On 6 October 2015, the Court of Justice of the European Union (CJEU) issued the final ruling in Schrems v Data Protection Commissioner (Case C-362/14). In its ruling the Court invalidated the Safe Harbour arrangement, which governs data transfers between the EU and the US. While the decision does not automatically put an end to data transfers from Europe to the United States, it allows each country's national regulators to suspend transfers if the company in the United States does not adequately protect user data. The paper analyses the most important aspects of the judgment: the Court’s definition of the competences of national data protection authorities, the Court’s interpretation of the criteria for ‘adequacy’ under Article 25(6) of Directive 95/46/EC and the reasoning of the Court for the invalidation of the Safe Harbour Agreement. Further, and in line with the findings of the Court, the paper analyses the relationship between state surveillance and data protection and examines the consequences of the Court’s ruling.