The European Union’s (EU) highest court has ruled that a “Safe Harbor” agreement negotiated between the EU and the United States, under which U.S. companies may transfer personal data from the EU without violating the EU’s strict privacy protection requirements, is invalid.

The ruling by the European Court of Justice (ECJ) in Schrems v. Data Protection Commissioner, No. C 362/14 (ECJ October 6, 2015), stems from a legal challenge brought by an Austrian citizen claiming that the Safe Harbor did not adequately protect his personal data against transfer to the U.S., in violation of the EU’s Data Protection Directive (DPD).

By agreeing with Schrems’ contentions, the ECJ’s ruling now places in jeopardy data transfers from the EU to the more than 4,400 U.S. companies currently self-certifying under the Safe Harbor. And while the DPD permits other, more cumbersome methods of compliance to enable cross-border transfers, including providing data protection via contracts or binding corporate rules, there is no immediate fix for those companies that have until now relied on the Safe Harbor.

A copy of the ECJ’s decision is available online here.