In the two weeks since the EU-US Privacy Shield data transfer certification process officially opened, applications by US companies has been slow.

Only 40 US companies have been certified since the US Department of Commerce began accepting applications on 1 August 2016, according to the agency.

The agency said that around 200 applications are currently being processed, but that is well below the 4,000 companies certified under the former Safe Harbour agreement for transatlantic data transfers, according to the Wall Street Journal (WSJ).

The European Commission adopted the framework for certifying US companies as being compliant with EU data protection regulations to enable data transfer between the EU and the US.

Privacy Shield was developed in consultation with the US to replace Safe Harbour after it was declared invalid by the Court of Justice of the European Union (CJEU).

Despite the framework’s adoption by the European Commission, many companies looked to the Article 29 Working Party (WP29) of European privacy regulators for assurance.

Although the WP29 approved the framework in late July, providing some comfort, the regulators indicated that concerns remain about the commercial aspects and the access by US public authorities to data transferred from the EU.

“The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed,” the regulators said.

“When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.”

This means that while the regulators will let the process run for the next year, the first review of the framework may bring changes.