Tentative take-up of Privacy Shield



Only 35 companies have so far been certified to the EU-US Privacy Shield, which became operational on 1 August. The programme has stricter requirements than its predecessor, Safe Harbor, which in the end had some 5,500 participants. However, large organisations’ privacy programs, if fully compliant with the former Safe Harbor programme, are likely to need only relatively minor adjustments to what they currently have in place.

There is still legal uncertainty surrounding the agreement. There could be a legal challenge in European Courts in individual countries which ultimately go to the Court of Justice of the European Union. While the EU DPAs’ common position in the EU Art. 29 Data Protection Working Party is that they would give it a year to see how the programme works, some individual DPAs are not so lenient. In Germany, Hamburg’s DPA is already planning to challenge the Privacy Shield.

The current list of 35 does not include large multinationals apart from Microsoft and Salesforce. Google is understood to be in the process of signing up. It has been reported that the US Department of Commerce, which issues the certifications, is dealing with some 200 applications from US companies.

See the list of certified companies.