More Companies in EU-U.S. Data Transfer Plan at Deadline

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Sept. 29 — Microsoft Corp. and Alphabet Inc.'s Google are among the nearly 300 companies the Department of Commerce has listed in the European Union-U.S. Privacy Shield data transfer program certification list in advance of Sept. 30 safe harbor deadline.

Ted Dean, deputy assistant secretary for services at the U.S. Department of Commerce International Trade Administration—which administers the program—told Bloomberg BNA Sept. 29 that as the deadline approaches more companies will submit their certification under the program. Nearly 300 companies are posted on the Privacy Shield web site and there are “hundreds more which have completed certification and are pending review,” he said.

It has taken time for companies to adopt the Privacy Shield because “there are new privacy protections” that take time to implement, Dean said. As time progresses, we “expect growth” in the number of companies that certify under the Privacy Shield, he said.

Companies that certify with the U.S. Department of Commerce by the Sept. 30 deadline will receive a nine-month window to bring existing commercial relationships fully in conformity with the Accountability for Onward Transfer Principle. The Onward Transfer Principle is the notion that a data controller must ensure that third parties have the same level of data protection as required under the Privacy Shield.


If companies want to take advantage of the nine-month reprieve they “have to file by the Sept. 30 deadline,” Dean said. These companies may not be posted on the Privacy Shield website by that date but they do have to submit a “completed certification by the deadline,” he said.

However, not all companies may find the need the certify with Commerce before that deadline.

Phil Lee, privacy partner at Fieldfisher and head of the firm's Palo Alto, Calif. office, told Bloomberg BNA Sept. 29 that a company needs to evaluate its “specific circumstances” before rushing to file by Sept. 30.

If a company has found another data transfer mechanism that works for it—such as standard contractual clauses or binding corporate rules—“then there is little incentive to want to pursue the Shield, either before or after the 30th,” Lee said.

Companies should still be prepared for increased privacy protections for data transferred to the EU, regardless whether or not they certify under the Privacy Shield. Companies that don't certify or ignore EU data transfer rules may face regulatory fines on both sides of the Atlantic.

Should Companies Certify?

Before rushing to sign up before the Sept. 30 deadline passes, companies should do a deep dive and consider which data transfer mechanism is best for the company.

Lee said that consumer-facing companies that “wholly operate out of the U.S.” won't be able to rely on other data transfer “solutions like SCCs or BCRs” because those mechanisms are usually reserved to EU member countries. If that is the case, “it makes perfect sense to certify before the Sept. 30 deadline in order to take advantage” of the nine-month grace period.

Companies also “have to keep in mind that the longevity of the Privacy Shield is not yet proven,” Lee said. The framework is “certainly going to be subject to challenges” and will “almost guaranteed undergo at least some changes during the annual review between Commerce and the European Commission,” he said.

Weighing the positives with the negatives of complying with the Privacy Shield is necessary, Lee said. “Joining the Shield is certainly not a decision that should be taken lightly,” he said.

Bruce Perlman, senior vice president at corporate relocation company Cartus Corp. in Danbury, Conn., told Bloomberg BNA Sept. 29 that there “seems to be some concern in the U.S. about whether the Privacy Shield will remain in place.” Multiple companies have approached Cartus for advice on whether to sign up under the program, he said.

Whether or not the Privacy Shield will last is a reason that other companies haven't yet signed up under the framework, Perlman said.

Companies Satisfied

Companies have been satisfied with the certification process and are actively using the nine-month period to analyze existing commercial contracts to make sure they are in line with the Onward Data Transfer Principle.

The nine-month window was “one of the several reasons” Cartus, part of Realogy Holding Corp., was “one of the first to file for Privacy Shield status,” Perlman said. Although Cartus already has “strong privacy and data security” in “existing vendor contracts,” the nine-month window will help the company “further refine those provisions,” he said.

Realogy is the second largest public real estate brokerage company in the U.S. with a $3.79 billion market capitalization, Bloomberg data show.

Lee said that most companies that have joined the Privacy Shield program so far are “generally” happy.

However, their decision to join the Privacy Shield may be “sales-driven,” Lee said. Companies are “told by their sales teams that getting Shield certified is important to close European deals,” he said.

Those that have certified so far “are finding that it abates some their European customers' concerns,” Lee said. For that reason, “those that have gone through the process do seem satisfied,” he said.

Dean agreed that EU companies may view U.S. companies that certify under the Privacy Shield as an attractive business partner. Commerce “expects that companies in Europe will look for U.S. companies that have the Privacy Shield,” he said.

There is definitely a strong “commercial incentive to use the Privacy Shield,” Dean said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editors responsible for this story: Donald G. Aplin at ; George R. Lynch at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.