The way in which technology giants like Facebook transfer data between the US and EU could be under threat after a pact was ruled "invalid" by a European court.
The European Court of Justice said the Safe Harbour pact, signed 15 years ago, does not remove the need for privacy regulators to check that US firms are carrying out correct data protection procedures.
The ruling comes after Austrian privacy campaigner, Max Schrems, launched a legal battle over concerns that Facebook may have been passing on data about EU users to US spy organisations.
"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Mr Schrems.
Facebook stressed that it is clear of any wrongdoing.
"This case is not about Facebook," said a spokeswoman.
"What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.
"We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US.
"The outcome... will have significant implications for all Irish companies who transfer data across the Atlantic."
What is Safe Harbour?
EU law prevents personal data from being transferred or processed unless "adequate" privacy protection measures are used.
The Safe Harbour pact was set up to allow US businesses to 'self-certify' that they are following correct privacy procedures, in order to get their hands on European data that is crucial to the way they work.
At the moment, around 5,000 US firms use Safe Harbour to get hold of European data.
How did it get to court?
When Edward Snowden leaked details about the NSA's Prism surveillance scheme, Max Schrems asked the Irish Data Protection Commission to investigate Facebook's part in the surveillance.
The Commission refused on the grounds that Facebook was covered by Safe Harbour. Mr Schrems contested the decision and it was referred to the European Court of Justice.