The European Court of Justice has declared invalid one of the two legal methods companies use to transfer EU citizens' data to the United States.
They had been able to transfer data by signing up to higher privacy standards under the EU-US Privacy Shield.
But they will now have to sign standard contractual clauses, non-negotiable legal contracts drawn up by Europe, which the court chose not to abolish.
The ECJ was concerned about companies handing data to intelligence agencies.
Surveillance laws
Max Schrems, the Austrian privacy advocate who brought the case, said: "It seems we scored a 100% win for our privacy.
"It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market."
European data protection law says data can be transferred out of the EU - to the United States or elsewhere - only if appropriate safeguards are in place.
But the ECJ said US "surveillance programmes... are not limited to what is strictly necessary".
"The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred," it said.
"The limitations on the protection of personal data arising from the domestic law of the United States... are not circumscribed in a way that satisfies requirements."
'Bold move'
The EU-US Privacy Shield system "underpins transatlantic digital trade" for more than 5,000 companies, about 65% of which are small-medium enterprises (SMEs) or start-ups, according to UCL's European Institute.
"This is a bold move by Europe," Jonathan Kewley, co-head of technology at law firm Clifford Chance, said.
"The courts are saying that the surveillance regime in the US does not respect the rights of EU citizens and puts US state interests over the interests of individuals.
"What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot."
And it could mean "more Europe data localisation, with more customer data staying in Europe as a result".
Mr Schrems lodged a complaint against Facebook transferring data to the US in 2013, after leaks by ex-CIA contractor Edward Snowden revealed the extent of US surveillance.
His first case ended with the ECJ overturning the long-standing Safe Harbour arrangement, in 2015.
Privacy Shield and standard contractual clauses (SCCs) were created as alternatives.