In the wake of the disclosure of the National Security Agency’s mass digital surveillance program, a group of Austrian students has filed a series of formal complaints with several European data protection agencies. The case could become the first legal proceeding to challenge the disclosure of non-American users’ data to the American government on the basis of alleged violations of European Union data protection law.

The students filing the complaints are all members of an advocacy organization called "Europe vs. Facebook," which for over two years has been encouraging Facebook users worldwide to request copies of whatever data Facebook holds on each of them. Ars profiled this effort, and its leader, Max Schrems, in December 2012.

“[The goal of this effort] is to see if it is legal for a European Union company to forward data to the National Security Agency in bulk,” Schrems told Ars. “[And] to get more information, because they will have to disclose stuff in a proceeding here. The US gag orders are not valid here. Both might be another puzzle piece for the good of mankind.”

Under Irish data protection law, which implements the EU directive, Facebook is required to comply with user data access requests within 40 days, since its international (i.e., non-American) headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

Schrems and his colleagues now hope to use European law to find out what has been done with their data held by various digital services, including Facebook (PDF), Apple (PDF), Microsoft (PDF), Skype (PDF), and Yahoo (PDF), all of which were reported to have complied to some degree with the NSA’s PRISM surveillance program. These formal complaints (PDF) were filed with the relevant data protection authorities (DPAs) in Ireland, Luxembourg, and Germany on Wednesday.

“I kindly ask you to investigate the following complaint”

The documents ask the DPA in each country to come to a “formal decision,” which is the first step in the legal process—if one of the parties is unhappy with the outcome, he or she can appeal to a court of law.

The Austrians are relying on a fundamental idea of European Union data protection law, which dictates that anyone interacting with an EU company or government agency can, for any reason, request all the data that entity holds about them, and the company or government agency must comply. (American law has no equivalent principle, largely leaving privacy and data protection issues to be sorted out in contract law between individuals and corporations.) The idea is summed up in Section V, Article 12 of the 1995 EU directive "On the protection of individuals with regard to the processing of personal data and on the free movement of such data."

As Schrems writes in his own letter to the Irish DPA with regard to his own Facebook account:

This is a formal complaint against “Facebook Ireland Ltd” under section 10 of the Irish DPA and at the same time also a request for a formal decision by the DPC. There is probable cause that “Facebook Ireland Ltd” is breaking the Irish DPA and the underlying Directive 94/46/EG, and I kindly ask you to investigate the following complaint, inform me about your findings and make a legally binding decision after conducting a fair trial. . . .

As mentioned above, my data is processed in the US by “Facebook Inc”. This means that thereby “Facebook Ireland Ltd” is transferring my data to a third country without an “adequate level of protection”. Correspondingly, Article 25 of Directive 95/26/EG and section 11 DPA apply to such transfers. A transfer to a third country without an adequate level of protection is only allowed under Article 25 of Directive 95/46/ if the fundamental rights and the right to data protection of the data subjects enjoy adequate factual and legal protection in the third country. The exceptions under section 11(4) DPA clearly do not apply. “Facebook Ireland Ltd” might argue that users have consented to such transfer, but users have surely not given informed consent to the processing of their personal data in the US. “Facebook Ireland Ltd” has not informed its users about mass access and about the cooperation with the NSA. To the contrary, “Facebook Inc” and “Facebook Ireland Ltd” are denying any such cooperation. Therefore there cannot be any informed consent. . . .

In particular, the DPC should investigate if a blanket exception for “national security” or “statutory law” of the US can be in line with Directive 95/46/EC and the users’ fundamental rights under the European Union treaties. Until today it was primarily held that only the “national security” and laws of EU member states – and not any third country – can create exceptions for data processing. Otherwise the DPC would have to clarify in which case the “national security” or the law of a foreign country can be used to waive EU data protection laws. . . .

EU citizens are generally exempt from constitutional protection of their fundamental rights, since the US is still following the idea of “civil rights” (only applying to US citizens and people inside of the US) instead of “human rights”. A “mass confiscation” of the EU citizens’ data is therefore not covered by protections under the US constitution, but instead expressly allowed under § 1881a U.S.C. (also known as 702 FISA). There is no effective judicial oversight, because only the service provider – not the data subjects – can take legal action. The relevant FISA court forms its decisions behind closed doors, and it has been reported that it has so far almost never refused any requested access to data. In addition, many other laws like the “Patriot Act” allow access to the data of European citizens in a way that is hardly in line with European fundamental rights.

Ars asked Microsoft, Apple, Yahoo, and Facebook for their reaction, but they did not immediately respond. We will update this story when we have more information.

UPDATE 9:55am CT: Eoin O'Dell, a law professor at Trinity College Dublin, told Ars that Schrems et al.'s legal arguments are "potentially very strong," pointing out that others have already raised similar prospects.

"As they move up through the courts' hierarchy and reach the Court of Justice of the European Union and the European Court of Human Rights, the arguments get stronger," he said, noting that the group still has a ways to go.

"Many of the defenses will raise jurisdictional issues, to the effect that the named defendants aren't the proper ones: e.g., it's not Facebook Europe that gave the NSA access, it's Facebook US, and the Irish regulators have no jurisdiction over Facebook US," he concluded.

UPDATE 10:36am CT: Dominick Boecker, a German IT lawyer, told Ars: "As [e-mails] were copied (and presumably read), German criminal law is applicable and Sect 202a, 202b. The NSA guys should better not set foot on German soil."

"[With respect] to the actual filings: tech companies doing business in the EU have to obey European and their local law," he added. "These rules can't simply be overruled by US-law (and vice versa). The tech companies are in a dilemma: they (presumably) have to obey US law and hand [over] the data to the NSA and they have to obey European (local) law and must deny handing out the data."