On 16 July 2020, the Court of Justice of the EU delivered one of the most anticipated decisions on data protection, ruling on the validity of standard contractual clauses. These clauses are widely used legal instruments for transferring personal data outside the European Economic Area (EEA). The court held that the clauses are valid, but that data protection authorities in the EU can prohibit or suspend transfers under these clauses if the third country's legal system does not provide a level of personal data protection essentially equivalent to that in the EU. The ruling also addressed the validity of the EU-US Privacy Shield framework, facilitating personal data transfers to the US. The court invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by this mechanism due to the limitations of data protection safeguards in US law in the national security context. On the one hand, the ruling clarifies the uncertainty surrounding these two mechanisms for personal data transfer, but on the other it marks another watershed in the governance of cross-border transfers to the US.