In a statement on Thursday, EU judges said the data-sharing agreement doesn’t sufficiently protect the privacy of the bloc’s citizens. “The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court said in a statement.

— EU Court of Justice (@EUCourtPress) July 16, 2020 The case stems from a complaint lodged by Austrian privacy activist Max Schrems about Facebook transferring his data to servers in the US. Schrems argued that Washington’s prioritization of digital surveillance over privacy contravened EU laws and rights. In a statement, Schrems said he was “very happy about the judgment.” “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” he added.

The US will have to engage in serious surveillance reform to get back to a “privileged” status for US companies. More details here: https://t.co/t7LFgE7LmT#ThanksToEveryone! — Max Schrems ???? (@maxschrems) July 16, 2020 The decision will deal a significant blow to Facebook and the thousands of other companies that rely on the Privacy Shield to move data from the EU to the US. However, they will still be allowed to use another data transfer mechanism known as standard contractual clauses (SCC). The judges ruled that SSCs remained a valid method of sending data to a country outside the bloc, so long as the country “ensures an adequate level of data protection.”