data types.

4. How can businesses manage third-party data risks?

‍Managing third-party risk (TPRM) is essential for both Swiss and U.S. companies handling personal data. Best practices include:

• Vendor audits: Conduct regular assessments to verify that third-party partners comply with relevant regulations (FADP, GDPR, CCPA, etc.).
• Contractual safeguards: Ensure that data protection clauses are built into contracts with vendors, including security protocols and liability terms.
• Data access limits: Restrict vendor access to sensitive data to only what’s necessary for operational purposes.
• Continuous monitoring: Use automated tools to monitor data transfers and detect potential security breaches in real-time.

5. Will the USA introduce a unified federal data privacy law?

‍There have been ongoing discussions in the U.S. about introducing a comprehensive federal privacy law, but no legislation has passed yet.

• As of March 2025, 20 states have enacted their own data privacy laws, creating a complex regulatory environment.
• Federal initiatives like the American Data Privacy Protection Act (ADPPA) have stalled due to disagreements over state preemption and enforcement authority.
• However, rising concerns over national security and foreign data access could accelerate efforts toward federal regulation in the near future.

For now, U.S. businesses must manage compliance with a mix of state laws, sectoral regulations, and national security rules.

‍