New IAPP-EY Privacy Governance Report Shows Rising Concerns About Cross-Border Data Transfers, Widespread Adoption of SCCs

The annual Privacy Governance Report from researchers at IAPP and EY focuses on the ongoing COVID-19 pandemic and its impact on privacy professions. But it also examines at least one seismic event that has had nearly as much impact on companies doing business in the EU: the Schrems II decision and the resulting complications it has created for data transfers to the United States.

The report finds that the majority of privacy professionals are having to deal with the Schrems decision, and that the most common strategy by far is the use of standard contractual clauses (SCCs) and third countries in the data transfer chain. The effects of the pandemic are also still being felt as Covid vaccine mandates begin to impact the workforce.

Said Müge Fazlioglu, Senior Westin Research Fellow and author of the report: “Privacy is on the move. Almost every day, there’s a new fine, new law passed or proposed, or new legislative hearing about how to better protect consumer privacy. Our Governance report shows what the Privacy Leadership teams across the world’s largest and smallest companies are doing to ensure privacy protections remain in place as billions and billions of data transfers continue to power the global economy.”

Privacy governance issues in 2021: International data transfers, COVID workforce impact take center stage

Privacy budgets were up in the past year, and 60% of respondents say that they expect them to increase again in the coming year. The average privacy spend is now about $873,000 annually, and only 3% of respondents feel that budgets will be going down any time soon.

The Schrems II court decision, which expanded interpretation of the General Data Protection Regulation (GDPR) to heavily restrict data transfers to the US and other countries, is one of the main drivers of increased spend. 70% of respondents said that the decision impacts their organizations. Privacy governance professionals say that it is the most difficult task that they are currently dealing with, and only 20% say that their organizations are now fully in compliance with the new terms. Nevertheless, 74% said that they are continuing with international data transfers using whatever legal tools are available (94% say that SCCs are in use). Only 8% of organizations have opted to move all relevant data processing to the EU, and only 3% have opted to stop offering services there.

The SCCs that allow continuance of EU-US data transfers are now subject to more rigorous scrutiny, forcing privacy governance strategies to adopt new data control mechanisms to stay within GDPR compliance. 52% have implemented firewalls that are based on origin and destination IP address, 45% have a hybrid cloud strategy, 44% have implemented geo-restricted and 27% are using data flow blocking.

While Schrems II is the most immediately disruptive issue, vaccine mandates are looming. 48% of organizations have all but ruled out the collection of employee vaccine records at this point, but 27% said it has already happened or is expected in the near future (24% say they are not sure). A slight majority could wind up having to implement a vaccine policy when all is said and done, in spite of the fact that 81% of privacy governance professionals say they are still working from home and expect to be into 2022. The Biden administration is working on a vaccine mandate to be implemented through OSHA for any employer with more than 100 employees, but the actual directive may not be in force until 2022 and court challenges are expected.

While fewer than a quarter of employers are presently collecting vaccine records, 44% continue to ask for Covid-19 health status information in some form and 30% are doing in-office temperature checks. These numbers are down from the first year of the pandemic.

Compliance with developing local laws lags somewhat

The past year saw some evolution of privacy laws around the world, such as the emergence of Brazil’s data protection law and the passage of changes to California’s state-level protections. Though organizations face an increasing amount of local laws that need to be juggled, 48% say they still have a single global privacy strategy.

There is some expected variance in compliance status among this set of laws, with the newer ones seeing lower rates. 51% of privacy governance pros now feel that their organization is at least “very” compliant with the GDPR, but only 41% felt the same about California’s CCPA and only 21% were as prepared for Brazil’s LGPD. The California terms also reflect the current laws as they are; when the new set of laws goes into effect in 2023 (the CPRA), only 8% say that they are fully prepared for the change.

Cross-border data transfers were considered the toughest current challenge by privacy governance pros by nearly a 2x margin over the next possibility, but other challenges were reported by 1/3 to 1/4 of these organizations: conducting DPIAs or PIAs, training employees, understanding regulatory oversight and managing DSRs.