There is no doubt that SMEs will be hardest hit by this decision. Our right to privacy does come with a cost, and this case certainly adds additional layers of complexity and cost. We will likely see a shift towards what is known as “data localisation”, meaning keeping the personal data of EU residents in the EU or in a third country that has been recognised by the Commission as ensuring an adequate level of protection. However, this may be an impractical, not to mention extremely expensive, solution for businesses that are primarily US based. Technology and the ease of transferring personal data have created this issue in a sense, and it might be the right time for technology to address this situation and provide real and practical solutions, for example a wider adoption and use of data encryption.

What this case demonstrates is that yes, we can have wonderfully drafted agreements (the SCCs are very comprehensive), but they are just words on a page and mean little if in reality they do not represent the situation on the ground. What the CJEU is saying here is that we all (including our own DPC, which referred this case) have a responsibility to think about and assess the risks of transferring data to countries outside the EU, and if those risks are too high, all of the fancy contracts etc. mean nothing!

This case will also have a significant impact on Brexit, and the UK’s security and surveillance will come under great scrutiny by the Commission in its assessment of whether to grant an adequacy decision by the end of 2020. That’s a tight timeline with everything that’s going on in the world!