The Atlantic Ocean just got a lot wider. On Tuesday the E.U.’s highest court threw out a key U.S.-European agreement called Safe Harbor, that for years has allowed companies to transfer their customers’ data back and forth across the Atlantic—the route taken by half the Internet traffic on the planet—without having to ask their permission in advance. The European Court of Justice in Luxembourg ruled that the agreement violated privacy rights of regular citizens, since they have no control over how their data is ultimately used.
That decision—declaring the agreement null and void—was recently described to Fortune by a business group as the “Doomsday scenario,” which would throw companies’ global operations into chaos. Safe Harbor, which the U.S. and E.U. officials in 2000 when online commerce was taking off, was a way of allowing companies to conduct business on the borderless Internet. “It is fair to say this is a bombshell,” Wim Nauwelaerts, a Brussels partner for the U.S. law firm Hunton & Williams, who represents American companies in the EU, said by phone on Tuesday. “There are thousands of companies who genuinely rely on the Safe Harbor network to transfer data, in order for them to do business.”
But despite those complications, the EU judgement is clear: The Safe Harbor agreement is none too safe. Under EU laws, companies are allowed to transfer their customers’ data only if “the third country in question ensures an adequate level of protection,” the ruling says.
And for that level of protection, the E.U. judges concluded, don’t look to the U.S.
Tuesday’s ruling is a measure of how deep the impact is in Europe of Edward Snowden’s NSA leaks, more than two years after they exploded. The court decision says the U.S. has failed to show that they collect people’s data in a way that is “strictly necessary and proportionate to the protection of national security.” It also said that both Americans or Europeans have “no administrative or judicial means of redress” if their data is used for reasons they did not intend.
In fact, it was the NSA’s PRISM program that doomed Safe Harbor, and which will now frame future negotiations between the U.S. and Europe about how companies transfer data. In 2013 Snowden revealed that the agency was scooping up mammoth quantities of people’s details, by tapping into the data bases of giant U.S. tech and telcoms companies. Since all those megacompanies were signatories to the Safe Harbor agreement, the Safe Harbor rules proved a legal framework for PRISM, according to Tuesday’s EU court ruling. “Companies such as Google, Facebook, Microsoft, Apple, Yahoo had hundreds of millions of clients in Europe and transferred personal data to the United States for processing,” it says.
The ruling jolted U.S. officials, yet they should hardly have been taken by surprise. In late September the E.U.’s Advocate General Yves Bot published an opinion slamming the lack of data-privacy protections under Safe Harbor, and saying that the U.S. intelligence agencies carried out “mass, indiscriminate surveillance.” In response the U.S. Mission to the E.U. in Brussels said in a statement that “the United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.” The E.U. court did not buy it.
Now comes the messy process of reworking rules for business. U.S. and E.U. officials have been negotiating new Safe Harbor rules since 2013, and in recent weeks both sides have said they were close to agreement. The new rules would likely include assurances—never before made— that governments will not access data of regular citizens. “It’s vital for companies to be able to function in a multijurisdictional environment and a global trading world,” says Paul Meller, spokesman for Digital Europe, a lobbying group in Brussels representing multinational tech companies. “Most would agree Safe Harbor is not perfect but it’s a pragmatic way of getting over this jurisdictional issue.”
In 2000, it was urgent to figure out how to transfer basic information like credit cards, names, addresses, and other data that now underpins billions of dollars worth of Internet business. Yet few could have foreseen that such data could just as easily be used for governments to conduct mass surveillance. “Hindsight in a beautiful thing,” Henriette Tielemans, a data-privacy lawyer at the Covington law firm in Brussels, said in a statement emailed to Fortune on Tuesday. “We must all remember that in 2015 things are different than they were in 2000.”
Nonetheless, it was the hindsight of one young Austrian student, Max Schrems, that set in motion the downfall of Safe Harbor.
At just 24, Schrems, then a law student in Vienna, spent six months studying at Santa Clara University in California in 2011, when he sat in on a class by a Facebook lawyer. Schrems told me he was shocked to hear the lawyer brush off concerns about data privacy. “I was the only European in the room,” he said. “The basic theme was ‘you can do whatever you want.'” Schrems researched Facebook’s privacy rules for his thesis, concluding that they violated E.U. laws. He lodged a complaint against the Data Privacy Commission of Ireland, where Facebook has its E.U. headquarters. He crowdsourced the funding for his case online and petitioned Facebook to get his data—receiving 1,200 pages of documents, including 300 pages of data he had deleted from his Facebook page.
All that became the basis for the case in the E.U. court, about controlling data-transfer rules with the U.S.—an issue that has grown massively in support among Europeans since the Snowden revelations. Schrems, who turned 28 last week, says he could not have imagined back in California that his youthful student outrage might lead to an entire rewriting of trans-Atlantic rules. Seconds after the E.U. court announced its ruling on Tuesday, he tweeted his satisfied response: “*YAY*.”