The European Court of Justice said that Safe Harbour did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures.
The court also said that the ruling means the Irish Data Protection Commission, which regulates Facebook, now needs to decide whether the social network's EU-to-US transfers should be suspended.
Facebook has denied any wrongdoing. "This case is not about Facebook," said a spokeswoman.
"What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.
The ruling was the result of a legal challenge against Facebook by 28-year-old law graduate Schrems for alleged privacy breaches. He is concerned that the social network might be sharing European's personal data with US cyberspies.
"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," Schrems said. "It clarifies that mass surveillance violates our fundamental rights."
But others have warned it could have far-reaching consequences, with thousands of US businesses using Safe Harbour as a means of moving information to the US from Europe.