deepagopi2011 - Fotolia

Businesses struggling with EU-US data transfer uncertainty

Businesses are facing a highly complex regulatory landscape due to uncertainty around the future of transatlantic data transfers, according to the initial findings of an IAPP report

Businesses are struggling with uncertainty on transatlantic data transfers, according to a report by the International Association of Privacy Professionals (IAPP).

This uncertainty is being driven by scepticism about the Privacy Shield framework that replaced the Safe Harbour agreement declared invalid by the European Court of Justice.

Another contributory factor is the court’s pending review of the standard contractual clauses that many US companies are relying on to carry them through the transition period.

According to the initial findings of the report, which surveyed 600 privacy professionals in the US and EU, more than 80% of companies currently rely on standard contractual clauses to transfer data between the two regions.

It also emerged that just 34% of companies intend to use the newly approved Privacy Shield framework, compared with 50% that used its Safe Harbour forerunner.

Of the US-based companies regulated by the Federal Trade Commission, 73% had used Safe Harbour, but only 42% intend to use Privacy Shield.

Companies in the EU were also implicated, with only 31% indicating they are considering Privacy Shield for the future.

Some comfort

Despite the European Commission’s adoption of the framework, many companies were looking to the Article 29 working party (WP29) of European privacy regulators for assurance.

Although WP29 offered some comfort by approving the framework in late July, the regulators indicated that concerns remain about the commercial aspects and the access US public authorities have to data transferred from the EU.

“The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed,” the regulators said.

“When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.”

This means that while the regulators will let the process run for the coming year, the first review of the framework may bring changes.

Legal challenge

To add to the uncertainty, privacy advocates are also expected to challenge Privacy Shield in the European courts.

“The legal uncertainty of standard contractual clauses and the scepticism about Privacy Shield may be a hangover effect from the Max Schrems case that invalidated Safe Harbour in the European courts, which creates uncertainty around the validity of standard contractual clauses and the Privacy Shield,” said IAPP president and CEO Trevor Hughes.

Binding corporate rules

While many US companies have looked to standard contract clauses, others have put their faith in binding corporate rules to see them safely through the transition period.

However, binding corporate rules are a costlier data transfer mechanism and are viewed as a viable option only by 8% of companies with fewer than 5,000 employees because they are primarily structured for much larger organisations.

This leaves only a small percentage of companies with the option to transfer data through binding corporate rules. As a result, the majority of companies will be left with few legal options to transfer data from the EU should Privacy Shield and standard contractual clauses be invalidated.

US think tank the Brookings Institution has estimated that “digitally delivered services” between the EU and the US amounted to $248bn in 2015. Those digital services – IT consulting, mobile and online, etc – are heavily dependent on data transfers and could be disrupted by the legal uncertainty engulfing transatlantic trade.

Read more about Privacy Shield

“Clearly organisations face an extremely complex regulatory landscape as they look to build their businesses for the digital future,” said Hughes.

“It will be vital for them to employ privacy professionals at the highest levels of management to help navigate that landscape and capitalise on opportunity,” he said.

The complete findings from the IAPP report, including how companies view the impending general data protection regulation, how they are conducting supplier management, and how privacy operations are evolving will be revealed during Privacy.Security.Risk 2016, 15-16 September, in San Jose, California.

Read more on Privacy and data protection