Last month, the European Commission and U.S. Department of Commerce held their second annual joint review of the EU-U.S. Privacy Shield Framework in Brussels, Belgium. Harry Valetk, a member of Baker McKenzie’s Privacy and Cyber Security Practice Group, was invited to Brussels to share his expertise on the data-transfer agreement. He recently spoke with Privacy Perspectives in this Q&A.
Privacy Perspectives: How did this invitation to take part in the second annual review come about?
Harry Valetk: I received an invitation to participate in the second annual review of the EU-U.S. Privacy Shield in Brussels directly from the U.S. Department of Commerce. As part of my privacy practice at Baker McKenzie, I routinely help companies deploy cross-border data transfer mechanisms, including Privacy Shield. Besides this, I have been a supporter of Shield since its inception and a vocal advocate of its effectiveness on numerous industry roundtables.
Perspectives: What was your first reaction to being invited to the review?
Valetk: My initial reaction to this special once-in-a-lifetime invitation was a deep sense of honor and gratitude for the opportunity to participate in the process. I instantly saw it as a way to help clear up any misconceptions about the role Privacy Shield plays in the marketplace. I hold strong views on Privacy Shield’s effectiveness in enforcing European data protection law outside of the European Union, and this experience has served to reinforce those views.
Perspectives: Could you describe what it was like providing information to the European Commission?
Valetk: To be honest, the atmosphere was more formal than I expected. We were seated in a large room and performing under difficult time constraints. We entered with a limited sense of what to expect, and the group of regulators in attendance asked us difficult questions. For example, several wanted to know what measures companies took to comply with the requirements set out in standard contractual clauses and details about the factors companies took into account when deciding on which adequacy mechanism to use. Thanks to a committed team serving at the U.S. Commerce Department, however, we navigated through those questions and ultimately had our say in this important process.
Perspectives: What information did you provide to the Commission, and what's your opinion of the annual review process now that you have a first-hand experience?
Valetk: I delivered a commercially practical message. The truth is: Privacy Shield is rigorous. Companies spend significant resources implementing extensive administrative, physical, and technical measures to comply with the Privacy Shield’s principles, including implementing new policies and procedures to meet the relevant requirements.
I conveyed that more than 70 percent of Shield registrants are small- to medium-sized enterprises with limited resources. For business-to-consumer companies, Privacy Shield is often the only viable cross-border data transfer mechanism, since binding corporate rules and standard contractual clauses are less viable for those business models.
Finally, I shared that we have had many conversations with existing and prospective clients about Shield certification. For most clients that choose not to proceed with Privacy Shield, the primary concern is the Federal Trade Commission’s enforcement history. For others, the future and long-term political stability of the Privacy Shield arrangement remains a concern. Many U.S. companies actively monitor news reports that claim Privacy Shield will soon be repealed, including the recent votes by Members of the European Parliament to suspend it. These reports – even if inaccurate, exaggerated, or untrue – have served to dissuade many organizations from making the necessary investments to address Shield compliance requirements until a more stable cross-border data transfer solution is made available to the marketplace.
Our sense is that many more organizations would certify under Privacy Shield if its legal and political future was less uncertain.
Perspectives: What were your biggest concerns going into the review?
Valetk: I traveled a long way and invested much of my own time in this important cause. I wanted my contributions to be helpful to the Commerce Department’s aim of maintaining compliant transatlantic data flows. For this reason, my biggest fear was that I wouldn’t get the chance to adequately describe the importance of Privacy Shield in transatlantic commerce.
Perspectives: Now that you've taken part in this process, what are you most proud of?
Valetk: I am most proud that I said what I set out to say. I didn’t read my remarks, and I meant every word. I closed by thanking the Commerce Department for the fine job it has done of publishing Frequently Asked Questions, speaking at conferences, and answering questions from participants about the Privacy Shield certification process.
Perspectives: What could other privacy pros learn from your experience?
Valetk: A key takeaway here is that your voice as privacy practitioners matters. I would encourage every privacy pro to share more about the investments their companies make on Privacy Shield, as well as overall data protection compliance initiatives. Think about a world without Privacy Shield and consider what that would mean to your business model.
Even if you conclude that Privacy Shield wouldn’t impact you directly, think about the impact it would have on your customers, suppliers, or other commercial partners. Actively participate on industry roundtables, and, if you ever get the chance, thank your local Commerce Department representative.
Top image courtesy of the European Commission