In a new survey that underscores the climate of uncertainty around the newly approved EU-US Privacy Shield, only 34 percent of privacy professionals whose companies transfer data from Europe to the US said they expected their businesses to adopt the framework for responsible transatlantic data flow.
What's more, 50 percent of these same respondents confirmed that their companies had previously followed the Safe Harbour arrangement that preceded the Privacy Shield – an indication that the international business community may have lost faith in the governing bodies responsible for the data privacy compliance since Safe Harbour was struck down by the Court of Justice of the European Union.
The survey is part of a larger annual Privacy Governance Report – issued by the International Association of Privacy Professionals (IAPP) and underwritten by EY (formerly known as Ernst & Young) – scheduled for release later in September. For its study, the IAPP polled a total of 600 privacy professionals, 54 percent of whom confirmed that their companies engaged in transatlantic data transfer. Those who responded in the affirmative were then asked which mechanisms and policies they used for cross-border data transfers.
Omer Tene, VP of Research and Education at the IAPP, suggested in an interview with SCMagazine.com that companies may be disinclined to jump through the regulatory hoops required for Privacy Shield certification, with the looming prospect of the courts finding this policy lacking as they did with Safe Harbour. “Companies might be thinking… it may not be worth going through the exercise to begin with,” said Tene.
Moreover, by May 2018 Europe will enforce its General Data Protection Regulation, which could also drastically impact how companies manage the export of their data. “There might be concerns that the Privacy Shield is a stopgap measure which will not satisfy the additional requirements and burdens of GDPR,” Tene explained. According to the IAPP, the three aspects of GDPR compliance that privacy professionals consider to be the most difficult to execute are the right to be forgotten, data portability and explicit consent requirements.
Judging by the IAPP's findings, a far more popular legal mechanism for ensuring data privacy standards while transferring data across the Atlantic is the “standard contractual clause (SCC)." In fact, 81 percent of respondents whose companies transfer data from the EU to the US confirmed that their companies utilise SCCs. Many companies were forced to adopt these clauses after Safe Harbour was dissolved, in order to have some measure of legal recourse for communicating data.
“When Privacy Shield was approved, there was no requirement, obviously, that they move to the Privacy Shield,” noted Mary Hildebrand, founder and chair of law firm Lowenstein Sandler's Privacy and Information Security Practice, and founder of its Tech Group. “So if they've already addressed the issue, they're not going to change unless they have to,” she explained in an interview with SC.
Case in point: 96 percent of surveyed companies with 25,000 to 75,000 employees that transfer data from the EU to the US use SCCs, but only 26 percent plan to certify with Privacy Shield, likely because they already have an alternative solution in place. When the Safe Harbour was still valid, however, 75 percent of these same companies were certified under that programme.
“This report comes as no surprise,” said Aaron Tantleff, a privacy and information security lawyer at Foley & Lardner LLP, in comments emailed to SC. “Given the current uncertainty, many are considering a wait-and-see approach or evaluating other means for fear that the Privacy Shield will only last until the one-year grace period afforded by the local data authorities before [it's challenged].”
However, the IAPP warns that these contracts are now subject to a pending legal review by the very same court that struck down Safe Harbour. “If they are going to be invalidated it is going to inflict a lot of pain on a large part of the industry,” said Tene.
Indeed, “many companies feel that Privacy Shield and the SCCs are just a ticking time bomb,” said Tantleff.
Regarding the SCCs, Hildebrand said that despite “everybody gritting their teeth and hoping nothing bad happens,” most likely the legal challenge against these clauses will invalidate them “because realistically, there's no difference between how the data [is] surveilled" than how it was under Safe Harbour.
The survey also suggests that binding corporate rules, a third kind of data transfer mechanism, may be too expensive for certain companies seeking viable alternatives to SCCs and the Privacy Shield. Of the surveyed companies that share data between Europe and the US, only eight percent of those with 5,000 employees or fewer said they intend to use binding corporate rules.
Still, experts including Tene and Hildebrand cautioned not to jump to conclusions, as the Privacy Shield registration only opened 1 Aug, and it could take time before companies feel comfortable enough to take the plunge.