Participation in the EU-U.S. Privacy Shield framework tripled during its second month, with 304 companies included on the Privacy Shield List as of close of business at the end of September, not counting subsidiary or affiliated companies of the primary participants. Of the 304 companies, only 77, or 25%, joined to cover transfers of HR data, compared to the 50% or more that did so through Safe Harbor, and only a handful joined solely for HR data. Large or well-known companies on the List are few and far between: Dun & Bradstreet, Dropbox, Facebook, Google, Microsoft, Northrop Grumman, Oracle and Salesforce, with only Google, Microsoft, Northrop Grumman and Oracle joining for HR data. In summary, after two months of receiving certifications, Privacy Shield has emerged as a transfer mechanism overwhelmingly used by smaller niche companies to legalize the import of non-HR data from Europe.
Guidance relating to Privacy Shield emerged in the EU during September, with the European Commission issuing a 24-page Guide to the EU-U.S. Privacy Shield geared towards educating individuals about their rights under the framework and how to exercise them, and the Data Protection Authority of the German state of North Rhine-Westphalia issuing the first DPA-crafted FAQs on Privacy Shield and how it will be strictly enforced and supplemented. Finally, as a small demonstration of some of the complexity inherent in interpretation of data transfer requirements, as well as proof that not all the facts asserted in posts to The National Law Review should be taken at face value, we have the following September 22 statement: “Data regulators have (for now) rejected the EU-U.S. Privacy Shield agreement…”