Europe's highest court has issued a key finding that the surveillance of citizens' data by the US intelligence services is "mass" and "indiscriminate" and, therefore, European national authorities are entitled to suspend the transfer of that data if there are concerns.
The opinion relates to a case brought to the Irish High Court by an Austrian citizen over the transfer of data to the US by an Irish subsidiary of Facebook.
The European Court of Justice this morning held that the revelations by the whistle-blower Edward Snowden over spying by the National Security Agency had given rise to "serious concerns" about the protection of EU citizens' data transferred to the US.
The finding came via an opinion issued by the Advocate General Yves Bot.
If confirmed by the court's judges the opinion could have a major impact on how hi-tech US multinationals operating in Europe handle the transfer of data to the United States.
Max Schrems, who took the case, had argued that due to the Snowden allegations over widespread surveillance of data in US-based servers held by companies like Facebook and Google, EU citizens' data transferred to the US was at risk.
Of particular concern was the NSA's so-called PRISM scheme under which it obtained unrestricted access to mass data stored on US servers owned or controlled by technology giants like Facebook.
Mr Schrems, a Facebook user since 2008, had brought a complaint to the Irish Data Protection Commissioner that US law offered insufficient protection regarding citizens.
The complaint was rejected because of an EU directive dating back to 2000 relating to the transfer of data from the EU to the US.
Under the directive the so-called Safe Harbour agreement was regarded as ensuring that US data protection laws were adequate.
The case then went to the Irish High Court, which forwarded the issue to the ECJ in Luxembourg.
This morning the ECJ advocate general issued an opinion on the case. The opinion is not binding, but in 80% of cases an opinion is reflected in the final judgment.
It found that the Safe Harbour agreement was inadequate and that national supervisory authorities, such as the Irish Data Protection Commissioner, were entitled to suspend the transfer of data if there were concerns.
The advocate general held that "the safe harbour scheme ... does not contain appropriate guarantees for preventing mass and generalised access to the transferred data."
In a statement issued by the court, it was argued that, as such, fundamental EU rights such as the right to respect for private life and the right to the protection of personal data, were at risk.
The statement added that because surveillance by US intelligence services was "mass, indiscriminate" then those rights could be breached.
The court noted that all Facebook users in the EU are required to sign a contract with the company's subsidiary Facebook Ireland, and that "some or all of the data" of Facebook users is transferred to Facebook's US servers.
The court also noted that the Irish Data Protection Commissioner had refused to investigate Mr Schrem's complaint because he regarded it as "vexatious or frivolous", and that the existence of the Safe Harbour scheme had prevented him from taking any further action.
According to the ECJ, the Irish High Court had found that intercepting personal data was a legitimate exercise in national security and preventing serious crime, but that it had acknowledged that the revelations by Mr Snowden showed "over-reach" by the NSA.
TJ McIntyre of Digital Rights Ireland said there were "very significant economic interests at stake " following the legal opinion.
Mr McIntyre said this was the case because the modern internet economy depends very much on data transfers.
He said if the full ruling follows the ECJ's legal opinion, there will be immense pressure on the European Commission and the United States to conclude a revised Safe Harbour agreement which will put greater protections in place.
Mr McIntyre said while the Advocate General found the Irish Data Protection Commissioner had behaved "properly", the Commissioner ultimately had not gone far enough.
He said the Irish Data Protection Commissioner was found to have had "too cramped an understanding of their role".
Mr McIntyre said the ruling is followed "we can expect National Data Protection Authorities to have a greater role in scrutinising how your data is protected when it's transferred abroad".