A 21 year-old Austrian law student named Max Schrems has won a legal battle in the European Union that now protects personal data from being sent to the United States from the EU without the consent of the data’s European owners.

The European Court of Justice (ECJ) ruled the transfer of data covered by the “Safe Harbour” arrangements used by over 4,000 firms such as Google, Facebook and IBM is illegal and ordered a stop to the practice. These agreements allowed companies to claim they had complied with EU data protection law when in fact they weren’t doing so.

This now illegal practice formerly gave spy agencies such as the U.S. National Security Agency illegal access to huge amounts of data about users in Europe without their owners’ knowledge or approval.

Last September, ECJ Advocate General Yves Bot argued safe harbour agreements didn’t meet the requirements of the EU’s Data Protection Directive and should be voided. Safe harbour agreements are supposed to ensure data transfers from the EU to the US are legal under European data privacy laws.

This directive states that companies can’t transfer personal data to countries such as the US that have lower privacy standards than the EU unless companies have legal contracts or have secured the explicit permission of each of the persons whose data is being used.

Bot said the “mass, indiscriminate surveillance” conducted by U.S. intelligence agencies renders safe harbour agreements invalid. He recommended the ECJ should invalidate the 15 year-old data transfer agreement between the EU and the U.S. This week, the ECJ accepted Bot’s arguments, in effect ending all Safe Harbour agreements and rendering void the legal framework underpinning these agreements.

Schrems, the unlikely hero of this Bambi versus Godzilla saga, said he took up arms against this invasion of privacy after Edward Snowden blew the lid off the U.S. government's Prism program that allowed it to amass private information directly from Apple, Facebook and Microsoft without the consent of the owners of this data.

Two years ago, Schrems filed 22 lawsuits against Facebook in Ireland, the company’s European headquarters. He asked that the Irish Data Protection Commissioner stop Facebook from continuing to transfer data about its European users to its U.S. servers because of U.S. government spying. Facebook has consistently denied it provided an open back door for U.S. spying.

Privacy activist Schrems also created a website called “europe-v-facebook.org” to advance his pro-privacy cause. The Irish government refused to act on his cases, however, branding them "frivolous and vexatious".

“They practically excluded me from my own case,” Schrems said, according to Reuters.

Schrems, a passionate champion of the right to privacy, withdrew his initial 22 claims against Facebook but filed a 23rd lawsuit that wound up in the ECJ, said Yahoo. He considers privacy a basic human right.

"The question is, do we have a fundamental right to data protection in Europe, do we have a private sphere in Europe, and do we enforce it? Because until now we have been living a big lie," Schrems said following the ECJ decision upholding his case.

For now, Schrems is basking in the afterglow of his fantastic victory. His plans?

"First of all now I have to finish my PhD," Schrems said. "I just keep doing my thing”.

He has no "big plan for what's next".

Contact writer at feedback@ibtimes.com.au, or let us know what you think below.