US spy chiefs can be blocked from accessing online data of European citizens, a court has ruled.
In what is being billed as a landmark decision, the European Court of Justice (ECJ) issued its opinion after Austrian campaigner Max Schrems challenged Facebook over the transfer of his personal information to American intelligence agencies.
The Luxembourg court found the Safe Harbor agreement between the US and Europe, which gives spies access to huge banks of data, does not stop watchdogs from investigating complaints or bar them from suspending the transfers.
The arrangement allows the National Security Agency (NSA) to use the Prism surveillance system exposed by whistleblower Edward Snowden to wade through billions of bits of personal data, communication and information held by nine internet giants.
Mr Schrems said the ruling could have major implications for EU-US data flows and US internet companies operating in Europe.
"After an initial review of the advocate general's opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general's opinion in principle," he said.
In his opinion, which the ECJ said is not binding, Advocate General Yves Bot found that data transfers are an important and necessary element of the transatlantic relationship between the US and Europe.
But he warned that the European rules which govern it are invalid.
In one of the most damning findings, the ECJ said the access US spies have to European data interferes with the right to respect for private life and protection of personal data.
It said internet users in Europe have no effective judicial protection while the large scale data transfers are happening.
The ECJ branded the US spying as "mass, indiscriminate surveillance".
Mr Schrems said that while his case was specific to Facebook it may also apply to other tech giants like Apple, Google, Yahoo and Microsoft.
In the 44-page opinion Mr Bot found: "The access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.
"Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter (of Fundamental Rights of the European Union)."
The final ruling by the ECJ's 15 judges is expected later this year and while Mr Bot's opinion is not binding the court's final decision normally follows his initial assessment.
Mr Schrems, a Facebook user since 2008, first took his opposition to the Safe Harbor arrangement to the Data Protection Commissioner (DPC) in Ireland - famously based in the unlikely setting of offices above a corner shop in the town of Portarlington.
Everyone on the social network in the EU signs a contract with Facebook Ireland, audited by the DPC, and under the US-EU data transfer all their details can be accessed by the NSA.
Mr Schrems's challenge to seek an investigation into what data of his was sent to US spies will come back to the High Court in Dublin after the ECJ issues its final ruling.
His action was sparked by the Snowden revelations.
The former NSA contractor triggered a wave of controversy when he leaked tens of thousands of documents about surveillance programmes run by the US intelligence services and foreign counterparts, including Britain's GCHQ, in 2013.
He fled to Hong Kong where he met journalists to co-ordinate a series of articles that exposed mass surveillance programmes such as the NSA's Prism and GCHQ's Tempora, which involve "hoovering up" vast volumes of private communications.
Once Snowden's identity was revealed, he fled to Russia, and he remains wanted by the US authorities.