Thousands of businesses are still battling with how best to transfer data across the Atlantic – despite the June agreement which finally saw Privacy Shield approved – sparking fears that nearly $250bn (£188bn) worth of trade between the US and EU is under threat.
The continued uncertainty is being driven by scepticism about how robust the Privacy Shield framework is, as well as fears that a pending review of the so-called standard contractual clauses (SCCs) – which are used by 80% of firms transferring data – could render SCCs illegal too.
According to a survey of 600 privacy professionals in the US and EU, carried out by the International Association of Privacy Professionals (IAPP), only 40 US firms have so far been certified for Privacy Shield.
The study also reveals that just 34% of companies intend to use the newly approved framework, compared with 50% which used its Safe Harbour forerunner.
In the US, 73% had used Safe Harbour, but only 42% intend to use Privacy Shield, while only 31% of EU firms indicate they are considering it for the future.
Despite the European Commission’s adoption of the framework, fears expressed by individual EU data regulators sitting on the Article 29 Working Party (WP29) have exacerbated the problem.
Although WP29 approved the framework in late July, the fact that they have pledged to keep a close eye on how Privacy Shield develops has set off alarm bells at many companies.
“The first joint annual review will be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed,” the regulators said at the time.
This means that while the regulators will let the process run for the next 12 months, the first review of the framework may bring changes.
To add to the uncertainty, privacy advocates are also expected to challenge Privacy Shield in the European courts.
While many companies have looked to SCCs, others have put their faith in binding corporate rules to see them safely through the transition period.
However, binding corporate rules are a far more expensive data transfer mechanism and are viewed as a viable option only by 8% of companies with fewer than 5,000 employees because they are primarily structured for much larger organisations.
US think tank the Brookings Institution has estimated that “digitally delivered services” between the EU and the US – including customer data storage – were worth nearly $250bn (£188bn) in 2015. Those digital services are heavily reliant on data transfers and could be hit hard by the uncertainty.
IAPP president and CEO Trevor Hughes said: “The legal uncertainty of standard contractual clauses and the scepticism about Privacy Shield may be a hangover effect from the Max Schrems case that invalidated Safe Harbour in the European courts. Clearly organisations face an extremely complex regulatory landscape as they look to build their businesses for the digital future.
“It will be vital for them to employ privacy professionals at the highest levels of management to help navigate that landscape and capitalise on opportunity,” he added.
EU agrees Privacy Shield but UK must still toe line
Transatlantic data transfers torpedoed once again
Facebook ‘still using illegal safe harbour agreement’
Privacy Shield is nothing short of preposterous
UK consumer data ‘is still at risk’ despite US deal
EU confirms 11th-hour deal over US data transfers
Obama urged to intervene in safe harbour talks
Firms told ‘don’t panic’ over safe harbour ruling
Cameron takes charge of safe harbour backlash
New ruling halts US data transfer