A system enabling data transfers from the EU to the US by thousands of companies is invalid, the EU's highest court held in a landmark ruling on Monday that is expected to send firms rushing to seek alternatives.
"The Court of Justice declares that the Commission's US Safe Harbor Decision is invalid," it said in a statement.
The decision will jeopardise the Safe Harbor framework established 15 years ago to help companies on both sides of the Atlantic conduct everyday business but which had taken heavy flak following 2013 revelations of mass US snooping.
Without Safe Harbor, personal data transfers are not allowed, or only allowed via costlier and more time-consuming means. EU laws forbid data-sharing with countries deemed to have lower privacy standards, of which the US is one.
According to the Court of Justice of the EU (ECJ), US companies were "bound to disregard, without limitation," the privacy safeguards provided in Safe Harbor where they come into conflict with the national security, public interest and law enforcement requirements of the US.
"This is extremely bad news for EU-US trade," said Richard Cumbley, Global Head of technology, media and telecommunications at law firm Linklaters. "Without Safe Harbor, (businesses) will be scrambling to put replacement measures in place," Reuters reported.
According to commentators, although most big multinational companies and their lawyers had already secured side agreements with the EU, allowing them to continue moving data for now, the ruling of the court could have significant implications down the road.
It will empower data-privacy regulators in each of the union's 28 nations to evaluate how data is moved from their countries to the US, and will permit the national authorities to impose tougher restrictions on specific data transfers.
The biggest US tech companies are under intense scrutiny by European regulators, with - pressure that could potentially limit their profits in the region and affect their operations around the world.
''Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,'' the European Court of Justice said in a statement today.