The Irish Data Protection Commissioner (DPC) has warned that the legality of data transfers from here to the US may now be "questionable" after a landmark European Court struck down a key transatlantic treaty.
Helen Dixon's office stopped short of saying it would take immediate action to cut off services from Facebook or other major tech operations here.
But she said that the European Court of Justice (CJEU) ruling on a case involving Ireland, Facebook and the Austrian privacy campaigner Max Schrems meant that her office would now have to reassess the legality of such services.
She said that standard contractual clauses (SCCs), the most commonly-used way for companies to transfer people's personal information between here and the US, were now in doubt.
"It is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable," she said. "This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis."
The majority of Irish and European companies rely on standard contractual clauses to transfer data. However, the European Court Of Justice yesterday said that such tools may be invalid in countries like the US, which do not adhere to European privacy standards. It also said that bodies such as the Irish DPC must enforce a stricter standard.
"Supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means," said Europe's highest court.
The Irish DPC chief said that "while the judgment most obviously captures Facebook's transfers of data relating to [Max] Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally."
The European Court of Justice also ruled that the EU-US 'Privacy Shield' treaty, put in place less than four years ago to protect the legality of data transfers between the two regions, was "invalid" because there was no effective protection for EU citizens' privacy against systemic surveillance by US authorities.
"By annulling the Privacy Shield, the CJEU has, in effect, found that a tool that previously allowed EU based companies to transfer personal data to US based providers in large quantities violates EU law," said Marie McGinley, a partner at the Dublin-based legal firm Eversheds Sutherland.
"This decision will have a far reaching impact for both US and EU based companies."