Twenty-first century commerce depends on the unencumbered flow of data around the globe. At the same time, however, individuals everywhere are clamouring for governments to do more to safeguard their personal data. A prominent outgrowth of this global cacophony has been reinvigorated regulatory focus on cross-border data transfers. Russia made headlines because it enacted a law in September 2015 that requires companies to store the personal data of Russians on servers in Russia. While this is an extreme example of ‘data localisation’, the Russian law is not alone in its effort to create impediments to the free flow of data across borders. The Safe Harbor framework, which was a popular tool used to facilitate data flows from the EU to the US for nearly 15 years, was invalidated by the Court of Justice of the European Union (CJEU) in October 2015, in part as a result of the PRISM scandal that arose in the wake of Edward Snowden’s 2013 revelations. The invalidation of Safe Harbor raised challenging questions regarding the future of transatlantic data flows. A successor framework, the EU–US Privacy Shield, was unveiled by the European Commission in February 2016 and in July 2016 was formally approved in Europe. In January 2017, the Swiss government announced its approval of a Swiss–US Privacy Shield framework.