A pact that helped tech giants and others send personal data from the EU to the US has been ruled invalid.
The European Court of Justice said that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures.
It added that the ruling meant Ireland's regulator now needed to decide whether Facebook's EU-to-US transfers should be suspended.
The pact has existed for 15 years.
Facebook has denied any wrongdoing.
"This case is not about Facebook," said a spokeswoman.
"What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.
"We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US.
"The outcome... will have significant implications for all Irish companies who transfer data across the Atlantic."
The ruling was the result of a legal challenge by an Austrian privacy campaigner concerned that the social network might be sharing Europeans' personal data with US cyberspies.
"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgement.
"It clarifies that mass surveillance violates our fundamental rights."
Whistleblower Edward Snowden welcomed the ruling, but others warned it could have far-reaching consequences.
"Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe," said Richard Cumbley from the law firm Linklaters.
"Without Safe Harbour, they will be scrambling to put replacement measures in place."
The European Commission said it would issue "clear guidance" in the coming weeks to prevent local data authorities issuing conflicting rulings.