While the Privacy Shield agreement recently negotiated between EU and U.S. governments continues to face skepticism in the marketplace, it is another legal mechanism that poses the biggest threat for trans-Atlantic data flows. According to the results of a comprehensive survey of 600 privacy professionals by the IAPP this summer, more than 80 percent of companies rely on pre-approved “standard contractual clauses” to transfer data from the EU to the U.S. Yet these clauses are currently subject to a legal attack in the Court of Justice of the European Union, which – after striking down the EU-U.S. Safe Harbor arrangement – may invalidate their use.

The upcoming Annual Privacy Governance Report 2016 reveals that just 34 percent of companies intend to use the EU-U.S. Privacy Shield framework to transfer data from the EU to the U.S., compared to the 50 percent who used Safe Harbor. Privacy Shield, which was finalized over the summer concurrently with the fielding of the survey, itself faces scrutiny from European regulators and possibly its own court battle. Finally, only 8 percent of companies with fewer than 5,000 employees see binding corporate rules, a third and more costly data transfer mechanism, as a viable option going forward.

According to EU Commission figures, there was slightly more than $1 trillion in transatlantic trade in 2015. Of that, the Brookings Institution estimated in 2012 that $248 billion were “digitally delivered services.” Those digital services – like software, IT consulting, mobile and online – rely heavily on data transfers and could be disrupted by the cloud of legal uncertainty engulfing transatlantic trade. Nor is this a concern only for U.S. firms: According to the survey, 89 percent of all EU companies actively transferring data to the U.S. currently use standard contractual clauses.

Of the U.S.-based companies that are regulated by the Federal Trade Commission, 73 percent used Safe Harbor in the past, but only 42 percent intend to use Privacy Shield in the future. This result may be influenced by the early stage of the framework at which the survey was rolled out, or by a hangover effect from the Max Schrems case that invalidated Safe Harbor in the European courts and continues to generate uncertainty around the validity of standard contractual clauses and the Privacy Shield.

To add to the uncertainty, in its most recent statement, the Article 29 Working Party in the EU, the collection of Member State data protection authorities, said a number of concerns remain with Privacy Shield and that the first annual review of the agreement will be a “key moment.”

The data shows that not only U.S. companies should be concerned about the future of Privacy Shield: Thirty-one percent of EU companies said they are eyeing Privacy Shield for their future data transfer needs.

According to the report, a more comprehensive data transfer mechanism, binding corporate rules, which companies can have certified by data protection authorities for use in transferring data, seems to be an option only for large companies. Quite simply, the cost in legal fees and organizational time to accomplish binding corporate rules is prohibitive for smaller firms.

Just 8 percent of companies with fewer than 5,000 employees see BCRs as a viable option going forward, versus 53 percent of companies with more than 75,000 employees.

“Clearly,” said IAPP President and CEO J. Trevor Hughes, “organizations face an extremely complex regulatory landscape as they look to build their businesses for the digital future that provides access to the global economy. It will be vital for them to employ privacy professionals at the highest levels of management to help them navigate that landscape and capitalize on opportunity.”

Find a deeper dive into all of this information and more, including how companies view the impending GDPR, how they are conducting vendor management, and how privacy operations are evolving, in the Annual Privacy Governance Report 2016, which will be available for the first time at the IAPP’s Privacy. Security. Risk. Conference, Sept. 14 through 16, in San Jose, California.