The European Court of Justice has declared the Privacy Shield agreement with the USA invalid. This means the previously common practice of exporting data is no longer legal in many cases. Transferring personal data to a country outside the EU is now only permitted if the destination country guarantees equivalent data protection to the EU GDPR. This requirement was not met by the USA or other insecure third countries, which is why the “EU Privacy Shield” was invalidated by the ECJ in the “Schrems II” case. The white paper uses the example of IT security to analyse the impact of this decision on the deployment of non-EU service providers. Many companies use software solutions and “as-a-service” offerings from larger, more established providers from the USA to defend against cyberattacks or load handling via a Content Delivery Network (CDN). In this cooperation, personal data of suppliers or business partners, for example, may be stored on servers outside the EU. Data protection officers and IT teams in companies must quickly find solutions to these data protection problems. There is a need for immediate action. If not, there is the threat of fines.