82 FR 7796 - Submission for OMB Review; Comment Request Information Collection for Self-Certification to the EU-U.S. Privacy Shield Framework

DEPARTMENT OF COMMERCE

Federal Register Volume 82, Issue 13 (January 23, 2017)

[Federal Register Volume 82, Number 13 (Monday, January 23, 2017)]
[Notices]
[Pages 7796-7797]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-01334]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE


Submission for OMB Review; Comment Request Information Collection 
for Self-Certification to the EU-U.S. Privacy Shield Framework

    The Department of Commerce will submit to the Office of Management 
and Budget (OMB) for clearance the following proposal for collection of 
information under the provisions of the Paperwork Reduction Act (44 
U.S.C. Chapter 35).
    Agency: International Trade Administration (ITA).
    Title: Information Collection for Self-Certification to the EU-U.S. 
Privacy Shield Framework.
    OMB Control Number: 0625-0276.
    Form Number(s): None.
    Type of Request: Regular submission.
    Number of Respondents: 3,600.
    Average Hours per Response: 38 minutes.
    Burden Hours: 2,954.
    Needs and Uses: The United States and the European Union (EU) share 
the goal of enhancing privacy protection for their citizens, but take 
different approaches to protecting personal data. Given those 
differences, the Department of Commerce (DOC) developed the EU-U.S. 
Privacy Shield Framework (Privacy Shield) in consultation with the 
European Commission, as well as with industry and other stakeholders, 
to provide organizations in the United States with a reliable mechanism 
for personal data transfers to the United States from the European 
Union while ensuring the protection of the data as required by EU law.
    On July 12, 2016, the European Commission deemed the Privacy Shield 
Framework adequate to enable data transfers under EU law, and the DOC 
began accepting self-certification submissions from organizations on 
August 1, 2016. More information on the Privacy Shield is available at: 
https://www.privacyshield.gov/welcome.
    The DOC has issued the Privacy Shield Principles under its 
statutory authority to foster, promote, and develop international 
commerce (15 U.S.C. 1512). The International Trade Administration (ITA) 
administers and supervises the Privacy Shield, including by maintaining 
and making publicly available an authoritative list of U.S. 
organizations that have self-certified to the DOC. U.S. organizations 
submit information to ITA to self-certify their compliance with Privacy 
Shield.
    U.S. organizations considering self-certifying to the Privacy 
Shield should review the Privacy Shield Framework.

[[Page 7797]]

In summary, in order to enter the Privacy Shield, an organization must 
(a) be subject to the investigatory and enforcement powers of the 
Federal Trade Commission (FTC), the Department of Transportation, or 
another statutory body that will effectively ensure compliance with the 
Principles; (b) publicly declare its commitment to comply with the 
Principles; (c) publicly disclose its privacy policies in line with the 
Principles; and (d) fully implement them.
    Self-certification to the DOC is voluntary; however, an 
organization's failure to comply with the Principles after its self-
certification is enforceable under Section 5 of the Federal Trade 
Commission Act prohibiting unfair and deceptive acts in or affecting 
commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting 
such acts.
    In order to rely on the Privacy Shield for transfers of personal 
data from the EU, an organization must self-certify its adherence to 
the Principles to the DOC, be placed by ITA on the Privacy Shield List, 
and remain on the Privacy Shield List. To self-certify for the Privacy 
Shield, an organization must provide to the DOC a self-certification 
submission that contains the information specified in the Privacy 
Shield Principles. The Privacy Shield self-certification form would be 
the means by which an organization would provide the relevant 
information to ITA.
    ITA has committed to follow up with organizations that have been 
removed from the Privacy Shield List. ITA will send questionnaires to 
organizations that fail to complete the annual certification or who 
have withdrawn from the Privacy Shield to verify whether they will 
return, delete, or continue to apply the Principles to the personal 
information that they received while they participated in the Privacy 
Shield, and if personal information will be retained, verify who within 
the organization will serve as an ongoing point of contact for Privacy 
Shield-related questions.
    In addition, ITA has committed to conduct compliance reviews on an 
ongoing basis, including through sending detailed questionnaires to 
participating organizations. In particular, such compliance reviews 
shall take place when: (a) The DOC has received specific non-frivolous 
complaints about an organization's compliance with the Principles, (b) 
an organization does not respond satisfactorily to inquiries by the DOC 
for information relating to the Privacy Shield, or (c) there is 
credible evidence that an organization does not comply with its 
commitments under the Privacy Shield.
    Affected Public: Primarily businesses or other for-profit 
organizations.
    Frequency: Annual and periodic.
    Respondent's Obligation: Voluntary.
    This information collection request may be viewed at 
www.reginfo.gov. Follow the instructions to view the Department of 
Commerce collections currently under review by OMB.
    Written comments and recommendations for the proposed information 
collection should be sent within 30 days of publication of this notice 
to OIRA [email protected] or fax to (202) 975-5806.

Sheleen Dumas,
PRA Departmental Lead, Office of the Chief Information Officer.
[FR Doc. 2017-01334 Filed 1-19-17; 8:45 am]
 BILLING CODE 3510-DS-P