Back on February 12th 2015, Max Schrems, the Austrian law student who began Europe v. Facebook, posted a tweet suggesting that the Court of Justice of the European Union (CJEU) may hear his case as soon as this month. Since then, the case has been scheduled for a hearing on 24 March.
The case concerns whether U.S. intelligence programs such as PRISM, which involve sharing by U.S. companies of EU citizen data with organizations like the National Security Agency (NSA), violate the fundamental rights of those citizens. Schrems filed a claim against the Irish Data Protection Authority alleging that Facebook fails to protect personal data in accordance with European privacy laws because when it transfers personal data to its parent company in the U.S., such personal data is capable of being accessed by the NSA. Schrems initially brought the case against Facebook to the Irish data protection agency, where Facebook has its European headquarters. However, when the agency rejected his case, Schrems sued the agency in Irish court, which then referred the case to the CJEU to decide. If the CJEU finds that such intelligence programs do violate fundamental rights, then Safe Harbor could be invalidated as a means of cross-border data transfer between the EU and U.S.
Safe Harbor is already under substantial criticism. In 2013, the European Commission recommended 13 ways in which the framework should be updated by summer of 2014. The U.S. has addressed 12 of the 13 recommendations. However, U.S. government access to EU citizen data for purposes of defense intelligence remains a sticking point.
Many observers thought the case would not be considered until fall of 2015 at the earliest. However, because the CJEU will hear the case this month, it appears that it is prioritizing Safe Harbor. The decision could be very important because of the court’s role as the ultimate interpreter of EU data protection law. It may be too early to tell whether the CJEU will decide the case on the larger issue concerning the claim that the Safe Harbor framework violates European law, or whether the court will decide the case based on other issues.
According to a European Commission study, 51 percent of companies that are Safe Harbor certified process human resources data of EU employees. Safe Harbor is therefore a legal mechanism used daily by a large number of European companies. If Safe Harbor is abolished, companies would be obliged to use Binding Corporate Rules, which can be expensive, or model contracts, which can be very constricting. Smaller firms, particularly, would have trouble operating in a world without Safe Harbor.
Reporters are still optimistic that the U.S. government and the European Commission will find a way of updating the Safe Harbor framework in a way that achieves the dual purpose of the framework, enabling trade and data flows and protecting individuals’ personal information. As the case is being heard this month, a resolution by fall 2015 is likely.