Privacy Shield Skepticism and Pending Legal Action Against Standard Contractual Clauses Create Uncertainty, Report Says

Portsmouth, NH – Aug. 31, 2016 – The International Association of Privacy Professionals (IAPP), the world’s largest and most comprehensive global information privacy community and resource, today released initial findings from its annual Privacy Governance Report revealing that while the Privacy Shield agreement recently negotiated between EU and U.S. governments continues to face skepticism in the marketplace, it is another legal mechanism that poses the biggest threat for transatlantic data flows.

The report, which surveyed 600 privacy professionals in the U.S. and EU, found that more than 80 percent of companies currently rely on standard contractual clauses as a method of data transfer between the two regions, yet these clauses are currently subject to a pending legal review in the Court of Justice of the European Union, which recently struck down the EU-U.S. Safe Harbor arrangement.

Findings also show that just 34 percent of companies intend to use the newly approved Privacy Shield framework to transfer data from the EU to the U.S., compared to 50 percent who used Safe Harbor. Of the U.S.-based companies that are regulated by the Federal Trade Commission, 73 percent used Safe Harbor in the past, but only 42 percent intended to use Privacy Shield in the future. Companies in the EU were also implicated, with 31 percent of companies indicating they are eying Privacy Shield for the future. To add to the uncertainty, there are still a number of concerns with Privacy Shield, with an expected challenge by privacy advocates in the European courts.

“The legal uncertainty of standard contractual clauses and the skepticism of Privacy Shield may be a hangover effect from the Max Schrems case that invalidated Safe Harbor in the European courts, which creates uncertainty around the validity of standard contractual clauses and the Privacy Shield,” said IAPP president and CEO, J. Trevor Hughes.

Binding corporate rules, a third and costlier data transfer mechanism, are viewed as a viable option going forward by only 8 percent of companies with fewer than 5,000 employees, as the mechanism is primarily structured for much larger organizations. This leaves only a small percentage of companies with the option of transferring data through binding corporate rules, and the majority of companies with few legal options to transfer data from the EU should Privacy Shield and standard contractual clauses be invalidated.

According to EU Commission figures, there was slightly more than $1 trillion in transatlantic trade in 2015. Of that, the Brookings Institute estimated that $248 billion were “digitally delivered services.” Those digital services, like software, IT consulting, mobile and online, are heavily dependent on data transfers and could be disrupted by the legal uncertainty engulfing transatlantic trade.

“Clearly organizations face an extremely complex regulatory landscape as they look to build their businesses for the digital future that provides access to the global economy,” Hughes said. “It will be vital for them to employ privacy professionals at the highest levels of management to help them navigate that landscape and capitalize on opportunity.”

The complete findings from the Privacy Governance Report, including how companies view the impending GDPR, how they are conducting vendor management, and how privacy operations are evolving, will be revealed during Privacy. Security. Risk. 2016, Sept. 15-16, in San Jose, Calif.

About the IAPP

The International Association of Privacy Professionals is the world’s largest association of privacy professionals with more than 25,000 members across 83 countries. The IAPP is a not-for-profit association that helps to define and support the privacy profession globally. More information about the IAPP is available at




Media contact:
Lindsay Hinkle
(o) 603-427-9200  (c) 603-674-8168