International transfers of personal data are more important than ever. Most, if not all, global companies need to transfer personal data across geographies simply to maintain their basic operations. When it comes to companies and products related to digital services or internet, this becomes essential. Having said that, in a post Schrems II world, tracking such transfers in detail, applying some restrictions and adequately documenting those activities, is also a must-have for global companies (as most of them need to comply with the GDPR and other similar laws in different parts of the world) to maintain compliance. From the EU perspective, but this approach is also increasingly shared by other jurisdictions, the data can freely flow only to the countries and regions which essentially protect personal data to a similar extent or at least so that there are no additional substantial risks to the rights and freedoms of persons concerned, when compared with the country of the exporter of personal data. Otherwise, such transfers can only take place provided that additional measures, such as for example contractual measures, are put in place to compensate relevant deficiencies related to the level of protection of personal data. With the Schrems II ruling this is obviously not sufficient any more as even in such case the legal system and practices of such importing country need to be scrutinized to make sure that the compliance measures, such as contractual measures, which in most cases mean standard contractual clauses, are truly effective and thus adequate level of protecting individual rights is fully ensured.
Of course such measures and compliance assessments are essentially not needed when the EU already recognized a country as providing adequate protection of personal data. Most notably both Switzerland and the UK benefit currently from such status. Such recognition comes obviously with a price, meaning that in practice such country or jurisdiction needs to ensure similar, high threshold for further transfers of personal data, otherwise the country risks loosing adequacy during the next assessment. In addition to that, global companies operating in Switzerland and the UK most often than not are also very much engaged in conducting business in the EU and because of the sheer proportion of the relevant markets, it is always the GDPR which seems to be the first and most obvious priority.
Both Switzerland and the UK in one way or the other seem to be well aware of these opportunities and limitations and both have a long history of being recognized as business-friendly and pragmatic jurisdictions, which very aptly maintain a delicate balance between needs of the business, societal expectations and overall compliance requirements as reflected in their distinct and differing legal systems. Most recently both of these countries had to deal with the topic of Schrems II, as well as the EU response in terms of new guidance documents and, later, new and revised standard contractual clauses. Both countries are also in the process of updating their data privacy laws. Switzerland updates its old act and ordinance to meet the GDPR threshold and to maintain in future the adequacy status, as well as to be fully able to become party of the 108+ convention. At the same time UK, which left the EU, successfully obtained the EU adequacy status, essentially transitioned to its own, but still very similar, version of the GDPR and looks further to substantially update its legal system to be more modern, more apt of innovation, but this will also mean a much higher level of divergence from the GDPR.
In terms of international transfers of personal data and what is the appropriate compliance mechanism to export such data to countries and jurisdictions which do not provide adequate level of protection of personal data, both Switzerland and the UK mimic the EU post Schrems II approach to require additional assessments and scrutiny to make sure that the relevant measures, and most notably contractual clauses, are truly effective and cannot be simply ignored without any consequence by authorities or companies of the importing country. At the same time both Switzerland and the UK accepted the EU standard contractual clauses themselves and recognized them to serve as a transfer compliance mechanism also for the purpose of transfers out of Switzerland and the UK. This is of course something very much welcomed by the business, greatly facilitates drafting, reviewing and executing the relevant contracts and sounds very logical, given that both Switzerland and the UK are very much aiming to preserve the same level of privacy and individual rights as in the EU. This, however, is not so simple and straightforward as it might seem in the first place. The EU standard contractual clauses for transfers of personal data to third countries are obviously drafted with a specific focus on EU compliance only. This is reflected in the contractual language, in all the provisions, and essentially very little room, if any at all, is left for flexibility. Both Switzerland and the UK had to deal with this problem and they did it in a slightly different way and, as it turned out, the Swiss approach is way more simple and easy to implement, which in turn has very practical consequences for the entire process of contracting and contract execution.
To go in more detail, both countries, while accepting the EU standard contractual clauses as a compliance transfer mechanism to transfer personal data from them to third countries not providing adequate protection of personal data, still requires the clauses to be amended to reflect their own legal requirements, such as obviously what is the relevant jurisdiction, data protection authorities and some further, less salient features differing from the EU requirements.
The big difference is that the Swiss requirements are very simple, do not essentially contradict the EU legal requirements, and, because of their brevity, can easily be incorporated in the contract itself, either as part of the main body or in a form of short appendix. In contrast to that, the UK requires many pages long standard appendix available on the ICO website to be used alongside the EU standard contractual clauses. While the document itself is readily available, it requires substantial filling out and customization efforts, not to say reading the document itself, which adds much to the amount of work one must spend to draft and review the contract. With this, the document and approach also puts companies at risk of breaching the GDPR, as it clearly prioritizes the UK law in contradiction to the express provisions of the EU standard contractual clauses on that matter. While one can argue this is only for the transfers in scope of the UK law, but, with the GDPR and UK law following similar extraterritorial approach, the risk might be more tangible as it first seems. Swiss authorities decided to rest more silent on that matter, which, sometimes, is much better and one more headache less when analysing ever more complicated landscape of international data transfer compliance.
All things considered, with other jurisdictions aiming to maintain or obtain the EU adequacy status, or, sometimes, wanting to mimic EU approach just for the benefit of being business-friendly for companies doing business and maintaining compliance globally, this example could form a useful lesson of what are the dos and donts of business-friendliness when privacy contracting and international transfers of personal data are concerned.

