Microsoft, Salesforce Lead EU Data Transfer Certification

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Aug. 15 — Microsoft Corp. and Salesforce Inc. are among the first companies certified under the recently opened EU-U.S. Privacy Shield data transfer program.

A U.S. Department of Commerce spokesman told Bloomberg BNA Aug. 15 that a total of 36 companies and their related entities have been certified under the program. Commerce is “reviewing nearly 200 additional pending certifications and are expecting hundreds more in the coming weeks,” he said. Commerce began taking applications Aug. 1.

The Privacy Shield is a replacement for the now defunct U.S.-EU Safe Harbor Program. Over 4,400 U.S. companies were self-certified with Commerce under the Safe Harbor and thousands of EU companies also relied on those certifications to send personal data to those companies.

There is strong compliance motivation for companies to become Privacy Shield early adopters. Companies that sign up before Sept. 30, will have a nine month grace period from the date they certify to meet the new requirement that their third party business partners will ensure privacy, according to the Department of Commerce's Privacy Shield website.

Matt Gonzales, compliance manager at Dallas-based e-mail verification company Kickbox Inc., told Bloomberg BNA Aug. 15 that “the Privacy Shield has put the company and our customers at ease.” Being certified under the Privacy Shield shows “that the customers can trust our company,” he said.

Privacy Shield certification “is the status quo for our customers,” Gonzales said. Kickbox was previously certified under the now defunct U.S.-EU Safe Harbor program and is one of the 36 companies certified under the replacement Privacy Shield.

Framework Plan Upgraded

EU and U.S. officials approved July 12 the new trans-Atlantic data transfer pact (15 PVLR 1478, 7/18/16).

The U.S.-EU Safe Harbor Program, was invalidated by the European Court of Justice—the EU's top court—in October 2015 on the basis that it failed to sufficiently protect the privacy of EU data subjects (14 PVLR 1825, 10/12/15).

The European Commission, the EU's executive arm, worked to secure changes in the framework agreement to better protect personal data from potential U.S. government surveillance. The Privacy Shield, as well as an amendment to the U.S. Privacy Act, gives EU citizens greater rights to seek legal redress from alleged improper use of their data by the U.S. government.

Big Tech Leads the Way

Major U.S. tech companies highlighted the first group of companies certified Aug. 12.

Microsoft was one of the first companies to sign up for the Privacy Shield, the company said in a statement obtained by Bloomberg BNA. “Any data which we will transfer from Europe to the United States will be protected by the Privacy Shield’s safeguards,” the technology giant said in the statement.

Microsoft is the third largest technology company in the world with a market capitalization of $451.5 billion, Bloomberg data show.

A Salesforce spokeswoman told Bloomberg BNA Aug. 15 that the company “commends the U.S. and EU governments for their work” on the Privacy Shield. In addition to the Privacy Shield framework, it uses “binding corporate rules” and “EU standard contractual clauses,” the spokeswoman said.

The San Francisco-based cloud computing company is the “only top 10 software company in the world to have all three legal mechanisms for data transfer between the EU and U.S.,” she said.

Salesforce is the eighth largest application software company with a market capitalization if $55.3 billion, Bloomberg data show.

Easy, Hands-On Process

For those who many be worried about the complexities of a new cross-border data transfer mechanism may put this worry aside, Gonzalez said.

The Privacy Shield certification process “is fairly straight forward,” he said. Commerce's website provides companies that certified under Safe Harbor with “a checklist to go through” the prior certification “and adapt,” he said.

Although there were “some minor glitches, you would expect these with a new program,” Gonzales said. The hardest part about the Privacy Shield was “accommodating the HR privacy policy for our EU employees.” It was “only difficult in time, not in complexity,” he said.

Gonzales also said that the Privacy Shield certification review time is also very hands on. Within three days of submission, “a reviewer reached out to the company to make updates to our certification,” he said. Gonzales “thought it was going to be a more bureaucratic process, but the issue was resolved” in time for the Aug. 12 certification.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.