Last week, representatives of the European Commission and U.S. Department of Commerce met for the first annual review of the Privacy Shield framework, which more than 2,500 companies currently use to transfer personal data from the EU to the United States. As the world awaits the results of the review, due sometime in October, new IAPP survey data shows interest in the data-transfer mechanism is on the rise.
In early returns from the IAPP-EY Privacy Governance Survey, which annually monitors the privacy practices of organizations around the world, we see a marked increase in organizations saying they are already using or intend to use the Privacy Shield framework. This year, 47 percent of those saying they will transfer personal data from the EU to the U.S. report they will use Privacy Shield in the coming year. Last year, just 34 percent of the same population said they would use it.
The survey covered 548 organizations around the globe from both the public and private sectors. See last year’s full report here.
This data jibes with what U.S. Department of Commerce administrators and EU Commission observers are seeing on the ground, according to a panel held at the International Data Protection and Privacy Commissioners Conference being held this week in Hong Kong. While Commerce's International Trade Administration Team Lead for Data Flows and Privacy Shannon Coe noted the milestone of pushing past 2,500 participating companies, Commission Data Protection Head of Unit at DG Justice Bruno Gencarelli pointed out that Shield has seen more participation in one year than Safe Harbor saw in its first 10 and that we're still seeing roughly 20 companies certifying under the Shield framework every week.
"Privacy Shield is, first of all, from the Commission perspective, a success," Gencarelli said. "This is not just a first-year boom. The system is growing in a continuous and healthy way."
Dialing in further to the IAPP-EY data, small- to medium-sized enterprises are particularly interested in Shield, with 67 percent of companies with fewer than 5,000 employees saying they intend to use it as a data transfer mechanism in the coming year. It's not surprising. Coe said, "More than half of [Shield participants] are SMBs. We measure this by annual revenue, and you will see over half of the companies do $25 million annually or less, and half of those are $5 million or less. This is an important tool for small companies across industry sectors."
Further, backing out health care and financial services firms, who are not regulated by the Federal Trade Commission, which oversees the Privacy Shield framework, we see participation or intended participation from 49 percent of U.S. companies and 53 percent of EU companies.
Standard contractual clauses, often referred to as model clauses, will be used by 88 percent of organizations responding to the survey, up from 80 percent last year.
However, Privacy Shield is by no means the most popular method of transferring personal data to the United States from the EU. Standard contractual clauses, often referred to as model clauses, will be used by 88 percent of organizations responding to the survey, up from 80 percent last year. It is no wonder then that so many eyes are watching the case known as “Schrems 2.0.” Currently, before the Irish High Court, the case has the potential to invalidate model clauses as a transfer mechanism, similar to the way the first Schrems case invalidated the Safe Harbor data transfer mechanism that Privacy Shield replaced.
This relative uncertainty is also driving interest in the derogations for data transfer outlined in the EU General Data Protection Regulation, set to come into force in May 2018. This year, 35 percent of those transferring personal data report they will rely on derogations like the one for the fulfillment of a contract, versus 27 percent in the year prior.
See a deeper dive into data on data transfer, along with data on all aspects of privacy operations, in the 2017 IAPP-EY Privacy Governance Report, to be released at the IAPP Privacy. Security. Risk conference in San Diego, California, Oct. 16 through 18.
Photo credit: Image courtesy of European Commission