privacy_shieldIt’s been another exciting week of developments for U.S. companies on the EU data transfer front. From the first company to indicate that it will certify under Privacy Shield, to the first European Data Protection Authority (DPA) to suggest that it would like to challenge the validity of the new framework, here are this week’s Privacy Shield developments:

The Department of Commerce begins accepting Privacy Shield Applications. As of August 1, 2016, the Department of Commerce began accepting Privacy Shield self-certification applications. While it is unclear when the Department of Commerce will update its Privacy Shield list, at least one notable U.S. company, Microsoft, has already updated its privacy policy, indicating that it participates in the framework.

The European Commission Issues Guide to Privacy Shield. The European Commission issued a Guide to the EU-U.S. Privacy Shield for EU data subjects explaining rights and remedies under the new framework. Although the guide is directed at EU citizens, it can also help companies understand how Privacy Shield works, the obligations a company has under the framework, and consumer rights with respect to company use of personal data.

Hamburg DPA Expresses Interest in Challenging Privacy Shield. The Hamburg DPA suggested it may challenge the validity of the framework stating, If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.” This comes after the July 26 statement by the Article 29 Working Party committing itself to assisting EU data subjects exercising their rights under the Privacy Shield framework. The Working Party stated that it would undertake a more comprehensive review of Privacy Shield a year from August 1, 2016. Many privacy advocates read the July 26 statement as a moratorium on Privacy Shield legal challenges and a promising step toward legal certainty regarding the new framework. This latest development by the Hamburg DPA, however, seems to suggest otherwise.