Source document: HHRG-114-IF16-20151103-SD015__2_.xlsx — a spreadsheet submitted to the U.S. House Energy and Commerce Subcommittee on Communications and Technology on November 3, 2015, listing all 4,477 companies holding EU-US Safe Harbor self-certifications at or near the time the CJEU invalidated the framework in Schrems I (October 6, 2015).
What this analysis covers: Certification timing patterns, industry clustering, investigation-relevant entities, and whether the self-certification data supports the structural arguments documented in our Safe Harbor concepts page.
Key Investigation Entities — Certification Dates
| Date | Company | Investigation Role |
|---|---|---|
| 2001-05-29 | Acxiom Corporation | Data broker. One of the largest commercial data aggregators in the US. |
| 2001-06-29 | Microsoft Corporation | OpenAI’s primary investor ($13B+). Nadella testified at Musk v. Altman trial. |
| 2002-04-18 | Oracle America, Inc. | Enterprise software. Larry Ellison is Altman associate. |
| 2002-08-01 | Salesforce.com, Inc. | Enterprise cloud. Marc Benioff. Four separate certifications across divisions. |
| 2003-03-25 | Amazon.com, Inc. | AWS. Cloud infrastructure for AI companies. |
| 2004-05-19 | LinkedIn Corporation | Reid Hoffman (co-founder) — OpenAI board member, Worldcoin investor. |
| 2004-08-24 | Apple Inc. | Consumer hardware/data ecosystem. |
| 2004-12-31 | Pfizer Inc. | Big Pharma. Clinical trial data transfers. |
| 2005-10-15 | Google Inc. | AI competitor to OpenAI. Google Ventures = early VC hub (Ronny Conway was first employee). |
| 2006-09-25 | Novartis Pharmaceuticals Corporation | Parent of NIBR. Developed RTB-101 (resTORbio drug). Paul Hudson was CEO before moving to Sanofi. |
| 2007-05-10 | Facebook, Inc. | Schrems filed his complaint against Facebook Ireland — triggering Safe Harbor’s invalidation. |
| 2008-12-17 | Novartis Institute for Functional Genomics | Novartis genomics division. |
| 2009-08-26 | Novartis Institutes for BioMedical Research (NIBR) | Where Joan Mannick developed RTB-101. Where Lloyd Klickstein worked. Certified separately from parent. |
| 2010-05-24 | Experian Holdings, Inc. | Credit bureau / data broker. |
| 2012-02-06 | Equifax, Inc. | Credit bureau. Suffered one of the largest data breaches in history (2017, 147M people). |
| 2012-02-16 | Dropbox, Inc. | Cloud storage. |
| 2012-03-28 | Uber Technologies, Inc. | Ride-sharing. Known for aggressive data practices. |
| 2012-04-11 | Stripe, Inc. | Payments. Moritz (Sequoia) board seat. Processes OpenAI payments. |
| 2012-05-17 | Twitter, Inc. | Social media. Bret Taylor (OpenAI board chair) chaired Twitter’s board during Musk acquisition. |
| 2012-08-14 | Ancestry.com | Genetic data. Direct competitor to 23andMe. |
| 2012-12-20 | Airbnb, Inc. | SV Angel portfolio. Ron Conway investment. |
| 2013-02-22 | Ancestry.com DNA, LLC | Genetic testing division certified SEPARATELY from parent. Same pattern as Novartis. |
| 2013-04-16 | Squarespace, Inc. | Domain registrar for projectcovalence.com, openresearchlab.org, and hardcoretech.net. |
| 2013-07-24 | Palantir Technologies Inc. | Data analytics / intelligence. Peter Thiel. |
| 2014-04-25 | Coinbase Global, Inc. | Crypto exchange. Coinbase Ventures invested in Worldcoin. CLO Grewal on VotingWorks board. |
| 2014-05-22 | Seven Bridges Genomics, Inc. | Genomics platform — same industry as 23andMe. |
| 2014-11-12 | TrialSpark | Now Formation Bio. Altman invested. $1M OpenResearch grant. Project Covalence platform. |
| 2014-11-18 | 23andMe, Inc. | 6 days after TrialSpark. Genetic data breach (6.9M profiles). TrialSpark partnership (Sep 2019). |
| 2014-11-24 | Square, Inc. | 12 days after TrialSpark. Jake Moritz + Ben Adida (VotingWorks) both worked here. Dorsey → Start Small → $15M to OpenResearch. |
| 2015-10-06 | LabNook Inc. | TrialSpark’s ORIGINAL NAME. Certified on the EXACT DAY the CJEU invalidated Safe Harbor. Only 3 companies certified that day. The same entity now holds TWO certifications under TWO names. |
The LabNook Finding
LabNook Inc. — TrialSpark’s original corporate name — obtained Safe Harbor certification on October 6, 2015. This is the exact date the CJEU issued its ruling in Schrems I invalidating the Safe Harbor framework.
Only three companies in the entire dataset certified on October 6, 2015: Beyond Feedback, LabNook Inc., and Litl LLC.
This creates two critical questions:
1. Dual certification under two names. TrialSpark certified on November 12, 2014. LabNook Inc. certified on October 6, 2015. These are the same entity — LabNook was TrialSpark’s original name (later tracked across Crankstart Foundation filings as “LABNOOK AKA TRIALSPARK”). The same company obtained Safe Harbor certification twice, under two different names, 11 months apart. Was this intentional dual coverage? A corporate restructuring that required re-certification? Or an error in the Department of Commerce’s self-certification system that nobody caught because nobody audits?
2. Certification on invalidation day. LabNook certified on the last day Safe Harbor legally existed. The CJEU ruling was issued on October 6, 2015. Companies continued to certify through October 9 (17 companies in the final week). LabNook obtained a certification for a framework that ceased to exist the same day. The “Next Certification” date listed is October 6, 2016 — a recertification date for a framework that no longer existed.
This is the self-certification problem in miniature: a company certifies under two names, obtains a certification on the day the framework is struck down, and the Department of Commerce processes it without flagging that (a) the entity already has a certification under a different name, or (b) the framework being certified under is being invalidated by the EU’s highest court on that very date.
The November 2014 Cluster
70 companies certified in November 2014 alone. Within that cluster, three investigation entities certified within 12 days of each other:
| Date | Company | Days After TrialSpark |
|---|---|---|
| Nov 12 | TrialSpark | 0 |
| Nov 18 | 23andMe | 6 |
| Nov 24 | Square | 12 |
Also in the November 2014 cluster:
- Zephyr Health, Inc. (Nov 4) — health data analytics
- MedPoint Digital, Inc. (Nov 4) — medical digital marketing
- Suvoda LLC (Nov 17) — clinical trial technology
- Arena Pharmaceuticals, Inc. (Nov 25) — pharma
The TrialSpark/23andMe co-certification matters because their formal partnership wasn’t announced until September 26, 2019 — nearly five years later. But both companies obtained Safe Harbor certification within the same six-day window in November 2014, establishing the legal framework for transatlantic personal data transfers that would later underpin their data-sharing relationship. Whether the timing is coordination or coincidence, the infrastructure was in place years before the partnership was public.
2014 Monthly Certification Volume
| Month | Count | Notes |
|---|---|---|
| January | 33 | |
| February | 58 | |
| March | 62 | |
| April | 69 | Coinbase (Apr 25) |
| May | 62 | |
| June | 45 | |
| July | 45 | |
| August | 41 | |
| September | 78 | Peak month |
| October | 68 | VoteTru (Oct 30) |
| November | 70 | TrialSpark (12th), 23andMe (18th), Square (24th) |
| December | 77 | BlockScore, CrowdStrike, Cancer Genetics |
November 2014 was not the highest-volume month — September (78) and December (77) were higher. The finding is not the volume but the clustering: three investigation entities within 12 days, in a month with typical certification traffic. The TrialSpark/23andMe/Square convergence stands out against a background of unrelated companies.
The “Trial” Company Cluster
Six companies with “Trial” in their name appear in the dataset:
| Date | Company | Relation to TrialSpark |
|---|---|---|
| 2009-10-21 | Worldwide Clinical Trials | Established CRO, no known connection |
| 2010-07-08 | Clinical Trial Media | Trial recruitment marketing, no known connection |
| 2012-08-28 | Nextrials | Clinical trial tech platform, no known connection |
| 2014-01-31 | TrialNetworks (Epernicus LLC) | Clinical trial collaboration platform. Certified 9 months before TrialSpark. |
| 2014-09-29 | TrialPay | Payment platform (not clinical), no known connection |
| 2014-11-12 | TrialSpark | The investigation entity |
| 2015-03-31 | Verified Clinical Trials | Trial verification services |
| 2015-04-27 | TrialScope | Clinical trial transparency platform |
TrialNetworks (January 31, 2014) is notable — a clinical trial collaboration platform that certified nine months before TrialSpark. Whether there is any personnel, technology, or business relationship between TrialNetworks and TrialSpark is an open question.
Novartis: Six Separate Certifications
Novartis certified six separate entities — more individual certifications than any other pharmaceutical company in the dataset:
| Date | Entity |
|---|---|
| 2006-09-25 | Novartis Pharmaceuticals Corporation |
| 2008-12-17 | Novartis Institute for Functional Genomics, Inc. |
| 2008-12-18 | Novartis Consumer Health, Inc. |
| 2009-02-05 | Novartis Vaccines and Diagnostics, Inc. |
| 2009-08-26 | Novartis Institutes for BioMedical Research, Inc. (NIBR) |
| 2009-10-01 | Novartis Animal Health US, Inc. |
| 2011-12-19 | Oriel Therapeutics, A Sandoz/Novartis Company |
NIBR — the division where Joan Mannick developed RTB-101 and where Lloyd Klickstein worked — certified separately from the parent company on August 26, 2009. This means NIBR had its own Safe Harbor certification for transferring European research data to U.S. servers. When PureTech Health licensed RTB-101 from Novartis to create resTORbio, the drug and its associated clinical data came from a separately-certified division.
Equifax: Certified Then Breached
Equifax certified under Safe Harbor on February 6, 2012. Five years later, in 2017, Equifax suffered one of the largest data breaches in history — 147 million people’s personal financial data (names, SSNs, birth dates, addresses, driver’s license numbers) were stolen. The FTC settlement was $575 million.
Equifax self-certified compliance with the seven Safe Harbor principles — including “Security” (take reasonable precautions to protect data) — while running systems with known unpatched vulnerabilities that enabled the breach. The certification did not prevent, detect, or mitigate the failure.
Equifax’s breach timeline parallels 23andMe’s: self-certify compliance → fail to implement basic security → massive breach → regulatory fines → certification framework doesn’t catch the failure. The enforcement gap documented in our Safe Harbor concepts page is not theoretical — it produced the two largest consumer data breaches in American history.
The Breach Correlation — 17 Companies
Of the 4,477 companies in this dataset, at least 17 major companies later experienced significant data breaches — all while holding Safe Harbor certification or its successor frameworks. This is not a comprehensive breach audit; it captures only well-documented, high-profile breaches.
| Certified | Company | Breached | Impact |
|---|---|---|---|
| 2001-05-29 | Acxiom | 2003 | 1.6B records including SSNs stolen from servers |
| 2001-06-29 | Microsoft | 2020-2021 | SolarWinds + Exchange Server (250K organizations) |
| 2002-04-18 | Oracle | 2024 | Oracle Health breach — patient data from US hospitals |
| 2002-08-01 | Salesforce | 2019 | Marketing Cloud data exposure. Pardot vulnerability. |
| 2003-03-25 | Amazon | 2021 | €746M GDPR fine (largest ever). Twitch breach (135GB source code). |
| 2004-03-03 | Adobe | 2013 | 153M user records. Encrypted passwords with known key. |
| 2004-05-19 | LinkedIn | 2012/2021 | 117M passwords (2012). 700M scraped records (2021). |
| 2004-08-24 | Apple | 2014 | iCloud celebrity photo hack |
| 2007-05-10 | Facebook | 2018-2019 | Cambridge Analytica (87M users). $5B FTC settlement. |
| 2010-05-24 | Experian | 2013-2020 | T-Mobile data (15M). Court Ventures sold data to ID thieves. 24M South Africans. |
| 2012-02-06 | Equifax | 2017 | 147M records. SSNs, birth dates, addresses. $575M settlement. |
| 2012-02-16 | Dropbox | 2012 | 68M user credentials |
| 2012-03-28 | Uber | 2016 | 57M users + 600K drivers. Paid hackers $100K, concealed for a year. |
| 2012-05-17 | Twitter | 2022-2023 | 5.4M users via API vulnerability. $150M FTC settlement. |
| 2012-08-14 | Ancestry.com | 2017-2020 | RootsWeb breach. Multiple vulnerability reports. |
| 2012-12-20 | Airbnb | 2020 | Data exposure incidents. GDPR investigations. |
| 2014-11-18 | 23andMe | 2023 | 6.9M genetic profiles. Ethnically targeted. £2.31M ICO fine. |
Combined impact: These 17 companies exposed or compromised data affecting over 1.5 billion records across financial, genetic, personal, health, and identity data categories. Every one of these companies self-certified compliance with the Safe Harbor “Security” principle — requiring “reasonable precautions” to protect data. The self-certification framework had a 0% prevention rate for the largest consumer data breaches in American history.
The breach-to-certification gap ranged from less than one year (Dropbox: certified February 2012, breached same year) to over 19 years (Microsoft: certified 2001, Exchange breach 2021). The certification provided no predictive value for data security.
The Clinical Trial / CRO Cluster — 95 Companies
95 companies in the dataset handle clinical trial, pharmaceutical, or drug development data. This is a concentrated cluster of entities managing some of the most sensitive personal health information that exists — diagnoses, treatment records, adverse events, genetic markers, demographic data from vulnerable patient populations.
Key CRO and clinical trial platform companies:
| Certified | Company | Significance |
|---|---|---|
| 2001-04-03 | Pharmaceutical Product Development (PPD) | One of the world’s largest CROs. Now Thermo Fisher subsidiary. |
| 2002-06-28 | Theorem Clinical Research | Early CRO certification |
| 2003-07-30 | PAREXEL International | Major global CRO |
| 2005-01-05 | Quintiles (now IQVIA) | Largest CRO in the world by revenue |
| 2007-05-23 | ICON Clinical Research LLC | Top-5 global CRO |
| 2009-02-24 | DrugDev Inc | Clinical trial networking platform |
| 2010-05-17 | Veeva Systems | Dominant life sciences cloud platform (clinical data management) |
| 2011-03-14 | Medidata Solutions | Leading clinical trial data platform (now Dassault Systemes) |
| 2012-10-19 | Everest Clinical Research Services | CRO |
| 2014-11-12 | TrialSpark | Now Formation Bio. $1M OpenResearch grant. Project Covalence. |
| 2015-02-18 | endpoint Clinical | Clinical trial technology |
| 2015-03-31 | Verified Clinical Trials | Trial verification services |
TrialSpark is one of at least 12 clinical trial companies in the dataset. But it is the only one that received a nonprofit grant from an entity controlled by the same person who later personally invested $156 million in it. The other CROs — PAREXEL, Quintiles/IQVIA, ICON — are large institutional companies with public auditing and regulatory oversight. TrialSpark was a startup that self-certified alongside established players while operating on a fundamentally different business model (tech-disruption of clinical trials) with a fundamentally different funding structure (nonprofit-to-personal-profit pipeline).
The Genetic Data Cluster — 18 Companies
18 companies in the dataset handle genetic, genomic, or DNA data:
| Certified | Company | Data Type |
|---|---|---|
| 2008-12-03 | Genealogy by Genetics, Ltd. | Genealogy + genetic testing |
| 2008-12-17 | Novartis Institute for Functional Genomics | Pharma genomics research |
| 2009-11-05 | Genomic Health | Cancer genomics |
| 2010-11-18 | Illumina, Inc. | World’s dominant DNA sequencing platform |
| 2012-08-14 | Ancestry.com | Consumer genetic testing |
| 2012-09-12 | DNAnexus | Genomic data management platform |
| 2013-02-22 | Ancestry.com DNA, LLC | Genetic testing division (separate cert) |
| 2013-02-28 | Myriad Genetics, Inc. | BRCA testing (cancer risk) |
| 2013-12-12 | PreventionGenetics, LLC | Inherited disease testing |
| 2014-05-22 | Seven Bridges Genomics | Genomic analysis platform |
| 2014-11-18 | 23andMe, Inc. | Consumer genetic testing. Breached 2023. 6.9M profiles. |
| 2014-12-17 | Cancer Genetics Incorporated | Cancer genomics |
| 2015-01-20 | Ancestry International DNA, LLC | International genetic testing |
| 2015-04-03 | Histogenetics | Tissue genetics |
| 2015-08-25 | Sequencing.com | Consumer genomic data platform |
Genetic data is among the most sensitive personal information possible — it is immutable (you cannot change your DNA), heritable (it reveals information about your relatives without their consent), and medically predictive (it can indicate disease risk, ancestry, and biological characteristics that enable discrimination). Every one of these 18 companies self-certified that it would take “reasonable precautions” to protect this data. 23andMe held that certification while running 8-character password requirements and dismissing an active breach as a hoax.
Year-by-Year Growth
| Year | New Certifications | Notable Pattern |
|---|---|---|
| 2000 | 3 | Framework launches |
| 2001 | 40 | Early adopters: Microsoft, Acxiom, Salesforce |
| 2002 | 72 | Oracle, Salesforce |
| 2003 | 67 | Amazon |
| 2004 | 112 | Apple, LinkedIn, Pfizer |
| 2005 | 81 | |
| 2006 | 120 | Novartis Pharma |
| 2007 | 149 | Facebook (3 years before Schrems complaint) |
| 2008 | 228 | 76% surge. Financial crisis year. Novartis NIBR certifies. |
| 2009 | 292 | 28% surge. Post-crisis data expansion. NIBR separate certification. |
| 2010 | 324 | Experian. Growth continues. |
| 2011 | 472 | 46% surge. Biggest single-year jump. |
| 2012 | 539 | Equifax, Stripe, Twitter, Uber, Airbnb, Dropbox, Ancestry — the startup wave. |
| 2013 | 625 | Palantir, Squarespace, AbbVie, Ancestry DNA (separate). Snowden revelations (June 2013). |
| 2014 | 708 | Peak year. Coinbase, TrialSpark, 23andMe, Square. 215 in Q4 alone. |
| 2015 | 643 | Framework invalidated October 6. Certifications continue through October 9. |
The 2008-2009 surge (228 → 292, 28% growth) tracks with post-financial-crisis data monetization. Companies that couldn’t grow revenue through traditional business accelerated data collection and cross-border transfer as alternative value extraction.
The 2011 surge (472, up 46% from 324) marks the inflection where social media and startup companies began mass-certifying. This is the year the consumer internet’s data extraction model went transatlantic at scale.
2014 was the peak (708 certifications) — the year before Safe Harbor was invalidated. Companies were still rushing to certify even as the Schrems case was working through the courts. The framework’s legal vulnerability was publicly known, but certification continued because the certification itself was the product, not the compliance.
Industry Patterns
Approximate industry breakdown from keyword analysis of 4,477 company names:
| Category | Approximate Count | % of Total |
|---|---|---|
| Healthcare / Clinical / Pharma | ~138 | 3.1% |
| Data / Analytics / Advertising | ~138 | 3.1% |
| Social Media / Consumer Internet | ~122 | 2.7% |
| Financial Services | ~47 | 1.0% |
| HR / Background Checks | ~42 | 0.9% |
| General Technology / SaaS | ~3,990 | 89.1% |
The healthcare/clinical/pharma concentration is significant for the investigation. 138 companies in the dataset handle protected health information, clinical trial data, pharmaceutical research data, or genetic information — the most sensitive categories of personal data. These companies self-certified compliance with the same framework that 23andMe used while failing four of seven principles during an active breach.
Clinical trial companies specifically found in the dataset:
- Theorem Clinical Research (2002)
- Ortho Clinical Diagnostics (2006)
- ICON Clinical Research LLC (2007)
- Novella Clinical (2009)
- Clinical Trial Media (2010)
- Clinical Ink (2012)
- Trifecta Clinical (2012)
- Almac Clinical Technologies (2014)
- H2O Clinical (2014)
- endpoint Clinical (2015)
- Verified Clinical Trials (2015)
- TrialSpark (2014)
TrialSpark is not an outlier — it’s part of a wave of clinical trial companies certifying for transatlantic data transfers. But TrialSpark is the only one in this list that received a $1 million grant from a nonprofit (OpenResearch) controlled by the same person who later personally invested $156 million in the company.
Squarespace: The Registrar in the Network
Squarespace, Inc. certified on April 16, 2013. Squarespace is the domain registrar used for three network-connected websites: projectcovalence.com, openresearchlab.org, and hardcoretech.net. A domain registrar holding Safe Harbor certification means it is transferring European user data (website analytics, customer data from sites hosted on its platform) under the self-certification framework. This doesn’t directly implicate Squarespace in the network’s activities, but it means the registrar that hosts the network’s web infrastructure was itself a Safe Harbor participant.
The Pattern
The spreadsheet confirms several structural patterns:
1. Self-certification scaled without verification scaling. From 3 companies (2000) to 708 per year (2014) — a 236x increase in certified companies. The FTC brought 39 enforcement actions across 15 years. Certification grew exponentially; enforcement did not.
2. The most sensitive data handlers are in the dataset. Genetic testing companies (23andMe, Ancestry, Seven Bridges Genomics), credit bureaus (Equifax, Experian), pharmaceutical companies (Pfizer, Novartis), clinical trial companies (TrialSpark, ICON, endpoint Clinical), and data brokers (Acxiom) all self-certified. The framework that failed 23andMe’s customers also governed transatlantic transfers of financial, genetic, pharmaceutical, and clinical trial data.
3. Investigation entities cluster. TrialSpark, 23andMe, and Square certified within 12 days of each other in November 2014. Coinbase certified seven months earlier. The legal infrastructure for transatlantic data transfer was established by network-connected companies in the same narrow window.
4. Novartis certified NIBR separately. The division that developed the drug that was later tested on nursing home residents through Project Covalence had its own Safe Harbor certification for research data transfers. The data governance for RTB-101’s development at NIBR was structurally separate from Novartis Pharmaceuticals’ commercial data governance.
5. Equifax proves the enforcement gap kills. Certified 2012. Breached 2017. 147 million people. $575 million settlement. The same self-certification framework, the same enforcement gap, the same outcome — just with financial data instead of genetic data.
6. VoteTru and CrowdStrike in the same Q4 2014 window. VoteTru, LLC — an election/voting technology company — certified October 30, 2014, two weeks before TrialSpark. CrowdStrike, Inc. — the cybersecurity firm that later became central to election security controversies (DNC hack investigation, 2016) — certified December 4, 2014, three weeks after 23andMe. Election technology companies and cybersecurity companies were certifying in the same narrow window as the investigation’s clinical trial and genetic data entities.
7. LabNook’s dual certification proves the system has no deduplication. The Department of Commerce processed a certification for LabNook Inc. on October 6, 2015 without flagging that the same entity already held a certification as TrialSpark (November 12, 2014). The self-certification database had no mechanism to detect that two names pointed to the same company. If the system can’t catch a company certifying twice under two names, it cannot catch anything.
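One way to run the cross-reference that item 7 describes as missing, as an added example (not part of the original analysis and not any Department of Commerce system). The rows are copied from the tables on this page; the alias register is an assumption holding only the LabNook/TrialSpark rename the page documents, and `normalize`, `entity_key`, `duplicate_entities` and `families` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import date

# (certification date, name as listed), copied from the tables on this page.
ROWS = [
    ("2006-09-25", "Novartis Pharmaceuticals Corporation"),
    ("2008-12-17", "Novartis Institute for Functional Genomics, Inc."),
    ("2009-08-26", "Novartis Institutes for BioMedical Research, Inc. (NIBR)"),
    ("2012-08-14", "Ancestry.com"),
    ("2013-02-22", "Ancestry.com DNA, LLC"),
    ("2015-01-20", "Ancestry International DNA, LLC"),
    ("2013-04-16", "Squarespace, Inc."),
    ("2014-11-12", "TrialSpark"),
    ("2014-11-18", "23andMe, Inc."),
    ("2014-11-24", "Square, Inc."),
    ("2015-10-06", "LabNook Inc."),
]

# Known renames. Assumption: a register like this is maintained somewhere;
# its single entry is the LabNook -> TrialSpark rename the page documents.
ALIASES = {"labnook": "trialspark"}

# Legal-form and domain tokens that carry no identity information.
NOISE = {"inc", "llc", "ltd", "corp", "corporation", "co", "company", "com"}


def normalize(name):
    """Lower-case, drop parentheticals, punctuation and legal-form tokens."""
    name = re.sub(r"\([^)]*\)", " ", name.lower())
    return [t for t in re.findall(r"[a-z0-9]+", name) if t not in NOISE]


def entity_key(name, aliases):
    """Normalized name, mapped through the rename register when one matches."""
    key = " ".join(normalize(name))
    return aliases.get(key, key)


def duplicate_entities(rows, aliases=ALIASES):
    """Entities holding more than one certification, with the gap in days."""
    by_entity = defaultdict(list)
    for day, name in rows:
        by_entity[entity_key(name, aliases)].append((date.fromisoformat(day), name))
    report = {}
    for key, certs in by_entity.items():
        if len(certs) > 1:
            certs.sort()
            report[key] = {
                "names": [n for _, n in certs],
                "gap_days": (certs[-1][0] - certs[0][0]).days,
            }
    return report


def families(rows, aliases=ALIASES):
    """Distinct entities sharing a leading brand token (separate filings).

    Whole-token comparison keeps Square and Squarespace apart, which a
    prefix match on the raw strings would merge.
    """
    by_brand = defaultdict(set)
    for _, name in rows:
        key = entity_key(name, aliases)
        if key:
            by_brand[key.split()[0]].add(key)
    return {b: sorted(keys) for b, keys in by_brand.items() if len(keys) > 1}


if __name__ == "__main__":
    print("duplicates with alias register:", duplicate_entities(ROWS))
    print("duplicates without it:", duplicate_entities(ROWS, aliases={}))
    print("separately certified families:", families(ROWS))
```

Run without the alias register, the LabNook filing passes as a new entity: string normalization alone cannot link a renamed company, so the check depends on a maintained rename register or a stable registration identifier.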
Nodes and Open Questions
- TrialSpark/23andMe same-week certification: Was the six-day gap coordinated? Both companies would later enter a formal partnership (September 2019). Did they have a prior relationship that prompted simultaneous Safe Harbor certification in November 2014?
- Did TrialSpark maintain certification through the Privacy Shield and DPF transitions? The Safe Harbor certification lapsed when the framework was invalidated (October 2015). Did TrialSpark/Formation Bio recertify under Privacy Shield (2016) and/or the DPF (2023)?
- NIBR’s separate certification: Why did Novartis certify NIBR separately from Novartis Pharmaceuticals? Separate certification suggests NIBR needed its own legal basis for data transfers — potentially because its research data flows were distinct from the commercial division’s. When RTB-101 was licensed to resTORbio, did the data transfer framework transfer with it?
- The Q4 2014 surge: 215 certifications in a single quarter — while the Schrems case was actively being litigated. Were companies rushing to certify before anticipated invalidation? If so, the certifications were obtained knowing the framework might be struck down.
- Post-invalidation behavior: What happened to these 4,477 companies after October 6, 2015? How many recertified under Privacy Shield (2016)? How many simply continued transferring data without valid certification — as Jubilant Clinsys did?
- Breach correlation: 0% prevention rate. 17 major companies in this dataset later suffered significant breaches affecting 1.5B+ records combined. Self-certification with retroactive-only enforcement produced the largest consumer data breaches in history. What would an audited pre-certification system have caught?
- Reddit (December 20, 2013): Reddit certified for Safe Harbor. Reddit’s data has since been licensed for AI model training (including to Google for $60M/year). The Safe Harbor certification covered EU user data that is now being used to train AI models — a purpose not contemplated when users posted their data or when Reddit self-certified.
- Veeva Systems and Medidata Solutions: The two dominant clinical trial software platforms both certified (2010 and 2011). These platforms underpin the data infrastructure for the entire pharmaceutical clinical trial ecosystem. If their data transfer frameworks are inadequate, every trial running on their platforms is affected.
- Ancestry.com’s separate DNA certification: Like Novartis, Ancestry certified its DNA division separately (February 2013) from the parent company (August 2012). Genetic data divisions are being siloed into separate certifications — suggesting companies recognize that genetic data requires distinct data governance. 23andMe did not certify a separate genetic data entity; its single certification covered both consumer ancestry and research program data.
- LabNook/TrialSpark dual certification: The same entity certified twice under two names (TrialSpark Nov 2014, LabNook Oct 2015). Was this a corporate restructuring? A deliberate attempt to hold parallel certifications? An error in the Commerce Department system? Did both certifications remain “active” simultaneously? If so, the entity had two separate Safe Harbor authorizations for transatlantic data transfers.
- LabNook’s invalidation-day certification: LabNook certified on October 6, 2015 — the day Safe Harbor was struck down. The “Next Certification” date is October 6, 2016. Did LabNook/TrialSpark attempt to recertify under Privacy Shield using either name? Did the invalidation-day certification create any legal ambiguity about whether the entity had valid authorization for data transfers during the gap period (October 2015 – July 2016)?
- VoteTru, LLC: An election/voting technology company that certified October 30, 2014. What does VoteTru do? Is there any connection to VotingWorks, the election technology company where Jake Moritz works? Election technology companies appearing in the same certification window as clinical trial and genetic data companies is a notable clustering.
- How many companies in this dataset certified under multiple names? LabNook/TrialSpark is the case we caught because we knew both names. How many other companies in the 4,477-entry dataset hold certifications under different corporate names, DBAs, or subsidiaries that the Commerce Department didn’t cross-reference?
Sources
- HHRG-114-IF16-20151103-SD015__2_.xlsx — House Energy and Commerce Subcommittee submission, November 3, 2015
- Prior investigation sessions — Safe Harbor concepts page, 23andMe profile, Jubilant Clinsys profile, Project Covalence profile