"He says the infringement came about thanks to Facebook transferring its users' data to the US National Security Agency (NSA)."
Presumably Facebook will argue that the data was entered onto a US server by the user. Therefore, the transfer from the EU to the US was performed by the data owner, not them, and any subsequent transfer from Facebook to the NSA comes purely under US law.
It's a little different from (say) European airlines transferring customer data to the US. In that situation, the initial transfer was from a European resident to a European company.
Certainly if I went onto a North Korean web-site and entered a load of stuff I wouldn't expect that data to enjoy the protection of EU law. Whenever you have transactions between two entities in different legal jurisdictions there is bound to be some dispute over whose legal system takes precedence.