
Bridging distances: how DeepSign keeps Swiss business moving
13 May 2025
Data privacy laws vary widely by country. In the U.S., broad surveillance powers raise concerns, while Switzerland offers stricter, more transparent protections under GDPR-like rules.
In today’s digital economy, where data is the world’s most valuable asset, where your data is stored — and under whose laws — has become just as important as how it is secured. Amid growing concerns over surveillance, regulatory overreach, and inconsistent global standards, the contrast between U.S. and Swiss data protection laws appears even more stark. Here’s why the applicable jurisdiction matters more than ever.
The U.S.: Fragmented laws, global surveillance
The United States does not have a single, comprehensive data protection law covering all kinds of personal data. Instead, a patchwork of sector-specific regulations is applicable within the U.S. — like HIPAA (for health), GLBA (finance), and COPPA (children’s privacy) — along with enforcement powers granted to the Federal Trade Commission (FTC) under U.S. consumer protection laws.
More concerning for international businesses and individuals alike is the U.S. CLOUD Act (2018), which gives U.S. authorities the power to access data held by American companies under specific legal prerequisites — even if that data is stored outside the U.S.
Though primarily aimed at foreign intelligence gathering, the Foreign Intelligence Surveillance Act (FISA) allows U.S. intelligence agencies to access data related to foreign nationals for national security purposes — without the need to notify the data subjects thereof or provide them with any legal recourse. Section 702 of FISA, in particular, has been widely criticized for enabling mass surveillance programs that operate beyond the protections of U.S. constitutional law.
The lack of a U.S. federal privacy standard on data protection, combined with powerful government access mechanisms like the U.S. CLOUD Act and FISA, has led the European Court of Justice to invalidate transatlantic data transfer agreements such as EU-US Privacy Shield, further eroding trust from European data subjects in U.S.-based services. However, a new EU-U.S. Data Privacy Framework (DPF) was set up in 2023, which aims to address some of the issues raised about its predecessor. It should be noted that the DPF, in turn, is now under scrutiny, too.
Switzerland: Neutral, independent, and GDPR-aligned
In contrast to the U.S., Switzerland has codified its data privacy law into national law — the Federal Act on Data Protection (FADP) — which was totally revised in 2023 to mirror the European Union’s General Data Protection Regulation (GDPR).
Switzerland enforces strict rules on cross-border data transfers, allowing them only to countries deemed to have “adequate” legal protections. The U.S. is on that list of safe countries, but only for DPF-certified U.S. companies. This makes it illegal for Swiss businesses to transfer personal data to U.S. providers without a DPF certification, other additional safeguards, or the individual consent of the data subjects.
Data privacy is overseen by the Federal Data Protection and Information Commissioner (FDPIC) — an independent Federal authority authorised to monitor compliance with data protection laws and address data violations. This institutional independence is a key reason that Switzerland continues to be recognized for digital trust and legal neutrality.
Why this matters more than ever
When you entrust your data to a service provider, you are also submitting the data to their applicable legal system. In Switzerland, personal data benefits from constitutional privacy rights and from oversight by an independent Federal authority.
For privacy-conscious individuals and organizations, the choice of jurisdiction is thus not just an abstract question — it’s a strategic business decision. Choosing a cloud provider to whom U.S. laws are not applicable is increasingly important, not a luxury.