Europe's top court has been advised to rule that US spy chiefs can be banned from accessing online data of citizens.
In a significant move for internet privacy campaigners, a lawyer for the European Court of Justice said an EU-US agreement on the transfer of huge data banks does not stop watchdogs from suspending the movement of information.
Yves Bot, advocate general in the Luxembourg-based court also said the deal should not prevent investigations of complaints against web giants.
The assessment - described by the ECJ as an opinion and with no guarantee it will be accepted when judges rule later this year - was released after a long-running challenge by Austrian campaigner Max Schrems over Facebook's use of his personal data and its transfer to American intelligence agencies.
He said the ruling could have major implications for EU-US data flows and US internet companies operating in Europe.
"After an initial review of the advocate general's opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general's opinion in principle," he said.
Mr Schrems said that while his case was specific to Facebook it may also apply to other tech giants like Apple, Google, Yahoo and Microsoft.
His legal battle over Safe Harbor was sparked by revelations over the US National Security Agency (NSA)'s Prism surveillance system which was exposed by whistleblower Edward Snowden.
It allowed spies to wade through billions of bits of personal data, communication and information held by nine internet giants.
Mr Bot's opinion, although not binding, is normally accepted in later rulings by the judges of the ECJ although there have been exceptions.
He branded the US spying as "mass, indiscriminate surveillance".
On the specific role of Safe Harbor, Mr Bot said data transfers are an important and necessary element of the transatlantic relationship between the US and Europe.
But he warned that the European rules which govern it are invalid.
In one of the most hard-hitting findings, Mr Bot said the access US spies have to European data interferes with the right to respect for private life and protection of personal data.
He said internet users in Europe have no effective judicial protection while the large scale data transfers are happening.
In the 44-page opinion Mr Bot found: "The access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.
"Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter (of Fundamental Rights of the European Union)."
Mr Schrems, a Facebook user since 2008, first took his opposition to the Safe Harbor arrangement to the Data Protection Commissioner (DPC) in Ireland - famously based in the unlikely setting of offices above a corner shop in the town of Portarlington.
Everyone on the social network in the EU signs a contract with Facebook Ireland, audited by the DPC, and under the US-EU data transfer all their details can be accessed by the NSA.
Mr Schrems's challenge to seek an investigation into what data of his was sent to US spies will come back to the High Court in Dublin after the ECJ issues its final ruling.
His action was sparked by the Snowden revelations.
The former NSA contractor triggered a wave of controversy when he leaked tens of thousands of documents about surveillance programmes run by the US intelligence services and foreign counterparts, including Britain's GCHQ, in 2013.
He fled to Hong Kong where he met journalists to co-ordinate a series of articles that exposed mass surveillance programmes such as the NSA's Prism and GCHQ's Tempora, which involve "hoovering up" vast volumes of private communications.
Once Snowden's identity was revealed, he fled to Russia, and he remains wanted by the US authorities.
John Higgins, director general of DigitalEurope, which lobbies for tech firms in Brussels, said the ECJ opinion raises fears that consumers in Europe would lose out on new services if it requires data transfers to the US or elsewhere.
"We are concerned about the potential disruption to international data flows if the court follows today's opinion," he said.
In Brussels, the European Commission said 13 revisions to Safe Harbor have been adopted in a bid to restore trust and it was also confident a deal could be done soon on new data transfer arrangements.
Vera Jourova, European commissioner for justice, consumers and gender equality, said: "My aim is to ensure that European consumers' personal data is effectively protected in practice.
"A strengthened Safe Harbor will restore trust in EU-US data flows. I am confident that we will be able to soon conclude our work on strengthening the Safe Harbor arrangement."