The European Union's highest court has challenged the key basis of rules granting US authorities swift access to Europeans' personal data through Facebook and other US tech giants.
The court ruling affects a set of rules known as "Safe Harbour", the US-EU agreement that gives US authorities expedited access to EU citizens' personal information without scrutiny from national regulators.
The ruling has wide ramifications for US tech giants operating in Europe, including Amazon and many others as well as Facebook, who may now face much tighter controls on what user data they are passing to US intelligence and law enforcement agencies.
The long-awaited decision is the result of a legal action brought by Austrian citizen Max Schrems in the wake of the revelation in the Guardian and Washington Post of the NSA's PRISM programme – which claimed "collection directly from the servers" of tech giants including Google, Facebook, Yahoo, Apple and others.
In the light of that revelation, Schrems issued a legal challenge demanding EU authorities examine how much personal information from Facebook was handed over to the US, and on what basis, as all EU citizens signing up to Facebook are contracted with Facebook's Irish division, which falls in the EU's remit.
This was initially rejected on the basis of Safe Harbour – a longstanding treaty which speeds up US access to EU information provided the transfer complies with a series of key principles. The agreement means such sharing falls outside the remit of Europe's often aggressive data protection authorities, who have little oversight of the extent of sharing or collection by US authorities.
Though the European Court of Justice's ruling won't have an immediate impact, the ruling gives national authorities the power to demand information on data sharing arrangements, and could quickly curtail US authorities' access to the personal information of the EU's 500 million inhabitants.
The court's advocate general was scathing in his assessment of the US's privacy protections for non-US citizens. "[The] law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country," he said in his recommendation to the justices.
He added that "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data", both of which are guaranteed under the European Convention on Human Rights.
The court's ruling today was based on the advocate general's recommendation, though the justices did not adopt his condemnation of the United States' surveillance practices. Explaining the immediate impact of their decision, the justices said:
This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
The decision may also cause the tech giants headaches. Schrems' lawyer, Gerard Rudden, told the Irish Independent ahead of the ruling that if Safe Harbour was found to be invalid, it could open the way for civil claims against Facebook and others.
"If it is held that Safe Harbour is invalid and Facebook have been transferring data, that could open the door to compensation claims," he said.
The ruling has been greeted enthusiastically by privacy groups.
"In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it's written on," said Jim Killock, executive director of the Open Rights Group. "We need a new agreement that will protect EU citizens from mass surveillance by the NSA."
TACD, an umbrella organisation of EU and US consumer groups, was similarly enthusiastic.
"Safe Harbour was designed to enable US data companies to engage in nothing less than pervasive commercial surveillance in the EU," said spokesman Jeffrey Chester.
"The US authorities do not investigate or have the enforcement resources or legal tools to protect Europeans' data. The end of the current Safe Harbour regime will be a major global victory for privacy."
The EU ruling comes just weeks ahead of controversial new UK proposals on access to social media and online data – colloquially known as the "snoopers' charter" – which are widely expected to seek to expand the government's access to such information.