The ability of firms such as Facebook to easily transfer Europeans' data to the US was plunged into legal limbo today when the High Court asked the EU's top court for a detailed assessment of whether the methods were legal.
The High Court referral was published today and was due to be submitted to the European Court of Justice by the end of April.
It stems from a case brought by an Austrian privacy activist against the methods used by Facebook to store user data on US servers following revelations in 2013 of mass US surveillance practices.
Cross-border data transfers are an integral part of companies' business - be it for human resources purposes, completing credit card transactions or storing people's browsing histories.
But the referral casts renewed uncertainty on the legal mechanisms underpinning billions of dollars' worth of data transfers.
The High Court's five-page referral asks the Court of Justice if the Privacy Shield - under which companies certify they comply with EU privacy law when transferring data to the US - does in fact mean that the US "ensures an adequate level of protection".
EU data protection law prohibits personal data being transferred to a country with inadequate privacy protections.
Facebook has until April 30 to lodge an application to block the referral. Paul Gallagher, a lawyer for the US firm, said he was considering whether to request a delay or a possible appeal.
Facebook is under scrutiny after it emerged the personal information of up to 87 million users, mostly in the US, may have been improperly shared with political consultancy Cambridge Analytica.
Data privacy has been under major public scrutiny since the revelations in 2013 by former US intelligence contractor Edward Snowden of mass US surveillance caused political outrage in Europe.
Facebook CEO Mark Zuckerberg was grilled this week by US politicians on the privacy lapses, but came away mostly unscathed with little sign of a consensus emerging on whether regulation was needed to safeguard privacy.
The Privacy Shield was hammered out between the EU and the US after the European Court of Justice struck down its predecessor on the grounds that it did not afford Europeans' data enough protection from US surveillance.
High Court Judge Caroline Costello in October said she had decided to ask the ECJ for a preliminary ruling in the case, but the scope of the referral only became clear today.
Max Schrems, an Austrian law student who successfully challenged Safe Harbour - Privacy Shield's predecessor - subsequently brought a case against another legal instrument used by Facebook and other firms to transfer personal data to the US, so-called standard contractual clauses.
The High Court asked the ECJ whether personal data transferred from the EU to the US using such clauses, and the separate privacy shield, violated Europeans' fundamental right to privacy.
"Given the case law, the question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook's EU-US data transfers," Schrems said in a statement.
The High Court also asked the ECJ whether European data protection authorities ought to suspend data flows if the company moving the data outside the EU is subject to "surveillance laws" that conflict with the EU's right to privacy.
Facebook has previously said the case could lead to a breakdown in transatlantic data transfers that could knock EU economic output by up to 1.3%.
A ruling from the ECJ is likely to take around 18 months.