There are now 200 companies standing behind Privacy Shield, the framework agreement allowing businesses to process the personal information of European Union citizens on servers in the U.S.
Companies must register with the International Trade Administration of the U.S. Department of Commerce to be covered. It’s a self-certification process, so the ITA is only checking that the forms are filled in correctly, not that companies are necessarily complying with all 13,894 words of the rules. The Privacy Shield rules are needed to ensure that EU citizens’ personal information is afforded the same legal protection in the U.S. as required under EU law.
The ITA began processing applications on Aug. 1, and by Aug. 26 had accepted 90, relating to a total of 200 companies including “additional covered entities.”
Two you might have heard of are Microsoft and Salesforce.
Microsoft’s promise to play by the Privacy Shield rules covers data processed by its Caribbean, Indian, Licensing, Mobile, Online, Regional Sales and Technology Licensing divisions as well as the main company.
But that same registration also says EU citizens’ data could be handled by a dozen partially digested acquisitions: Acompli, bought in 2014 to enhance the mobile clients for Outlook; Blue Stripe Software, a cloud management company it picked up in 2015; Android lock-screen maker Double Labs; e-discovery specialist Equivio; FieldOne Systems, an addition to its Dynamics CRM; sales gamification startup Incent Games; cloud monitor MetricsHub; customer self-service portal maker Parature; big data analytics platform maker Revolution Analytics; calendar app Sunrise Atelier; online mapping toolmaker Vexcel, and organizational analytics company VoloMetrix.
Salesforce.com’s registration is simpler: It covers “Salesforce.com, inc. and its U.S. subsidiaries.”
Privacy Shield is the successor to the Safe Harbor framework, which covered transatlantic data transfers from July 2000 until October 2015, when the Court of Justice of the European Union ruled that it provided inadequate protection for Europeans’ privacy rights.
Some 5,534 organizations signed up to Safe Harbor before the court ruling came, with the certification status still listed as “current” for 3,375 of them.
If the ITA continues to process self-certifications at the current rate then it could take two years or more before all those who sheltered in Safe Harbor are defended by Privacy Shield.
One company notably not on the Privacy Shield list yet is Facebook. Its Safe Harbor registration indirectly led to the framework’s collapse, after a complaint to the Irish Data Protection Commissioner about its privacy policy resulted in a legal question about Safe Harbor being referred to the CJEU.
Since the CJEU ruling, Facebook has maintained that it was not reliant on Safe Harbor, and that other legal mechanisms allow it to process EU citizens’ personal information in the U.S.