I’ve been asked this question more than once, funnily enough. The fact is that even the Safe Harbor experts don’t have concrete answers 😉
Basically, it’s business as usual until some way forward is found. Companies that are following Safe Harbor practices today and tomorrow are not going to be penalized for this. It’s not their fault that what was considered legal last week is not this week!
There is a revised Safe Harbor that has been worked on for a couple of years now, which includes the restriction on U.S. government (intelligence) access to personal data of non-Americans, but it has not been finalized yet. From what I understand, it is not agreed precisely because the U.S. wants this exact point removed, which is exactly the motivation of the ruling on Safe Harbor! I guess the EU and U.S. must fix this now.
I can imagine that Binding Corporate Rules (BCRs) will gain new momentum from here on. However, this is significant work for any company working across legal jurisdictions, and today it is only some of the really large global corporations that have BCRs in place and working.