I really hope this will have consequences that shake up ad tech, but the cynic in me says: They're just going to add another disclaimer in their cookie banner and exactly nothing will happen.
Well part of the ruling is that the "standard contractual clauses", basically an attempt to contract away the regulation is not valid. From the article, it seems to be just conceptually, which gels with my understanding of the GDPR, so it's not going to be just adjusting/appending the legal wording in the TOS to fix that.
This is only sort of a half-truth though. The SCC's are created by the European Data Protection Board, and it works for transfers to third countries because the companies legally say "ok we won't do anything shady with your data" - but you have to actually prove that they can't be compelled to do anything shady under local law - which you can in the US.
So the SCC's are a perfectly fine tool, but you just need more than that.
of course, companies will try their luck right up until somebody loses a meaningful amount of money. I assume this ruling is gearing up and posturing towards major judgements against google should they fail to follow through
Judgements against Google and Facebook have started, which I assume will get increased for being repeat offenders the more they try to weasel out of complying: https://news.ycombinator.com/item?id=29821386
That's what is great about the GDPR. Just adding another disclaimer in a cookie banner absolves them of nothing.
In fact, this whole case is exactly about that. Some Austrian website tried to use Google Analytics and just added another disclaimer in their cookie banner. Now they are facing the consequences.
