The European Court of Justice (ECJ) has passed a non-binding opinion declaring a controversial EU-US data sharing agreement invalid.
The opinion will affect the 'safe harbour' agreement, a legal instrument designed to simplify the transfer of commercial data from Europe to the US.
The case stems from a complaint launched by Max Schrems, a 27-year old Austrian privacy activist, following ex-NSA contractor Edward Snowden leaking details of a mass electronic surveillance programme, known as Prism.
Following Snowden's revelations, Facebook and other US internet companies were alleged to have shared EU customer data with American intelligence services.
A Facebook spokesperson has denied accusations they were involved in providing "backdoor access to Facebook servers and data to intelligence agencies or governments."
Yves Bot, an ECJ advocate-general, stated that governments should retain the right to prevent the US accessing EU citizen's data if it violates EU protection law.
In a strongly worded statement he declared the agreement, "invalid", adding, "in light of the important role played by the national authorities with regard to data protection, their powers of intervention must remain intact."
The move contravenes the European Commission's 'safe harbour' data sharing agreement with the US, which is currently under renegotiation.
Jan Albrecht, a vice-chair of the European Parliament's civil liberties, justice and home affairs (LIBE) committee, welcomed the opinion.
He said, "the finding confirms the position of the European Parliament, which has already called for 'safe harbour' to be suspended," before calling for the "urgent need to agree the reform of the EU's data protection laws to ensure strong and implementable individual rights."
Timothy Kirkhope, ECR MEP and member of the LIBE committee, also highlighted the need for clearer rules on EU data protection saying, "this judgment shows how it is essential we adopt a clear legal framework for data handling and data protection in the EU."
Changes to the 'safe harbour' agreement will shape international regulations over access to, and ownership of, online information.
Under the terms of the agreement, US internet companies, including Facebook, Apple and Google can store EU customer data - from IP addresses to employment information - in the US, without violating EU data protection laws. At present it is used by around 4500 companies.
While Bot's decision is not binding, the ECJ usually follows the advocate-general's lead. The court will make a final decision on the case in a few months' time.
Schrems said the opinion, will have "major implications for EU-US data flows and US internet companies operating in Europe."
However, representatives of the digital industry have been critical of the judgement.
John Higgins, Director General of DigitalEurope, a European trade association, reaffirmed this view saying, "we are concerned about the potential disruption to international data flows if the Court follows today’s opinion."
He also highlighted the impact a future ruling may have on the digital single market, saying it would, "frustrate the creation of the digital single market in Europe because it would fragment Europe’s approach to data flows out of the EU."
Christian Wigand, European Commission spokesperson for justice, consumers and gender equality, told the Parliament Magazine that while it "does not comment on the substance of pending court cases such as this one," it has been "working tirelessly with the US," to reach an agreement under which "all exchanges of personal data for law enforcement purposes will be governed by strong data protection rules."
Commission officials have previously argued that a negative ruling from the ECJ could be ignored as the new agreement being negotiated would include greater protection.
Schrems is hopeful of winning the case saying, "after an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off."