A data agreement allowing the transfer of information from Facebook and other big tech companies between the European Union and the U.S. is invalid, the top EU court has ruled.

The Court of Justice also said that national regulators in the EU need to take tougher action to protect the privacy of users' data.

The ruling to invalidate Privacy Shield will complicate the transfer of a lot of data outside the EU and it could require regulators to vet any new transfers due to concerns that the U.S. government can look at people's data for national security reasons.

It will no longer simply be assumed that tech companies such as Facebook will adequately protect the privacy of their European users' data when it is sent to the U.S.

Instead, the EU and U.S. are likely to have to find a new agreement that guarantees that Europeans' data get the same privacy protection in the U.S that they do in the EU – which has some of the toughest standards in the world.

The case began after former U.S. National Security Agency contractor Edward Snowden revealed in 2013 that the American government was looking at people's online data and communications. The revelations included details on how Facebook gave U.S. security agencies access to the personal data of Europeans.

Austrian activist and law student Max Schrems that year filed a complaint against Facebook, which has its EU base in Ireland, arguing that personal data should not be sent to the U.S. – as many companies do – because  data protection is not as strong as in Europe.

Though the legal case was triggered by concerns over Facebook in particular, it could have far-reaching implications for all tech companies that move large amounts of data over the internet if regulators find that U.S. privacy protections are insufficient and block the transfers. Things like email and flight and hotel reservations would not be affected.

Schrems said the ruling amounted to a victory for privacy. "The U.S. will have to engage in serious surveillance reform to get back to a 'privileged' status for U.S. companies," he wrote on Twitter.

Companies use legal mechanisms called standard contractual clauses that force businesses to abide by strict EU privacy standards when transferring messages, photos and other information. Companies such as Facebook routinely move such data among its servers around the world, and the clauses — stock terms and conditions — are used to ensure the EU rules are maintained when data leave the bloc.

The Court of Justice ruled on Thursday that those clauses are still valid. However, it declared invalid the umbrella agreement between the U.S. and EU on data transfers, called Privacy Shield.

The court noted in its rulings that there are "limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to that third country."

Alexandre Roure, a senior manager at Computer & Communications Industry Association, said the decision "creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers.

"We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, inline with EU law, to ensure the continuation of data flows which underpin the transatlantic economy."