Late last week, Max Schrems, the Austrian law student who began Europe-v-Facebook and has seen his suit against the Irish DPA regarding Facebook's handling of his data forwarded all the way to the European Court of Justice, posted a somewhat cryptic tweet:
#ECJ hearing on #SafeHarbor / #PRISM (C-362/14) may take place at soon as next month. More in the next days... #EUDataP
— Max Schrems (@maxschrems) February 12, 2015
Contacted directly, Schrems could only say that he'd been given a "heads up" from the courts and that he's bound by court rules that don't allow for public statements that might be construed as trying to influence public opinion around the case.
As a refresher, at issue is whether U.S. intelligence programs, such as PRISM, which involve sharing by U.S. companies of EU citizen data with organizations like the NSA, violate the fundamental rights of those EU citizens. If the ECJ finds that they do, then Safe Harbor could be invalidated as a program for cross-border data transfer between the EU and U.S.
Already, Safe Harbor is under fire, with the European Commission recommending in late 2013 13 ways in which the program should be updated. At the time, a deadline of summer of 2014 was given for the United States to respond. Essentially, the U.S. has addressed 12 of the 13 recommendations, with the Obama administration even going so far as to propose that EU citizens have a right of redress in U.S. courts on personal data use matters.
However, the access by the U.S. government to EU citizen data for purposes of defense intelligence remains a sticking point.
Many observers thought the Schrems case would not be taken up by the ECJ until the fall of this year at the earliest, so this indication that it might be taken up in March could indicate a prioritization of Safe Harbor on the part of the court.
"There is always much speculation about Safe Harbor, particularly because some in Europe would like to see it radically amended or even terminated," said Eduardo Ustaran, CIPP/E, partner at Hogan Lovells. "The decision by the ECJ will be extremely important because of the court's role as the ultimate interpreter of EU data protection law. So, effectively, what the ECJ decides may settle the matter forever."
However, FTC Commissioner Julie Brill said she thinks, "it is too early to tell whether the court will decide the case on the larger issue concerning the allegation that the U.S.-EU Safe Harbor framework violates European law, or whether the court will decide the case based on other issues ... There are a number of different paths that the ECJ could take in deciding the case."
Ustaran agreed with that last point. "The risk is that the outcome of the decision could cause EU data protection authorities to go in different directions in terms of accepting the validity of Safe Harbor," he said. "This would only contribute to the uncertainty we see today. The Commission cannot obviously interfere with the judicial process, but I am sure the ECJ appreciates the economic and political implications of their decision."
Without the Safe Harbor framework, companies would be forced into going the route of Binding Corporate Rules, which can be an expensive operation, or using model contracts, which can be constricting, for every data transfer. Smaller firms, particularly, would have trouble navigating a world without Safe Harbor.
As former CNIL head Yann Padova points out in a piece for Euractiv, "According to a European Commission study, 51 percent of companies that are Safe Harbor-certified process HR data of employees residing in Europe. Therefore, Safe Harbor is a legal mechanism used daily by a large number of European companies. This is why, according to certain studies cited by the Commission, disrupting transatlantic data flows could have a recessionary effect of between -0.8% and -1.3% of the EU's GDP."
That is certainly a substantial potential impact of the court's decision.
However, "I am still hopeful," said Ustaran, "that the U.S. government and the European Commission will find a way of updating the Safe Harbor model in a way that achieves the dual purpose of this tool: facilitating trade and data flows, and protecting valuable personal information. If there is political will to agree a solution, it is definitely doable, in my view."
It's possible that the ECJ's decision forces their hand. Should it start hearing the case next month, observers say a resolution by fall is likely.
"The case is certainly one that I am watching," said Brill.
As will the rest of the privacy community.