Keoni Cabral / Flickr

The European Court of Justice has ruled regulations that allow U.S. companies to handle the personal data of EU citizens are invalid.

At issue is the question of privacy. The EU has some of the strictest rules on privacy, and companies operating inside the 28-member bloc are barred from sending personal information outside its borders without certain guarantees of protection. The Safe Harbor rules, negotiated by the U.S. and the EU in 2000, allowed tech giants such as Amazon, Facebook, and Google to handle the personal information of millions of people in the EU and move them to the U.S., if they meet certain requirements.

But that agreement was challenged by Max Schrems, an Austrian graduate student, who argued that personal data of EU citizens was misused by the National Security Agency’s Prism program. Several major tech companies, including Facebook, are believed to have cooperated with the program.   

On Tuesday, the European Court of Justice agreed. It said the agreement compromised “the essence of the fundamental right to respect for private life,” and “the essence of the fundamental right to effective judicial protection.”

Here’s its ruling, in part:

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

The court is the EU’s highest court, and its ruling is binding.

Schrems, in a statement, said he welcomed the ruling, “which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.”

Many major multinational companies may not be immediately affected by the ruling, however, because they have their own agreements with the EU on the transfer of data, but the court’s ruling is a shot in the arm to advocates of privacy.

“This is extremely bad news for E.U.-U.S. trade,” said Richard Cumbley, a tech lawyer at Linklaters in London, told The New York Times. “Thousands of U.S. businesses rely on the Safe Harbor as a means of moving information. Without Safe Harbor, they will be scrambling to put replacement measures in place.”

Jeffrey Chester, the U.S. chair of the Trans-Atlantic Consumer Dialogue’s information society policy committee who also serves as executive director of the Center for Digital Democracy said:

Safe Harbor was designed to enable US data companies to engage in nothing less than pervasive commercial surveillance in the EU.. The US authorities do not investigate or have the enforcement resources or legal tools to protect Europeans’ data. The end of the current Safe Harbor regime will be a major global victory for privacy.

But Congressman Jim Sensenbrenner,  a Republican from Wisconsin, saud he was “disappointed” by the court’s “bold move.”

The United States has taken great strides to build strong data protection and privacy controls, such as USA FREEDOM, which was the first curtailment of surveillance authority in the U.S. since the 1970s. It was a thoughtful rethinking of our national security laws that few other countries have undertaken. With the Judicial Redress Act, Congress has taken additional steps toward providing global citizens’ rights over their own data. These efforts will continue in the U.S., as they should abroad, but we must maintain an environment of cooperation and goodwill with our allies. I urge EU and US officials to address this issue and to work to maintain the healthy commercial relationship the EU and the US have worked so hard to build.

We want to hear what you think about this article. Submit a letter to the editor or write to