It comes as no surprise that the CJEU has ruled against extensive surveillance laws in the EU. The ruling is consistent with the approach taken in Schrems II.
In a nutshell, the ruling requires Member States to practice what the EU preaches when it comes to privacy and setting boundaries to national surveillance.
It has also made it very clear that EU law supersedes any national legislation that allows for the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security. Which means that if a rule is against the EU privacy principles, it is not ok.
In the current situation, even though the ruling only applies to Member States, it does beg the question of how this will impact the UK's bid for adequacy post Brexit.
Whereas the decision does not have a direct effect on the UK’s adequacy assessment, the precedent set by this case and Schrems II make it more difficult for the UK to make the adequacy grade.
So for the time being, we will need to hope for the best (that the UK will get adequacy) but prepare for the worst: assess on a case by case basis how SCCs can be implemented to cover transfers in a way that is considered adequate and lawful.
The directive does not authorise the Member States to adopt, inter alia for the purposes of national security, legislative measures intended to restrict the scope of rights and obligations provided for in that directive, in particular the obligation to ensure the confidentiality of communications and traffic data, unless such measures comply with the general principles of EU law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter.