An Austrian law student thought Facebook wasn't safeguarding his status updates and private chats from the spying U.S. government. So he took the company to Europe's highest court. And now thousands of U.S. companies have lost their shield against Europe's privacy police.

The Oct. 6 ruling by the Court of Justice of the European Union ended a 15-year-old agreement that enabled American companies to collect and store private data on European citizens. The decision to toss out the "Safe Harbour" agreement exposes more than 4,000 businesses, including such Minnesota giants as 3M, Ecolab and St. Jude Medical, to potential investigation by European government agencies that enforce privacy laws.

"This really was a bombshell in the world of data transfer and the ability of businesses to do what they need to do," said Mike Cohen, a principal at Gray Plant Mooty in Minneapolis, who advises companies on privacy law.

Despite that, no one expects the E.U. to set up a blockade on the transatlantic flow of data while governments and businesses scramble to work out new arrangements. But it reveals Europeans' higher expectation of privacy for the data they provide to companies, and their increasing alarm with how American businesses, knowingly or not, share it with others.

"They look at [privacy] as a fundamental right," Cohen said. "Here in the U.S., we look at data to monetize it."

Practices that Americans take for granted — mailing lists being shared, marketing pitches based on shopping behavior — are "mind-boggling" to Europeans, said William McGeveran, a law professor at the University of Minnesota. "When you talk to Europeans, they just can't believe all these businesses just swap information about what kind of customer you are."

Schrems launched his case after he requested his data from Facebook and found the company still had data he had deleted.

That concern was the origin of the Safe Harbour agreement. In 2000, the E.U. decided U.S. laws did not adequately protect information on European customers, employees and others. But individual companies could certify that they would abide by European standards of data security.

McGeveran said the ruling in the Safe Harbour case is consistent with the court's 2014 decision that Europeans have a "right to be forgotten," a ruling that forced Google to delete links to information about individuals if they can show the sites are irrelevant or outdated. European countries also have government agencies, called data protection authorities, that enforce violations of privacy laws.

The current controversy began when the Austrian student, Max Schrems, was studying in California a few years ago, according to a recent New York Times profile. Schrems told the Times that a Silicon Valley executive visited his class and seemed to have little regard for Europe's laws on data privacy.

Those laws allow private citizens to get the information companies hold on them, so Schrems requested his own data from Facebook. He was shocked to find the company had a complete record of everything he had done on Facebook from the moment he registered, including data that he had deleted.

In spring 2013, Edward Snowden's revelations of massive surveillance by the National Security Agency (NSA) prompted Schrems to file a complaint against Facebook in Ireland, where its European operations are based. Schrems argued that Facebook could not keep his data safe from the NSA and other unauthorized users once it was stored on U.S. servers.

The ruling from Europe's high court made Schrems, 28, a celebrity among privacy campaigners and earned him a congratulatory tweet from Snowden.

The sensitivity to U.S. spying on Europeans is somewhat baffling, given recent moves in France and other European countries to increase surveillance of its citizens, McGeveran said.

It's also ironic that the watershed privacy ruling emerges from posts on Facebook, where "friends" feel compelled to document every meal, bike ride and goofy argument with their toddlers, rather than sensitive information handed over to a bank or medical clinic.

For all their obsession with privacy, Europeans are more accustomed than Americans to sharing certain things about themselves. Job applicants routinely offer their ages, marital status and religion to potential employers, all of which U.S. employers are prohibited from asking due to anti-discrimination laws, McGeveran said.

Meanwhile, Europeans are quite open about something that most Americans avoid in public: nudity.

"There are topless beaches all over the place," McGeveran said.

Contact James Eli Shiffer at james.shiffer@startribune.com or 612-673-4116.