On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, ruling, among other things, that U.S. domestic law governing law enforcement access to transferred data does not satisfy the GDPR’s requirements because, as the Court stated, U.S. surveillance programs are not limited to “what is strictly necessary to achieve the legitimate objective in question”. In a separate portion of the opinion, however, the CJEU upheld as valid Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries. This is the second ruling (known commonly as “Schrems II”) by the CJEU overturning an established mechanism to transfer personal data from the EU to the U.S. Indeed, only five years ago the CJEU issued its “Schrems I” decision invalidating the long-standing EU-U.S. Safe Harbor, which had been a method to transfer data across the Atlantic without running afoul of the EU Data Protection Directive, a predecessor of the GDPR.