The Court of Justice for the European Union (CJEU) has invalidated the EU-U.S. Privacy Shield, a mechanism designed to ensure the privacy of EU citizens’ data when conveyed to other nations in a manner consistent with the EU’s General Data Protection Regulation (GDPR). Makers of drugs and devices are not without recourse in transferring patient data to the U.S. for clinical trials conducted in Europe, but industry must revisit their standard contractual clauses to ensure those protocols provide the necessary privacy provisions, or face fines that could amount to tens of millions of euros.