Austrian Max Schrems arrives at the European Court of Justice with his lawyer Herwig Hofmann | JOHN THYS/AFP/Getty Images on the bench Europe’s top court goes off the rails The court has ripped apart a data transmission system that will be a nightmare to repair.

NEW YORK — The European Court of Justice took the position this week that 15-year old “safe harbor” provisions that governed relations between the United States and the European Union did not provide — by the EU — for “adequate protection” standards of EU data that was to be stored and used in the United States. In reaching that decision, the ECJ held that a decision by the Commission did not eliminate or reduce the ability of national supervisory bodies to enforce the provision of the Charter of Fundamental Rights of the European Union.

In effect, the ECJ decision set aside the initial determination made by the Irish data protection commissioner that had dismissed the complaint of the Austrian privacy activist Maximilian Schrems, seeking termination of the data collection program. The decision of the ECJ threatens to create massive dislocations in the practices of some 4,500 companies, including such stalwarts as Apple, Facebook and Google, that have routinely relied on the standard practices.

* * *

To see where the ECJ has gone off the rails, it is instructive to compare its approach with the data protection commissioner’s. The first question that the commissioner asked was whether Schrems could show that any data that he had placed on Facebook Ireland had been compromised when it was thereafter transferred and stored in the U.S. The commissioner insisted that unless Schrems could show some particularized harm to himself, he was not in a position to challenge the overall operation of this system, which was in compliance with Decision 2000/520 of the Commission, which set out the basic norms over data collection.

As a matter of general jurisprudence, the commissioner’s approach was eminently sensible because it did not put at risk long-term structures in the absence of any claim of demonstrable harm. The point is of great importance in this context, given the heavy reliance of all major data countries on a protocol that had been in place for a long period of time. It is in general a good maxim of law, in the EU as in the U.S., that “if it ain’t broke, don’t fix it.”

When the matter got to the ECJ, all prudential worries were brushed to one side, as the ECJ never once alluded to the practical consequences of its decision. Instead, the ECJ took the general view that Schrems, or indeed anyone else, could bring to the fore the question of whether the earlier accord was binding so long as an examination of the applicable legal rules showed a gap in the formal level of protection that U.S. law afforded data originating in the EU.

But why? The phrase “adequate protection” could easily be read as something short of ideal protection. But the ECJ took the opposite position in holding that the American statutory framework had to offer protection “essentially equivalent” to that supplied in light of exacting European standards, which started from the assumption that the privacy right in data — apparently even that which has been publicly posted on Facebook — was a fundamental interest deserving of the highest protection.

It was of course no accident that the ECJ made this cryptic reference: “Mr. Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the National Security Agency [NSA].” Thereafter the ECJ concluded that any surveillance in the name of national security cannot be pursued on a “generalized basis.” What is needed to act in defense of national security is some “objective criterion”— which is “specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.”

* * *

To American eyes, the ECJ decision was astonishing in several respects. The first is that it paid no heed whatsoever to the reliance-interest of thousands of companies, some large and some small, in the earlier set of rules. It is one thing for a court to shut down a set of untested protocols because they have the major potential of abuse. It is quite another to shut them down when there is no evidence of concrete abuse anywhere in the system for the 15 years that those practices have been in effect.

The second is that the ECJ attached no weight whatsoever to the massive dislocation that its decision would impose on all the companies in question. These harms extend also to the customers of these companies, many of whom, unlike Schrems, are quite happy with the present system developed under Decision 2000/520.

The third weakness of the ECJ position is that it misunderstands the nature of surveillance. Surveillance is not an effort to find the perpetrator of a particular past crime. It is correct to insist that the government has good reason to examine the private information of potential subjects. But when the government is trying to stop some conspiracy or deadly act before it occurs, it has to cast the net wider to gain the necessary information.

To give an example, it is perfectly appropriate for sniffer dogs to check airport luggage for traces of gunpowder. But only if that preliminary search yields positive results is it permissible to open the baggage. The same approach applies to investigations on the web. Tracing connections between persons is permissible without any specific evidence of criminality. But the content of any secret phone call should be examined only when there is good reason to think that it involves terrorist activities.

Normally, decisions to shut down major programs require some balance of the equities on both sides. That was wholly ignored by the ECJ. Starting from its dubious premises, the ECJ has ripped apart a system that will take a great deal of effort to put back together. In the interim, virtually all the companies in question are left adrift on the question of whether they should shut down their networks immediately or risk serious civil and criminal penalties for moving further forward in this direction. It takes years to put into place successful complex systems of data transmission. It takes only one arrant complaint and a dubious decision of the ECJ to rip it all apart.

Richard A. Epstein is the Laurence A. Tisch professor of law at New York University, the Peter and Kirsten Bedford senior fellow at the Hoover Institution at Stanford University, and the James Parker Hall distinguished service professor emeritus and senior lecturer at the University of Chicago.