On 16 July 2020, the Court of Justice of the European Union (“CJEU“) examined the validity of the European Commission’s Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield) as well as the validity of the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses between the data exporter in the EEA and the data importer in the third country (“SCCs“). While the CJEU ruled that the Privacy Shield Decision is invalid, it explicitly upheld the decision on the SCCs. So what does that mean for personal data transfers to the US and other non-EEA countries that do not guarantee an adequate level of data protection similar to the one in the EEA?