At the heart of yesterday's case before the CJEU was the question of whether the EU standard contractual clauses for transfers of personal data from controllers based in the EU to processors based outside the EU (Commission Decision 2010/87/EU) (the SCCs or Model Clauses) are a valid mechanism for lawfully exporting personal data from the EU, given the possibility that the national security and law enforcement authorities at the destination country may oblige the data importer to disclose the EU personal data to them. Furthermore, the case also extended to the question of the validity of another key EU data exports mechanism – the EU-US Privacy Shield (Decision 2016/1250).
It's a little early to speculate on enforcement risk while this new decision is digested and its ramifications fully considered. However, businesses will need a time to review and, where necessary, adjust their approaches. A more detailed commentary from my colleagues: Antonis, Nick, and Simon, among others can be found at the attached link.
The CJEU invalidated the EU-US Privacy Shield and re-emphasised the requirements for lawfully relying on the SCCs by clarifying that it is not enough simply to rely on signing the SCCs to legitimise data exports.