Privacy Shield certifications begin trickling in

The U.S. Department of Commerce is not just rubber-stamping applications to join the new Privacy Shield data protection program: 24 hours after companies began certifying their compliance, the administration's website still listed no approvals.

Microsoft was among the first businesses to certify that it complied with the new rules for transferring European Union citizens' personal information to the U.S. when the Commerce Department's International Trade Administration began accepting applications on Monday.

"We expect it to be approved in the coming days," Microsoft Vice President for EU Government Affairs John Frank wrote on a company blog.

The company isn't waiting for official approval to begin applying the new rules, he said. "Going forward, any data which we will transfer from Europe to the U.S. will be protected by the Privacy Shield’s safeguards."

Workday, a provider of cloud-based HR and finance services, also submitted its self-certification Monday, it said.

The ITA will have its work cut out if all the organizations that self-certified under Privacy Shield's predecessor, the Safe Harbor Framework, choose to re-register. Some 5,534 organizations signed up to Safe Harbor during its 16-year lifespan, with the certification status still listed as "current" for 3,375 of them.

Safe Harbor was ruled inadequate by the Court of Justice of the EU last October, forcing EU and U.S. officials to come up with replacement rules to allow the transatlantic flow of personal information to continue legally. Many multinational businesses are reliant on such transfers for internal functions, such as payroll processing, or for processing customer information.

EU and U.S. officials agreed the new rules on July 12, and the Commerce Department said it would begin accepting certifications from Aug. 1. It set out a five-point plan for organizations to ensure their self-certifications can be accepted.

First up, they must be sure they are eligible to participate: Banks and telecommunications operators, for example, aren't covered by the program. Next, they must develop a clear, concise privacy policy that meets all the Privacy Shield Principles. The policy must identify the independent recourse mechanism an organization will use in case of dispute, typically either a U.S.-based arbitration service or an agreement to work with European data protection authorities. Self-certifiers must also set out how they plan to verify they are in compliance. Finally, they must designate a Privacy Shield contact -- someone who will be able to respond to complaints within 45 days.

Although businesses self-certify their compliance with the Privacy Shield rules, the process isn't free.

The Commerce Department charges a fee for processing their annual applications and adding them to the register. The processing fee ranges from $250 for organizations with revenue under US$5 million up to $3,250 for those with revenue over $5 billion.

On top of that, organizations will have to pay to join an arbitration service or to cover the costs of data protection authorities dealing with complaints.