Skip to main content

View more from News & Articles or Primerus Weekly

About 2 weeks after the announced start of the certification procedure under the European Union (EU)-United States (US) Privacy Shield (Privacy Shield) on August 1, 2016, the U.S. Department of Commerce (USDOC) officially granted certification status to a first set of approximately forty US-based multinational companies. Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the EU and the US. The EU-US Privacy Shield is a replacement for the US-EU Safe Harbor, which was declared invalid by the European Court of Justice in October 2015

According to an USDOC spokesperson, “nearly 200 additional [Privacy Shield] certifications” are still pending and hundreds more are expected. According to the publicly accessible Privacy Shield list, companies already approved under the new framework are predominantly major US technology companies, such as Microsoft and Salesforce.

Companies that have not yet registered, but plan to do so, should consider signing up by September 30: for those submitting their certification by September 30, the USDOC grants a grace period of nine months from the date of certification to meet the necessary compliance requirements.

Not using Privacy Shield, or another currently available mechanism, to transfer data to the United States may be costly. For example, on June 2016, the data protection authority of Hamburg, Germany announced that, following a review of thirty-five international organizations based in Hamburg, it fined three companies for unlawful transfers of personal data from the EU to the US: Adobe – fined EUR 8,000; Punica – fined EUR 9,000; and Unilever – fined EUR 11,000. The fines could have been anything up to EUR 300,000.

Scrutiny is not limited to EU-US transfers. In July, the US Federal Trade Commission (FTC) issued warning letters to twenty-eight companies that claimed certified participation in the Asia-Pacific Economic Cooperative (APEC) Cross-Border Privacy Rules system on their websites but did not appear to have met the requirements to make that claim.

Key Takeaway.  Any business that transfers personal data to the US from another country should ensure that it is following requirements for transferring such data.

Please contact Khizar A. Sheikh, Esq. ( or 973-243-7980) for more information.