* Austrian student secures landmark privacy ruling

* Legal battle results in "bombshell" decision

* Google, Facebook, IBM among companies affected

(Adds quotes from Schrems)

By Julia Fioretti, Shadia Nasralla and Francois Murphy

BRUSSELS/VIENNA, Oct 7 (Reuters) - From Vienna cafes to the European Union's highest court, an Austrian law student's two-year battle against Facebook and mass U.S. surveillance culminated in a landmark ruling that has rippled across the business world.

Max Schrems, a 28-year-old Facebook user finishing his Ph.D in law at Vienna University, took an interest in the subject of privacy during a semester at Santa Clara University in California.

The legal battle against mass U.S. surveillance that he subsequently pursued resulted in what lawyers called a "bombshell" ruling on Tuesday, knocking down the Safe Harbour data transfer framework between the European Union and the United States used by more than 4,000 companies, including Google , Facebook and IBM .

Schrems is taking the victory in his stride and has no "big plan for what's next".

"First of all now I have to finish my PhD," Schrems told Reuters. "I just keep doing my thing."

He will still be found at the traditional Cafe Ritter in Vienna's fashionable Mariahilf district, a home from home where he likes to spend time and meet friends.

He nurtures a fervent belief in his right to privacy, to be defended in the courts if need be.

"That I have to argue why I want my things should stay private should not be a topic, because it's a basic right. The same way that I don't have to argue why I want the right to vote I just have this right and I insist on that," he said.

Under EU law, companies may not transfer personal data to countries deemed to have lower privacy standards, such as the United States, unless they have legal contracts in place or have the explicit permission of the person in question.



"A BIG LIE"

The benefit of Safe Harbour was that it created a special arrangement for companies shifting data across the Atlantic, allowing them simply to state they had complied with EU data protection law.

The end of Safe Harbour has left a legal void which regulators, companies and lawyers are trying to fill as quickly as possible.

Schrems' legal battle followed revelations by former National Security Agency contractor Edward Snowden of details about the U.S. government's Prism programme, which allowed it to harvest private information directly from companies such as Facebook, Apple and Microsoft .

Facebook has repeatedly denied being a "back door" for U.S. intelligence agencies.

Schrems filed 22 complaints against Facebook in Ireland, where the company has its European headquarters, but he received no help from the authorities for years.

"They practically excluded me from my own case," Schrems said.

He even set up a website, called europe-v-facebook.org.

"The question is, do we have a fundamental right to data protection in Europe, do we have a private sphere in Europe, and do we enforce it Because until now we have been living a big lie," he said on Austria's ORF television on Tuesday.

However, he says he has nothing personal against the U.S. social network.

He is an active user of Twitter and Facebook and says he just wants to make it safer for people to communicate online.

"The blanket solution, so to speak, is to go offline. But then we have a society where everyone sits in their shell and can't speak to anyone. That is not what we want."

"Facebook was actually more of a coincidence," Schrems told ORF. He said he simply had to focus on one company to build a strong case.



FRIVOLOUS AND VEXATIOUS

Schrems withdrew his initial 22 claims against Facebook, but sent out the fateful 23rd claim, which wound its way up to the European Court of Justice.

He asked the Irish Data Protection Commissioner to stop Facebook's transfers of European users' data to its U.S. servers because of the risk of U.S. government snooping following Snowden's revelations on Prism.

His complaint that the United States did not provide sufficient privacy safeguards for data stored there was initially thrown out as "frivolous and vexatious" by the Irish authorities.

Yet that is the argument that was upheld by the highest court in the European Union on Tuesday.

(Additional reporting by Georgina Prodhan in Frankfurt; Editing by Tom Heneghan and Giles Elgood) ((julia.fioretti@thomsonreuters.com; +32 2287 6875; Reuters Messaging: julia.fioretti.thomsonreuters.com@reuters.net))

Keywords: EU IRELAND/PRIVACY SCHREMS