A trans-Atlantic pact that potentially allows U.S. spies to get their hands on European citizens' private data was declared invalid by the EU's highest court, in a ruling that threatens to plunge Internet companies into a legal limbo.

Judges at the European Union's top court struck down the so-called safe-harbor accord after an Austrian law student complained about how U.S. security services can gain unfettered access to Facebook Inc. customer information sent to the U.S. Other U.S. companies, including Google Inc. and Yahoo! Inc., may also be effected.

Austrian privacy activist Max Schrems

Photographer: Christian Bruna/AFP via Getty Images

The 15-year-old agreement, which allows American companies to move commercial data back to the U.S., compromises the privacy of EU citizens and their right to challenge the use of their information, the EU Court of Justice in Luxembourg said Tuesday.

"This judgment is a bombshell," said Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels. "The EU's highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbor. All these companies are now forced to find an alternative mechanism for their data transfers to the U.S. And, this, basically overnight."

Snowden Revelations

The EU's top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU's tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.

The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy isn't breached.

'Invalid'

U.S. legislation "permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the EU court said in a binding ruling. The pact "is accordingly invalid."