Despite heavy industry lobbying to secure the EU-US Privacy Shield deal, only 103 companies have so far signed up to the agreement—representing a fraction of the 5,526 signatories to the defunct Safe Harbour framework.

Privacy Shield came into force a month ago but, so far, the only well-known tech names on the list are Microsoft and Salesforce, while Google has submitted its "certification to the US department of commerce for approval."

The likes of Facebook, Apple, and Twitter—all of which previously signed up to Safe Harbour—are yet to adopt Privacy Shield, however.

On July 12, the European Commission adopted the new deal to facilitate the transfer of personal data from the EU to the US. The arrangement was necessary because the US doesn't meet the data protection standards required by Europe, and the previous workaround was annulled by the European Court of Justice last October.

Privacy Shield is a voluntary scheme, whereby companies promise to treat European citizens' personal data in compliance with European Union data rules. Those pledges are then enforced by the US department of commerce.

According to the commission, the department of commerce is currently reviewing the privacy policies of 190 further firms that want to sign up, while an additional 250 companies are in the process of submitting their applications.

Model clauses

Max Schrems—whose case brought down the Safe Harbour scheme—believes, however, that a vast number of companies are relying on model clauses for transatlantic data transfers.

The commission had advised that model clauses should be used by firms during the limbo period between the final days of Safe Harbour and setting up Privacy Shield.

"I guess there are also a lot that are still in the 'wait and see' position," Schrems told Ars. "And, of course, many just don’t give a shit. Many of these 5,500 companies probably just signed up for some project and never cared afterwards. I think the number of sign-ups is actually quite good, given that everyone that really cared put model contracts in place in the last year and it's not a major topic for many of these 5,500," he added.

Companies relying on model clauses shouldn't get too comfortable, however, as Schrems has taken another case to the Irish data protection watchdog. He argues that model clauses fail to offer sufficient data protection.

He also has doubts about the reliability of Privacy Shield. Schrems said:

I am more surprised that companies like Microsoft are implementing, what is meant to be a 'high standard' in a matter of four weeks or so. I think it’s fair to say, it cannot be very different from Safe Harbour if this switch is possible in almost no time, knowing how long implementation of compliance mechanisms typically take.

Christian Borggreen, international policy director at the Computer & Communications Industry Association, agreed that it takes time: "In just one month, the US department of commerce has already approved more than a hundred company applications with two hundred more in the pipeline.

"Companies obviously need time to review and implement Privacy Shield's very stringent privacy obligations. Companies are actually joining Privacy Shield faster than its predecessor where it took an entire 15 years to get to 5,526 participants."

European justice commissioner Věra Jourová said she was “pleased that many companies have already signed up and brought their privacy policies in line with the Privacy Shield. I encourage many others to continue to do so to ensure Europeans can have full confidence in the protection of their personal data when transferred to the US.”

Assistant European Data Protection Supervisor Wojciech Wiewiórowski told Ars:

It is quite hard to assess the whole construction proposed by the European Commission and its American counterparts after just weeks of existence. The Safe Harbour scheme was not an immediate success at once. Bearing in mind a complicated nature of documents negotiated between EU and US as well as doubts and reservations of data protection authorities, we are not surprised it takes 'a while' for organisations to decide if they want to join the scheme or not. The EDPS continues to observe the practice of Privacy Shield remembering that its predecessor—Safe Harbour—was used by some of the entities co-operating with EU institutions, bodies, and agencies.

The EU's data regulators have vowed to give the now-adopted Privacy Shield framework a thorough appraisal the first chance they get—in one year’s time.

This story was updated after publication to note that Google had signed up to Privacy Shield just a few days ago, on August 29, and is awaiting approval from the US department of commerce.

