(Bloomberg) -- A trans-Atlantic pact that potentially allows U.S. spies to get their hands on European citizens’ private data was declared illegal by the EU’s highest court, in a ruling that threatens to plunge Internet companies into a legal limbo.

Judges at the European Union’s top court struck down the so-called safe-harbor accord after an Austrian law student complained about how U.S. security services can gain unfettered access to Facebook Inc. customer information sent to the U.S.

The 15-year-old agreement, that allows U.S. companies to move commercial data back to the U.S., compromises the privacy of EU citizens and their right to challenge the use of their information, the EU Court of Justice said in a ruling in Luxembourg Tuesday.

“This judgment is a bombshell,” said Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels. “The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbor. All these companies are now forced to find an alternative mechanism for their data transfers to the U.S. And, this, basically overnight.”

The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.

‘Fundamental Right’

The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy isn’t breached.

U.S. legislation “permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the EU court said in a binding ruling. The pact “is accordingly invalid.”

Austrian privacy activist Max Schrems, 28, triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to U.S. spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.

No Quick Fix

“The ruling won’t make it very easy to repair this and a quick fix won’t be possible either,” Schrems told reporters in Luxembourg. “But it’s the first time that something actually happens in this entire mass surveillance box.”

“What this ruling means is that data transfers into the U.S. are still possible, but there’s now the possibility for national data protection regulators to act against this. That’s the big news. We can no longer accept that everything the U.S. does is fine because that’s what an EU decision” of 2000, he said.

Facebook, like other tech giants Google Inc. and Yahoo! Inc., have been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don’t willingly turn over data to the government.

The case concerns more than 4,000 U.S. companies that are certified under Safe Harbor. Facebook said the case is about mechanisms of European law rather than individual firms.

Thousands of Firms

“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor,” it said in a statement. “It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”

The urgency of the ruling was highlighted by the speed of the ruling, just days after an adviser to the EU court described the safe harbor as illegal.

“This is extremely bad news for EU-U.S. trade,” said Richard Cumbley, Global Head of Technology, Media and Telecommunications at Linklaters LLP. “Thousands of U.S. businesses rely on the Safe Harbor as a means of moving information to the U.S. from Europe. Without Safe Harbor, they will be scrambling to put replacement measures in place."

The European Commission and the U.S. mission to the EU in Brussels declined to immediately comment. Tuesday’s ruling will add to the clamor to revise the accord, lawyers said.

“People in Europe are blown away by the United States government having secret subpoena power to get data on anybody at any time as long as they satisfy a secret court,” Tim Blank, a lawyer who heads Dechert’s cybersecurity and data privacy practice in Boston, said ahead of the ruling. “No matter how well intentioned a company is to sign the safe harbor provisions, they can’t stop the government,” he said.

The case is: C-362/14, Maximilian Schrems v. Data Protection Commissioner.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access