The EU's Justice Commissioner has written to the US attorney general, questioning him about America's data surveillance programme, Prism.
Viviane Reding wrote that she was concerned America's efforts "could have grave adverse consequences for the fundamental rights of EU citizens".
A series of leaks suggest major tech firms have passed information to the National Security Agency, the US government's snooping organisation.
Experts say they could now be sued.
"European data protection laws put restrictions on how data gathered about people, including social networking data, can be used," said Dr Ian Brown, associate director of Oxford University's Cyber Security Centre.
"The firms will now face serious questions from national data commissioners and even potentially from individual users in Europe over whether they followed all the European data protection laws that are supposed to stop things like this happening."
According to leaked documents published by the Guardian and Washington Post newspapers, the NSA can order internet firms to give it access to private emails, online chats, pictures, files, videos and other data uploaded by foreign users.
Google has said that its compliance with the requests did not give the US government "unfettered access to our users' data", but notes that nondisclosure obligations prevented it providing detailed information to the public.
Along with Facebook, Microsoft and Twitter, it has asked to be allowed to publish information about the number and scope of the requests received.
Media reports suggested Yahoo, PalTalk, AOL and Apple have also been involved in Prism.
US intelligence chiefs have said that the data-sweeps save lives by helping thwart terror plots.
In her letter to Eric Holder, Ms Reding asks questions on seven areas of concern about Prism and other US data surveillance programmes:
- Are they only aimed at gathering the data of US citizens and residents, or are they also - or even primarily - targeting non-US nationals, including EU citizens?
- Is the data collection limited to specific and individual cases and, if so, what criteria are applied?
- How regularly is the data of individuals collected or processed in bulk?
- What is the scope of Prism and other such programmes? Is it limited to national security and foreign intelligence, and if so how are such terms defined?
- How might companies in the US and EU challenge the efforts to access and analyse the data?
- What ways might EU citizens find out if they have been affected? How is this different to the situation for US citizens and residents?
- How might EU citizens and companies challenge any effort to access and process their personal data? How does this compare to the rights offered to US citizens and residents?
Ms Reding added that American law enforcers should only be given access to EU citizens' data being held on US companies' servers in "clearly defined, exceptional and judicially reviewable situations".
A spokeswoman for the commissioner confirmed the letter had been sent on Monday evening, and that Ms Reding expected detailed replies to her questions when she meets Mr Holder at a previously scheduled event in Dublin on Friday.