Microsoft, Salesforce among first certified companies under US-EU Privacy Shield

According to the The Wall Street Journal, roughly 40 US companies have now signed on to the US-EU “Privacy Shield” agreement, introduced earlier this year to succeed the now-invalid Safe Harbor agreement, which had been in place for decades. The Safe Harbor agreement allowed transfer and processing of data between servers in the US and Europe.

Safe Harbor was invalidated by the European Court of Justice in October 2015 because of the perceived risk of US government spying on EU data. In the wake of that decision, US companies doing business in Europe were suddenly in a state of legal limbo.

The new arrangement, worked out earlier this year, imposes a range of new safeguards for European data being processed on US servers:

• US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.
• The US has given the EU assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight.
• Any European who believes their data has been misused under the new arrangement will have several redress possibilities
• There will be a dedicated new Ombudsperson role in the US State Department to address complaints from European privacy regulators on behalf of individuals.

The US Commerce Department released the names of some of the companies now in compliance with the Privacy Shield rules. They include Microsoft and Salesforce. Presumably, numerous others, such as Google and Facebook, will follow shortly. It’s reported that more than 200 applications are now being processed by the Commerce Department.

Companies doing business in Europe or with EU citizens (even indirectly) will either need to be certified under Privacy Shield or make alternative arrangements to comply with European data protection rules.

There’s still a possibility that the new Privacy Shield regime will be challenged in European courts by privacy skeptics who believe it doesn’t go far enough to protect European data.