Student Max Schrems launched the case following revelations two years ago by former US National Security Agency contractor Edward Snowden about the NSA's surveillance programs. Schrems complained to the data protection commissioner in Ireland, where Facebook has its European headquarters, that US law doesn't offer sufficient protection against surveillance of data transferred by the social media company to servers in the United States.
Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU's executive Commission that, under the so-called "safe harbor" deal, the US ensures adequate data protection.
On Tuesday, the European Court of Justice ruled that decision by the Commission invalid.
It said the effect is that the Irish data commissioner will now be required to examine Schrems' complaint "with all due diligence."
Once it has concluded its investigation, the authority must "decide whether ... transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data," the court said in a summary of its ruling.
Facebook said it couldn't immediately comment.