With the invalidation of the EU-US Privacy Shield, the Schrems II decision changed the way organizations manage personal data transfers overnight. To legally transfer personal data from the EU to a third country, it must be shown that the recipient country and company have an equivalent level of data protection to that of the GDPR.
With its judgment on the Schrems II case, the CJEU invalidated and cast doubt upon the two most common mechanisms relied on for transfers to the United States: EU-US Privacy Shield and SCCs, respectively. While SCCs are still valid, they will require case-by-case consideration, and it is unlikely that SCCs alone will establish GDPR equivalency.