
Slow response to Privacy Shield EU-US data transfer programme

Only 40 US firms have been certified under the Privacy Shield transatlantic data transfer programme, but this is expected to gain momentum

In the two weeks since the EU-US Privacy Shield data transfer certification process officially opened, applications by US companies have been slow.

Only 40 US companies have been certified since the US Department of Commerce began accepting applications on 1 August 2016, according to the agency.

The agency said that around 200 applications are currently being processed, but that is well below the 4,000 companies certified under the former Safe Harbour agreement for transatlantic data transfers, according to the Wall Street Journal (WSJ).

The European Commission adopted the framework for certifying US companies as being compliant with EU data protection regulations to enable data transfer between the EU and the US.

Privacy Shield was developed in consultation with the US to replace Safe Harbour after it was declared invalid by the Court of Justice of the European Union (CJEU).

Despite the framework’s adoption by the European Commission, many companies looked to the Article 29 Working Party (WP29) of European privacy regulators for assurance.

Although the WP29 approved the framework in late July, providing some comfort, the regulators indicated that concerns remain about the commercial aspects and the access by US public authorities to data transferred from the EU.

“The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed,” the regulators said.

“When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.”

This means that while the regulators will let the process run for the next year, the first review of the framework may bring changes.

Slow uptake of Privacy Shield

Uncertainty about how the framework may change, as well as concerns that Privacy Shield may yet be challenged by privacy advocates in the same way that the Safe Harbour agreement was challenged, has resulted in relatively few companies rushing to apply for certification.

However, privacy experts expect applications for Privacy Shield certification to grow steadily in the coming months, according to the WSJ, especially if European companies begin to favour Privacy Shield certified companies in competitive bids.

Another reason there has been no rush to apply for certification is that many US companies waited for Privacy Shield to be adopted and approved before starting work on changing their data handling processes to comply with the new framework.

As this work is completed, more US companies will be in a position to apply and join the early adopters, which include Microsoft, Workday and

Microsoft applied for Privacy Shield certification on 1 August 2016, according to the WSJ, but is also using standard contractual clauses (SCCs) to strengthen Microsoft’s competitive position.


Most US companies have relied on SCCs and binding corporate rules (BCRs) to carry them through the post-Safe Harbour period.

However, SCCs and BCRs – like Privacy Shield – could potentially face legal challenges by privacy campaigners.

In approving Privacy Shield, the WP29 also warned that the results of the first joint review regarding access by US public authorities to data transferred under Privacy Shield may also affect SCCs and BCRs.

Eduardo Ustaran, partner and European head of privacy and cyber security at law firm Hogan Lovells, said the WP29 statement means businesses will have to take a view on whether Privacy Shield is robust enough, knowing there is not 100% certainty.

“However, taking everything into account, a degree of consensus is likely to build up in favour of Privacy Shield as a valid mechanism for transfers of data to the US,” Ustaran told Computer Weekly.

All in all, the uncertainty about the long-term acceptance of Privacy Shield is set to be prolonged, he said. “But on a positive note, the EU regulators appear willing to work with all the parties involved to make it work,” he added.
