Data Transfer Zombies May Haunt U.S. Companies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Oct. 27 — U.S. companies that previously certified under a defunct U.S.-EU data transfer system will be stuck on a government website indefinitely, in a state of suspended animation.

Companies on the U.S.-European Union Safe Harbor list will be data transfer zombies—stuck on the U.S. Department of Commerce's website, without recourse to remove themselves from the publicly available list.

With the roll out of the EU-U.S. Privacy Shield Aug. 1, which replaces Safe Harbor, Commerce announced that it would no longer accept certifications under Safe Harbor and wouldn't accept recertifications as of Halloween—Oct. 31. But the Safe Harbor website list will be available online indefinitely, the department said.

There's no getting off the Safe Harbor list but companies that “self-certified to the Safe Harbor Framework will continue to be able to withdraw from the program after Oct. 31,” a Commerce official told Bloomberg BNA. The “U.S-EU certified through date, which is visible on the Safe Harbor List,” will show the withdrawal date, the official said.


Companies that join the Privacy Shield “will be withdrawn from the Safe Harbor Framework by default,” the official said.

Lothar Determann, privacy partner at Baker & McKenzie LLP in Palo Alto, Calif., told Bloomberg BNA that the process of perpetual Safe Harbor listing is like the classic rock song that refuses to die, “Hotel California,” which famously states “you can check out any time you'd like, but you can never leave.” Even if a company withdraws from Safe Harbor, they “will remain on the list until the Commerce Department takes down the list—which is apparently not planned,” he said.

The Privacy Shield replaced the Safe Harbor, which was invalidated by the EU's top court in October 2015. The court said Safe Harbor failed to sufficiently protect the privacy of EU data subjects. Over 4,400 U.S. companies were self-certified with Commerce under the Safe Harbor and thousands of EU companies also relied on those certifications to send personal data to those companies.

As of Oct. 26, the Commerce Department “has finalized the Privacy Shield certifications of over 580 organizations” and “more than 1,500 companies have submitted self-certifications to the” Privacy Shield website, the Commerce official said.

Whether the Privacy Shield is immune from the same fate as Safe Harbor is uncertain.

Additionally, companies previously registered under Safe Harbor may not want to completely abandon the data transfer regime because they may have more robust data privacy protections due to their compliance under the Safe Harbor Principles, the privacy professionals said.

Gone but Not Forgotten

Even if companies are left on the Safe Harbor list indefinitely, or if the Privacy Shield is ever invalidated, they “should continue to document their annual self assessments under the Safe Harbor Principles,” Determann said.

Companies should also include the principles of the Privacy Shield and the new EU privacy regime under the General Data Protection Regulation into their self-assessment programs, Determann said. The Safe Harbor-inspired “self assessments are an excellent measure for companies to check, document and enhance their data privacy and security programs and mitigate risks,” he said.

However, companies should remain aware that the “Privacy Shield Principles require companies to re-certify indefinitely for data they receive in reliance on the program—even after they leave,” he said.

Companies that decide to leave the Privacy Shield “may de-register at any time but would have to continue to self-assess and re-certify annually regarding data they have previously collected in reliance on the program,” Determann said.

Even if a company can't leave Safe Harbor or the Privacy Shield, there may be benefits to entering either data transfer system in the first place.

Karen L. Neuman, privacy partner at Goodwin Procter LLP in Washington, told Bloomberg BNA that “companies certified under Safe Harbor have already done an initial analysis of their privacy programs so they aren't starting from scratch.” Although the Privacy Shield isn't “Safe Harbor 2.0,” it does give companies “a platform from which to do their Privacy Shield analysis,” she said.

Determann agreed that “U.S. companies in the Safe Harbor program” are in “much better shape compliance-wise.”

Escape to the Shield

Companies that decide that the Privacy Shield data transfer program fits their business needs will have an advantage over those who don't think about their data transfer methods at all.

Neuman, who also served as the former chief privacy officer for the U.S. Department of Homeland Security, said that “a benefit of participating in the Privacy Shield is that it gives companies the opportunity to familiarize themselves with their data practices.” It also helps companies ensure those practices align” with the Privacy Shield principles, such as “data minimization, purpose limitation and reasonable retention practices,” she said.

Companies that have to think about how they collect and use data is “a good thing,” Neuman said.

Additionally, companies have said that “it has been a relatively positive experience” so far under the Privacy Shield, Neuman said. The Privacy Shield has “settled the playing field in legal uncertainty and gives companies some legal certainty in the near term,” she said.

Privacy Shield's Fate Uncertain

Although many companies have found refuge in the Privacy Shield, whether it will hold up to court challenges remains to be seen. Privacy analysts have predicted that a court challenge to the Privacy Shield is inevitable.

EU privacy regulators, however, have taken a more wait-and-see approach to future the Privacy Shield.

Isabelle Falque-Pierrotin, the chairman of the Article 29 Working Party of data protection officials from the 28 EU countries, has said that privacy regulators “still have concerns” over the Privacy Shield's adequacy. The group will wait until after summer 2017 to review the agreement. This opens the door for future court and regulatory challenges.

Although the data protection officials won't review the program until 2017, if there are complaints, the officials “will have to answer,” she said.

With strong corporate interest in the Privacy Shield, any future challenge to the program may have immense impact on how large companies—such as Inc., Alphabet Inc.'s Google and Apple Inc.—conduct and plan for cross-border data transfers.

Neuman said that even with some “some uncertainty around the Privacy Shield, the fact negotiators took a legal challenge into account during negotiations and concluded an agreement has a positive impact in the global digital economy.”

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security