The U.S.-EU Safe Harbor was invalidated by the European Court of Justice (ECJ) last week in Schrems v. Data Protection Commissioner, meaning that the Safe Harbor no longer provides a legal basis for transfers of personal information from the EU to the United States. Companies that have relied on the Safe Harbor to justify the transfer of personal data from the EU to the United States now need to move quickly to put in place alternative bases for such transfers, so that they are not found out of compliance with European privacy laws. These mechanisms can include obtaining the unambiguous consent of data subjects, EU-approved model contract clauses, or binding corporate rules. But all of these options have drawbacks, and are susceptible to their own legal challenges. The ECJ’s decision does not immediately affect the U.S.-Switzerland Safe Harbor, but it may have implications for that scheme as well.