What does this ruling by the European Court mean?
It means two things. First, it's now European law that the US is presumed not to protect European data privacy standards.
Second, the Irish Data Protection Commissioner (DPC) must now take action to protect European citizens' privacy in the US, up to and including the duty to "suspend or prohibit" transfers of EU citizens' personal data there.
So what will the DPC do about it?
The DPC isn't spelling it out yet. And neither did the European Court of Justice. Max Schrems, who took the case in the first place, initially argued that Facebook couldn't transfer his personal data from the EU to the US because of openly acknowledged surveillance of such personal data by US authorities. (The US says that this is a security requirement.)
Some legal commentators believe that the DPC may now have the power to order companies like Facebook and Google to stop sending EU citizens' personal data to US data servers.
Okay, but what about me using a normal cloud service like Dropbox or Microsoft, or using cloud services to serve my customers?
Those companies say that it's business as usual for their cloud services. The DPC may have a different view when she gets around to each kind of service.
"We want to be clear," said Julie Brill, Microsoft's chief privacy officer. "If you are a commercial customer, you can continue to use Microsoft services in compliance with European law. The Court's ruling does not change your ability to transfer data today between the EU and US using the Microsoft cloud."
However, some data privacy experts such as Castlebridge's Katherine O'Keeffe say that big tech companies here may now have to get more explicit levels of consent to legally justify continued operations when their customers' personal data goes between Ireland and the US.