Life sciences companies who routinely transfer personal data, typically sensitive personal health data, from within the EU to the U.S. commonly rely — in addition to consent, model clauses and public health benefit exemptions — on safe harbor to validate such transfers. A recent case may require that strategy to be reconsidered.