A controversial deal between Brussels and Washington to hand over full passenger details on flights between EU countries and the US was thrown out by European Court judges today.
The information was demanded by the Americans as a security measure in the wake of the terrorist attacks in September 2001.
But it was opposed by many Euro-MPs as a flagrant breach of privacy laws.
Now the European Court of Justice has backed the Euro-MPs and scrapped the "Passenger Name Records" (PNR) system which is already in operation.
The judges said the agreement with the US had to be annulled because existing EU data protection law only covers commercial data, not that used for security purposes.
The judges said the system should continue until the end of September "for reasons of legal certainty and in order to protect the persons concerned",
But then it had to be annulled because existing EU data protection law only covers commercial data, not that used for security purposes.
Liberal Democrat leader in the European Parliament Graham Watson, who led the campaign against the legislation, welcomed the result:
"The response to 9/11 has been costly, both to the taxpayer and to individual freedom. It has made us little, if any, safer.
"Today's judgment vindicates the four-year campaign that I and my colleagues led in the European Parliament to protect the privacy of airline passengers."
Fellow Liberal Democrat MEP Sarah Ludford said: "The Commission and Council (EU governments) are hoist with their own petard.
"The European Parliament has been arguing for years for adequate safeguards when data is transferred in the police and intelligence field.
"Our victory in this case demonstrates the refusal of MEPs to buckle in the face of transatlantic bullying, and to challenge 'security' proposals which undermine the legitimate interests of the citizens we are elected to represent."
She said MEPs would now be alert for any Washington attempts to replace the EU-wide data processing deal with a series of bilateral deals with national authorities "with similarly inadequate safeguards against misuse of personal data."
Today's ruling made clear that the transfer of private data on individuals for security reasons was not covered by EU rules on "data processing" as part of the supply of commercial services - such as information on individuals necessarily held by airlines when people bought travel tickets.
EU data protection rules excluded from their scope "processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law."
And the "data processing" in question in the EU-US deal was clearly on security grounds, as set out by the US Bureau of Customs and Border Protection (CBP).
The deal on "processing and transfer of personal data" on transatlantic flights was backed by EU governments and the European Commission.
It meant complying with US anti-terrorist legislation requiring that all airlines operating flights to, from or across American territory provide the US authorities with electronic access to all passenger data in their reservation and departure control systems.
Concern about a conflict with EU privacy laws led to protracted negotiations, ending in May 2004 when the Commission said it was satisfied with restrictions imposed on the use of the information by the CBP.
Euro-MPs then challenged it, arguing that fundamental rights were being infringed and that there was no legal basis in EU law or supplying such detailed information.
The judges emphasised today that EU law on data protection included a full commitment to supporting the US in the fight against terrorism "within the limits imposed by Community law".
Washington had warned that failure to agree a deal on passenger data would mean prolonged delays for air passenger from Europe, as more processing would be required on arrival in America.
And the court decision almost certainly means more queues and long hold-ups for Europeans at American airports once the current system is scrapped at the end of September.
The fact that the verdict was based on a legal argument about the scope of EU data protection laws paves the way for a possible attempt to negotiate a similar, but "intergovernmental" EU deal with the US.
That would mean any passenger data transfer agreement would not be subject to the current restrictions of the EU rules identified by the judges today.
And the verdict could pose a big headache for individual European airlines. They could face the threat of sanctions from Washington if they refuse to cooperate with the US electronic passenger information requirements - and sanctions from their national data protection authorities if they do.
The European Parliament's assault on the legislation was far from unanimous - in a vote in March 2004, MEPs threatened by 229-202 to take the issue to the European Court.
The UK Government was ordered to pay its own costs today because the UK opted to support as a named individual country the defence mounted against the Euro-MPs' case by the European Commission and by the 25 EU governments acting as the Council of Ministers.