Europe's top court, the Court of Justice of the European Union (CJEU), has struck down the 15-year-old Safe Harbour agreement that allowed the free flow of information between the US and EU. The most significant repercussion of this ruling is that American companies, such as Facebook, Google, and Twitter, may not be allowed to send user data from Europe back to the US.

It's important to note that the CJEU's ruling (PDF) will not immediately prevent US companies from sending data back to the motherland. Rather, the courts in each EU member state can now rule that the Safe Harbour agreement is illegal in their country. It is very unlikely, however, that a national court would countermand the CJEU's ruling in this case.

The case was originally sent to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Maximilian Schrems, an Austrian citizen. He had argued that in light of Snowden's revelations about the NSA, the data he provided to Facebook that was transferred from the company's Irish subsidiary to the US under the Safe Harbour scheme was not, in fact, safely harboured. Advocate General Yves Bot of the CJEU agreed with Schrems that the EU-US Safe Harbour system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.

According to an earlier CJEU statement (PDF), "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the [Charter of Fundamental Rights of the EU]." Another issue, according to the Advocate General, was "the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States," which therefore amounts to "an interference with the right of EU citizens to an effective remedy, protected by the Charter."

Because the CJEU was ruling on an issue in Ireland, the Irish court is expected to make its own judgement shortly. It is likely that the Irish court will side with the CJEU. When that happens, one of two things will need to happen: Facebook, and many other US companies with Irish subsidiaries, will need to keep European data within the EU; or the US will need to provide real privacy protection for EU data when it flows back to the US. As the latter is unlikely due to pressure from the NSA and other intelligence agencies, we suspect most US companies will opt for the former.

Twitter may have already begun this bifurcation of its data. Back in May, it published a new privacy policy that laid out two different sets of rules: one for US users, and another for everyone else. It isn't entirely clear if Twitter moved all non-US data over to its Irish subsidiary at the time, but presumably it was at least laying the groundwork for an impending CJEU ruling.

The third possible route is that the EU could negotiate another Safe Harbour agreement with the US; but following the CJEU's ruling, it would have to be quite stringent.

All in all, this is a huge victory for the privacy of EU citizens—and it's all down to Edward Snowden shining a torch on the NSA's indiscriminate spying on European citizens.