Companies Remain Wary on Using Privacy Shield Compared With Other Options, IAPP Says
Many companies remain wary about using the EU-U.S. Privacy Shield and are relying more on other trans-Atlantic data transfer mechanisms such as standard contractual clauses, said the International Association of Privacy Professionals in its second annual survey, sponsored by EY, released Thursday. "While 50 percent of all companies that transferred personal data between the EU and U.S. in the past used Safe Harbor, just 34 percent say they intend to use Privacy Shield in the future," IAPP said. More than 4,400 U.S. companies used the old safe harbor arrangement before it was invalidated by the European Court of Justice (ECJ) in October (see 1510090023). The Department of Commerce opened the self-certification process for Privacy Shield, which was agreed to earlier this year, Aug. 1 with 196 companies -- including Akamai, Microsoft, Oracle, Salesforce and Workday -- approved as of Thursday (see 1608050007). IAPP said more than 80 percent of companies surveyed said they’re relying on standard contractual clauses, which is currently being challenged in ECJ (see 1607060009). IAPP said companies may be "hesitant" to use Privacy Shield since it might be legally challenged. Another mechanism called binding corporate rules is more of an option for larger companies, the survey found. Fifty-three percent of companies with more than 75,000 employees see it as a "viable solution," compared with 8 percent of companies with fewer than 5,000 employees. IAPP surveyed more than 600 privacy professionals -- 63 percent working for U.S. companies, 19 percent for European organizations and 10 percent for Canadian firms -- across the financial services, government, healthcare and pharma, professional services and technology and telecom sectors. IAPP said more than half polled expected privacy budgets to grow, and 72 percent said the topic is a board-level concern.