Most international businesses are avoiding the use of the recently approved EU-US Privacy Shield framework to legitimize transatlantic data transfers, according to a survey by the International Association of Privacy Professionals (IAPP) sponsored by Ernst & Young.

The Privacy Shield was designed as replacement for the Safe Harbor framework, which enabled data transfers between the European Union and the US since 2000 but was invalidated in 2015, following a legal challenge against Facebook.

Just 34 percent of respondents to the survey said they plan to rely on Privacy Shield, in contrast with 50 percent that used Safe Harbor.

Instead, organizations are falling back on other methods to guarantee data privacy across borders – although one such method, standard contractual clauses, is also being challenged in a European court, while another, binding corporate rules, is often deemed too complex for smaller businesses.

Last year, the European Court of Justice invalidated the Safe Harbor framework after Austrian privacy activist Max Schrems sued Facebook over the claims that user data could be accessed by the US government agencies.

Mechanisms for data transfer
– International Association of Privacy Professionals

By the time the ECJ announced its decision, the EU was already in negotiations with the US to develop a revised set of principles later dubbed the EU-US Privacy Shield, which was formally approved in July 2016.

In its annual Privacy Governance Report, the IAPP asked 600 privacy professionals on both sides of the Atlantic about their data transfer arrangements, and found that just 34 percent were planning to rely on the Privacy Shield. The overwhelming majority (80 percent) of respondents said they are currently using standard contractual clauses to enable data transfer.

The report notes that while increasingly popular, this method of complying with European regulations could be invalidated in a current case pending at the Court of Justice of the European Union, adding to the confusion.

Just 8 percent of companies with fewer than 5,000 employees said they see a third compliance option, binding corporate rules, as a practical option. This mechanism is considered to be expensive and time consuming to implement.

The report warns that, in the event standard contractual clauses are invalidated, global organizations could be left without a viable legal channel for transferring data across the Atlantic.

“The legal uncertainty of standard contractual clauses and the skepticism of Privacy Shield may be a hangover effect from the Max Schrems case that invalidated Safe Harbor in the European courts, which creates uncertainty around the validity of standard contractual clauses and the Privacy Shield,” said IAPP president and CEO, Trevor Hughes.

“Clearly organizations face an extremely complex regulatory landscape as they look to build their businesses for the digital future that provides access to the global economy. It will be vital for them to employ privacy professionals at the highest levels of management to help them navigate that landscape and capitalize on opportunity.”

The complete findings from the IAPP Privacy Governance Report will be revealed during Privacy.Security.Risk 2016 conference in San Jose, California.