The Safe Harbour agreement, introduced 15 years ago, allows thousands of US companies to process the data of EU citizens with the understanding that the same privacy rights in the EU are applied across the pond.
Now, the European Court of Justice has made a landmark ruling saying the deal is invalid, after a challenge by Austrian law student and privacy campaigner Max Schrems.
Following the Snowden NSA surveillance revelations, Schrems argued that Ireland's data regulator, which oversees Facebook in Europe, failed to protect users from "snooping". However, the Irish Data Protection Commissioner argued the information fell under the Safe Harbour agreement.
The ruling means US companies, including some of the world's biggest tech companies, may no longer be able to handle the data of anyone in the EU under the agreement. Safe Harbour essentially operated as a shortcut, cutting through the red tape of differing EU and US regulation.
“This is extremely bad news for EU-US trade," said Richard Cumbley, the global head of technology, media and telecoms at law firm Linklaters.
"Thousands of US businesses rely on the Safe Harbor as a means of moving information to the US from Europe. Without Safe Harbor, they will be scrambling to put replacement measures in place."
Safe Harbour is one of several rules under which data transfers are processed by companies including Facebook.
But Facebook denied the ruling was aimed at it.
“This case is not about Facebook. The Advocate General himself said that Facebook has done nothing wrong," said a Facebook spokesperson.
What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour.
It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.
Google has yet to comment on the ruling.
Businesses will seek clarity on the decision, added the CBI's Matthew Fell.
The ability to transfer data easily and securely between Europe and the US is critical for businesses in our modern data-driven digital economy. Businesses will want to see clarity on the immediate implications of the ECJ's decision, together with fast action from the Commission to agree a new framework. Getting this right will be important to the future of Europe's digital agenda, as well as doing business with our largest trading partner.