WASHINGTON — Europe’s top court on Tuesday ruled that a 15-year-old agreement allowing American companies to handle Europeans’ data was invalid, a decision that could affect how technology companies such as Amazon, Facebook and Google operate overseas.

The European Court of Justice examined the case of an Austrian citizen who claimed that his data, in light of revelations by Edward Snowden that U.S. agencies spied upon people in other nations, wasn’t being adequately protected.

The ruling comes as European leaders and Washington are negotiating a new agreement on data transfers across the Atlantic. It also raises questions about how major U.S. tech firms can continue to operate there without breaking the law.

Currently, under so-called Safe Harbor rules, U.S. firms are allowed to transfer personal data of European citizens back to the U.S. and they only have to follow one set of rules on how data they store and collect within the European Union is protected.

If the Safe Harbor rules in place since 2000 are done away with, each country in the European Union could potentially set is own privacy rules and regulations, creating enormous barriers to U.S. firms doing business there.

The ruling could “unintentionally tilt the global privacy and data protection landscape to make the EU the global center of gravity,”  said Jim Koenig of Paul Hastings, a Washington, D.C.-based law firm.

It could also force U.S.-based businesses to make expensive infrastructure investments and build European data centers to process data previously transferred to the U.S., said Scott Vernick, head of the data security and privacy practice at law firm Fox Rothschild.

Laws in the European Union view personal data privacy as a fundamental right. U.S. laws consider it more an issue of consumer protection.

To bridge that gap, the Safe Harbor agreement was created. It provides U.S. companies with a single legal framework for sharing information with European firms, giving them legal protection to do business.

Some of the requirements of the agreement include that organizations which collect and use information about individuals tell them why the information is collected, give them choice to opt out of having their personal information disclosed to a third party, be able to correct or delete inaccurate information and take reasonable precautions to protect the information from loss or unauthorized access

Today more than 3,000 businesses in the U.S. and the EU depend on the agreement to avoid running afoul of European privacy laws, according to the Information Technology and Innovation Foundation.

That could change because of the lawsuit brought last year against Facebook by Austrian law student and privacy advocate Max Schrems.

He argued that spying on Europeans by the National Security Agency, as disclosed by Snowden, meant his data privacy rights were not being adequately protected.

Schrems filed the case in Ireland, Facebook’s European headquarters. The Irish court rejected the suit and Schrems appealed to the European high court.

“This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights,” Schrems said in a statement posted on his Twitter account after Tuesday’s ruling.

There was no immediate reaction from U.S tech firms.

In an opinon on Sept. 23, the European Court’s Advocate General for the case, Yves Bot, had already declared the Safe Harbor agreement invalid.

Bot wrote that, “once personal data is transferred to the United States, the National Security Agency and other United States security agencies such as the Federal Bureau of Investigation are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.”

The U.S. Mission to the European Union issued a statement saying that “the United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.”

The PRISM surveillance program is “targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations,” the statement said.