The European Court of Justice for the European Union’s recent decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) is of significance to organizations who transfer data out of, or receive it from, the European Union. As well as addressing the adequacy of Standard Contractual Clauses (a mechanism for lawful data transfers under the European Union’s General Data Protection Regulation), the Court has invalidated the EU-US Privacy-Shield mechanism for data transfers, striking a major blow to the thousands of U.S.-based organizations that currently rely on the shield to receive data transfers from the EU.