Pretty much. From what I have heard so far the general assumption is that you can still set up a contract to achieve what Safe Harbor did, but your users need to explicitly agree with the provisions.
This is our concern, as a small business using a very small but non-zero set of US services, all of which were previously covered by Safe Harbor provisions.
This ruling is something we have always been concerned about from a business point of view, because ever since it became untenable to claim US companies could actually protect any personal data at all, the basic legal premise on which Safe Harbor was built has been shaky. We don't know now whether it will still be sufficient to merely disclose our commercial partners in our privacy policy (which we do, by name and with an indication of what we use them for) or whether we need some sort of more active consent.
I haven't had a chance to speak to our lawyer yet, but I'm expecting him to tell us something along the lines of: the law now requires us to add yet another prominent notice at the conclusion of a sale. On top of all the consumer protection rubbish from the recent EU changes there -- which again were well-intentioned but actually impose silly things that help neither us nor our customers -- the number of such notices we need by law is making our sales pages almost comical now. I can't believe all these notices really help to protect anyone from much of anything in practice, and anyone reading this on HN probably knows what effect compliance has on conversions.
The second to worst possible outcome is probably that we are now required to seek active consent from our existing customers before continuing to use things like US-based payment services. The worst is that it actually becomes illegal to use those services at all, though I don't think that is going to happen.
It's sad, because from a personal point of view this mess is long overdue for being cleaned up. But the authorities are so clumsy about handling these issues that a lot of the time they just hurt small businesses and legitimate international trade.
Is the "required to seek active consent" actually a bad outcome? From a customer point of view it seems better than "I assumed you wanted me to do x" regardless of what x is.
Think about this from a non-IT point of view. If you went to a store and paid for your groceries with a card, would you expect to go to the checkout, hand over the card, and then have the cashier stop you for thirty seconds while reading a form disclaimer that by paying by card you were consenting to information about the ___location and amount of your purchase together with your own identity and the details of your card being sent to the operators of the card scheme, who may be based outside Europe, for the purposes of completing the transaction, and only then (assuming you haven't given up in frustration) ask you to put in your PIN to confirm the purchase?
I kind of get your point; however, I believe that the inconvenience of having to make decisions based on actual information is preferable to implicitly trusting any country or company that the store chooses to use, especially in the IT case where most of the time (if you live in the EU) you also have to agree that your information should be handled and protected by a foreign power (which has shown itself to be hostile on several occasions; it's basically the same as US citizens entrusting their personal data to Russia) with no legal obligations towards you.
The big issue is the fact that we have become accustomed to being relieved of both the choice and the information about which choices have been made for us.
Which of course makes us a bit lazy, since it's hard to make informed choices, which probably is going to make a system like the one you described a hassle to implement, but I'd say it's worth it to bring back at least a small semblance of choice and control over your own information.