Europe's top court ruled Tuesday that data stored on U.S. servers isn't safe because of government spying, a giant blow to companies such as Facebook that might need to change the way they handle private data from Europe.
The court's decision declares invalid a pact allowing unfettered transfer of data from Europe to the U.S. by thousands of companies.
The case was brought by an Austrian law student in the wake of revelations by former U.S. National Security Agency contractor Edward Snowden of the extent of the NSA's surveillance programs.
Max Schrems complained that U.S. law doesn't offer sufficient protection against surveillance of data transferred by Facebook to servers in the United States.
The verdict could have far-reaching implications for companies operating in Europe. Though it does not ban the transfer of data, it opens up the possibility that European regulators will be inundated by complaints by consumers, making it hugely difficult to do business.
"The message is clear -- that mass surveillance is not possible and against fundamental rights in Europe," said Schrems after the ruling.
Companies, he added, "cannot just aid foreign spies and get away with it because they fall under European jurisdiction."
The so-called "safe harbor" agreement has allowed companies to send data on users from the EU to the U.S. Facebook and Google, for example, earn money from advertising that relies on data on how users behave on the Internet -- what they search for and what they click on.
But the revelations of NSA spying have provoked a backlash from European consumers, who are traditionally more concerned about data privacy than Americans.
Schrems, the Austrian student, complained to the data protection authorities in Ireland, where Facebook has its European headquarters, that his information was not safe on U.S. servers.
Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU's executive Commission that under the "safe harbor" agreement, the U.S. ensures adequate data protection.
In Schrems' case, the Irish data commissioner will now be required to examine the complaint and "decide whether ... transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data," the court said in a summary of its ruling.
In a statement, Facebook said it's now "imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
The statement noted that the ECJ's advocate general "himself said that Facebook has done nothing wrong."
AmCham EU, which represents U.S. companies across all sectors in the EU, said the ruling could have serious implications for Europe's economy.
"We are concerned today's Court's decision will jeopardize the free flow of data across the Atlantic, compromise the EU economic recovery and negatively impact the Commission's goal to create a Digital Single Market," said Susan Danger, AmCham EU's managing director.
Markus J. Beyrer, the director general of lobby group BUSINESSEUROPE, warned that the judgment gives rise to "great legal uncertainty that must be remedied urgently."
He said several thousands of companies -- and not just major corporations like Facebook -- have relied on the pact allowing the transfer of data.
"The solution is not to revoke Safe Harbor, but to improve it," he said.
The decision by the Court does not mean companies have to immediately stop transferring data to the U.S. Rather, national authorities in Europe will be allowed to review individual transfers of data. They could also be forced to if there are complaints, as in Schrems' case.
The European Union and the U.S. are expected to go back to the drawing board to put together a new data sharing pact.
Schrems insisted he was never seeking to strike a blow to Facebook.
"On the one hand you have fundamental rights which are hugely important but then you have legal certainties for companies," he said. "It's basically like the banks, they're too big to shut down."
Sophie In't Veld, a leading Liberal lawmaker in the European Parliament, welcomed the ruling and called the "safe harbor" decision "a travesty of legality."
"We need clear rules to govern the transfer of personal data to the U.S. and other non-EU countries," she said. "But they must be legally watertight, provide real and meaningful protection, and there must be proper enforcement."
Geir Moulson in Berlin and Raf Casert in Brussels contributed to the story.