August 1 was the kickoff date for the new EU-U.S. Privacy Shield, when U.S. companies could begin self-certifying under the Shield. To sweeten the pot, the EU’s Article 29 Working Party (a collection of the EU member states’ top data protection authorities) suggested that they would wait until the first annual review of the Privacy Shield ‒ in 2017 ‒ to fully evaluate the Shield and how well it is protecting the rights of EU data subjects. Some observers have interpreted this statement as establishing a moratorium on legal challenges to the Privacy Shield, but that is inaccurate; DPAs are legally obliged to consider any complaints raised by data subjects about the adequacy of data transfer arrangements and, where appropriate, bring a legal challenge in court. In any event, a statement issued by the Working Party makes clear that the group still has grave concerns about the adequacy of the Privacy Shield to protect the rights of EU data subjects. So while companies may have a little more breathing room in which to work out their EU-to-U.S. data transfer arrangements, the oxygen will not last very long.