Vera Jourova, EU commissioner

This time last year, 4,500 companies, including some in the travel sector, were trapped in legal limbo after the European Court of Justice invalidated Safe Harbor, the framework through which U.S. businesses protect personal data to European Union standards. The ECJ had ruled that Safe Harbor failed to provide oversight of whether those companies really met the standards they claimed and that in any case, no data exported to the United States could be considered safe from indiscriminate access by government agencies.

U.S. and EU officials, the latter led by Jourova, a Czech politician who has been a European commissioner since 2014, scurried to find a successor. In February, they announced Privacy Shield, which took effect in August. Privacy Shield enables improved oversight by data protection commissioners, places greater constraints on U.S. government access to EU nationals' personal data and makes the commitments of those companies that sign up enforceable under U.S. law.

As of Dec. 9, 1,217 U.S. entities had completed the certification process. World Travel was the first travel company to be named. Balboa Travel, Expensify, Ovation Travel Group TripBam and Oversight Systems have followed. However, corporate travel's biggest U.S. names—including Sabre, Travelport, Concur (and German parent SAP), Carlson Wagonlit Travel, American Express Global Business Travel and BCD Travel—are absent. The last two are skeptical of Privacy Shield, asserting that other data-protection mechanisms like Binding Corporate Rules and Model Contractual Clauses are more robust.

For now, U.S. travel companies have various legal options through which they can assure they export EU-based travelers' personal data to the United States in compliant fashion. But two lawsuits have challenged the validity of Privacy Shield, and EU data commissioners will review all data transfer mechanisms in July 2017. Meanwhile, U.S. President-elect Donald Trump indicated a low opinion of EU-style privacy rights during his campaign. That led Jourova to state that the European Commission would "closely monitor the respect of protection standards and the correct implementation" of Privacy Shield "under the new U.S. leadership."