In 1995, the European Union adopted the Data Protection Directive to govern the processing, use, and exchange of personal data. The United States refused to enact similar legislation, consequently jeopardizing ongoing and future data transfers with the European Union. To prevent economic catastrophe, the United States negotiated with the European Union to reach the Safe Harbor Agreement and, on July 26, 2000, the European Commission formally recognized the agreement as compliant with the Data Protection Directive in its Safe Harbor Decision. In 2013, U.S. data protection standards were once again placed under the microscope when Edward Snowden leaked information regarding the National Security Agency’s surveillance activities. In the wake of these leaks, Maximillian Schrems filed a complaint with the Irish Data Protection Commissioner, claiming that Facebook was not adequately protecting his personal data from National Security Agency surveillance when transferring it from its European Union servers to its U.S. servers. On October 6, 2015, the European Court of Justice invalidated the Safe Harbor Decision in Schrems v. Irish Data Protection Commissioner. This Comment examines the court’s reasoning and argues that the court erred in interpreting Article 25 of the Data Protection Directive and overstepped jurisdictional boundaries.