The international agreement between the superpowers gives US companies access to the online information. The European Court of Justice in Luxembourg said it should not prevent Europe’s national privacy watchdogs from checking that US firms were taking adequate data protection measures.
It concluded that Ireland’s regulator needed to decide whether Dublin-based Facebook’s EU-to-US transfers should be suspended.
The court found that allowing the authorities access to the content of electronic communications compromised the fundamental right to respect for private life.
The judgment followed a legal challenge by an Austrian privacy activist concerned that the social network Facebook might be sharing Europeans’ personal data with US cyberspies.
Max Schrems said: “I very much welcome the judgment of the court, which will hopefully be a milestone when it comes to online privacy.
“This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.”
Facebook said its view that it did nothing wrong had been accepted.
“This case is not about Facebook. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.”
The decision could have far-reaching consequences affecting many other British and Irish companies, legal experts have said.
Joanne Bone, partner at national law firm Irwin Mitchell, said: “This decision opens up a huge can of worms for businesses which trade with the US or even those who just have cloud solutions with US providers.
“The [European] Commission needs to act quickly to come up with a workable alternative to minimise interruption to potentially thousands of businesses in the UK.”
Mr Schrems challenged the 15-year-old Safe Harbour treaty in his fight to expose what information Facebook gave to American intelligence agencies.
Safe Harbour was an agreement between the EU and US designed to provide a streamlined way for US firms to get data from Europe without breaking its rules.
The EU forbids personal data from being transferred to and processed in parts of the world that do not provide adequate privacy protections.
Safe Harbour allows US companies to self-certify that they are carrying out the required steps.
The court judgment said national security, public interest, and law enforcement requirements of the United States prevail over the Safe Harbour scheme.
It added the US was bound to disregard protective rules laid down by Safe Harbour where they conflict with such requirements.
“The United States Safe Harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.”
The judgment added: “The court declares the Safe Harbour decision invalid.”
Mr Schrems’ legal battle over Safe Harbour was sparked by the revelations of Edward Snowden over the US National Security Agency (NSA)’s Prism surveillance system which allowed spies to access enormous amounts of data from global tech companies.
He initially brought a lawsuit in Ireland after failing to secure an investigation into Facebook by the country’s Data Protection Commission. Every Facebook user outside the US and Canada has a contract with Facebook Ireland.