Brill didn't rule out the possibility that Europe's DPAs will begin retroactively enforcing Privacy Shield once it's approved.
"In this evaluation time there is uncertainty," she said. "My hope would be that they would understand that everyone is being very respectful of their evaluation and waiting to give them time."
Timothy Edgar, who served under President Obama from 2009 to 2010 as the first director of privacy and civil liberties for the White House National Security Staff, had advice of his own for businesses.
"Companies that were part of Safe Harbor should continue to honor the privacy commitments they made under that agreement, because the Privacy Shield, at least as it has been described so far, is very similar," said Edgar, who is now a senior fellow in international and public affairs at Brown University's Watson Institute for International Studies.
"We don't have all the details yet on the Privacy Shield, so over the next few months it would be prudent for companies to check back with their privacy lawyers to make sure they are doing everything they are required to do under this new arrangement," he added via email.
Companies should consider ways to avoid unnecessary transfers of personal data, Edgar advised: "This is a good practice both for security and privacy reasons," he said.
Those that transfer personal data from the EU to the U.S. would also do well to encrypt the data before it leaves the EU, he added, since EU data-protection regulations only concern transfers of data that are in personally identifiable form.
Looking further ahead, though, Edgar has a big caveat: Privacy Shield may not stand up in European court.
"One thing we know for certain is that it does not change U.S. surveillance law," he explained, and the Court of Justice of the European Union has already determined that that law does not adequately protect EU personal data.
"EU data-protection commissioners are holding off on threats of enforcement for now, but over the next month or so they will be asking tough questions about whether the Privacy Shield is good enough," Edgar added. "The European Commission may be satisfied with the U.S. government's assurances about how EU citizens' data will be treated by American intelligence agencies, but that doesn't mean EU data-protection commissioners -- or European courts -- will agree."
Sign up for CIO Asia eNewsletters.