[Federal Register Volume 69, Number 37 (Wednesday, February 25, 2004)]
[Notices]
[Pages 8621-8622]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-4072]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration


Information for Self-Certification Under FAQ 6 of the United 
States--European Union Safe Harbor Privacy Framework

AGENCY: International Trade Administration, Commerce.

ACTION: Proposed collection; comment request.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce, as part of its continuing effort 
to reduce paperwork and respondent burdens, invites the general public 
and other Federal agencies to take this opportunity to comment on the 
continuing information collections, as required by the Paperwork 
Reduction Act of 1995, Pub. L. 104-13 (44 U.S.C. 35068(2)(A).

DATES: Written comments must be submitted on or before April 26, 2004.

ADDRESSES: Direct all written comments to Diana Hynek, Departmental 
Paperwork, Clearance Officer, Department of Commerce, Room 6625, 14th & 
Constitution Avenue, NW., Washington, DC 20230 (or via the Internet at 
[email protected]).

FOR FURTHER INFORMATION CONTACT: Requests for additional information or 
copies of the information collection instrument and instructions should 
be directed to: Jeff Rohlmeier, U.S. Department of Commerce, 
International Trade Administration, Room 2003, 14th & Constitution 
Avenues, NW., Washington, DC 20230; Phone number: (202) 482-1614 and 
fax number: (202) 482-5522.

SUPPLEMENTARY INFORMATION:

I. Abstract

    In response to the European Union Directive on Data Protection that 
restricts transfers of personal information from Europe to countries 
whose privacy practices are not deemed ``adequate,'' the U.S. 
Department of Commerce has developed a ``Safe Harbor'' framework that 
will allow U.S. organizations to satisfy the European Directives 
requirements and ensure that personal data flows to the United States 
are not interrupted. In this process, the Department of Commerce 
repeatedly consulted with U.S. organizations affected by the European 
Directive and interested non-government organizations. On July 27, 
2000, the European Commission issued its decision in accordance with 
Article 25.6 of the Directive that the Safe Harbor Privacy Principles 
provide adequate privacy protection. The Safe Harbor framework bridges 
the differences between the European Union (EU) and U.S. approaches to 
privacy protection. The complete set of Safe Harbor documents and 
additional guidance materials may be found at http://export.gov/safeharbor.
    Once the Safe Harbor was deemed ``adequate'' by the European 
Commission on July 27, 2000, the Department of Commerce began working 
on the requirements that are necessary to put this accord into effect. 
The European Member States implemented the decision made by the 
Commission within 90 days. Therefore, the Safe Harbor became 
operational on November 1, 2000. The Department of Commerce created a 
list for U.S. organizations to sign up to the Safe

[[Page 8622]]

Harbor and provided guidance on the mechanics of signing up to this 
list. As of January 28, 2004, 448 U.S. organizations have been placed 
on the Safe Harbor List, located at http://export.gov/safeharbor. 
Organizations that have signed up to this list are deemed ``adequate'' 
under the Directive and do not have to provide further documentation to 
European officials. This list will be used by EU organizations to 
determine whether further information and contracts will be needed for 
a U.S. organization to receive personally identifiable information. 
This list is necessary to make the Safe Harbor accord operational, and 
was a key demand of the Europeans in agreeing that the Principles were 
providing ``adequate'' privacy protection. The Safe Harbor provides a 
number of important benefits to U.S. firms. Most importantly, it 
provides predictability and continuity for U.S. organizations that 
receive personal information from the European Union. Personally 
identifiable information is defined as any that can be identified to a 
specific person, for example an employees name and extension would be 
considered personally identifiable information. All 15 member countries 
are bound by the European Commissions finding of ``adequacy''. The Safe 
Harbor also eliminates the need for prior approval to begin data 
transfers, or makes approval from the appropriate EU member countries 
automatic. The Safe Harbor principles offer a simpler and cheaper means 
of complying with the adequacy requirements of the Directive, which 
should particularly benefit small and medium enterprises.
    The decision to enter the Safe Harbor is entirely voluntary. 
Organizations that decide to participate in the Safe Harbor must comply 
with the safe harbors requirements and publicly declare that they do 
so. To be assured of Safe Harbor benefits, an organization needs to 
reaffirm its self-certification annually to the Department of Commerce 
that it agrees to adhere to the safe harbor's requirements, which 
includes elements such as notice, choice, access, data integrity, 
security and enforcement. This list will be most regularly used by 
European Union organizations to determine whether further information 
and contracts will be needed by a U.S. organization to receive 
personally identifiable information. It will be used by the European 
Data Protection Authorities to determine whether a company is providing 
``adequate'' protection, and whether a company has requested to 
cooperate with the Data Protection Authority. This list will be 
accessed when there is a complaint logged in the EU against a U.S. 
organization. This will be on a monthly basis. It will be used by the 
Federal Trade Commission and the Department of Transportation to 
determine whether a company is part of the Safe Harbor. This will be 
accessed if a company is practicing ``unfair and deceptive'' practices 
and has misrepresented itself to the public. It will be used by the 
Department of Commerce and the European Commission to determine if 
organizations are signing up to the list. This list is updated on a 
regular basis.

II. Method of Collection

    The self-certification form is provided via the Internet at http://export.gov/safeharbor and by mail to requesting U.S. firms.

III. Data

    OMB Number: 0625-0239.
    Form Number: N/A.
    Expiration Date: 5/31/04.
    Type of Review: Regular submission.
    Affected Public: Business or other for-profit organizations.
    Estimated Number of Respondents: 500.
    Estimated Time Per Response: 20 minutes--website; 40 minutes--
letter.
    Estimated Total Annual Burden Hours: 400 hours.
    Estimated Total Annual Costs to Public: $20, 000.

IV. Request for Comments

    Comments are invited on: (a) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the agency, including whether the information shall have practical 
utility; (b) the accuracy of the agency's estimate of the burden 
(including hours and costs) of the proposed collection of information; 
(c) ways to enhance the quality, utility, and clarity of the 
information to be collected; and (d) ways to minimize the burden of the 
collection of information on respondents, including through the use of 
automated collection techniques or forms of information technology. 
Comments submitted in response to this notice will be summarized and/or 
included in the request for OMB approval of this information 
collection; they also will become a matter of public record.

    Dated: February 19, 2004.
Madeleine Clayton,
Management Analyst, Office of the Chief Information Officer.
[FR Doc. 04-4072 Filed 2-24-04; 8:45 am]
BILLING CODE 3510-DR-P