[Federal Register Volume 69, Number 88 (Thursday, May 6, 2004)]
[Notices]
[Pages 25369-25370]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-10347]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE


Submission for OMB Review; Comment Request

    DOC has submitted to the Office of Management and Budget (OMB) for 
clearance the following proposal for collection of information under 
the provisions of the Paperwork Reduction Act of 1995, Public Law 104-
13.
    Bureau: International Trade Administration.
    Title: Information for Self-Certification Under FAQ 6 of the United 
States European Union Safe Harbor Privacy Framework.
    Agency Form Number: N/A.
    OMB Number: 0625-0239.
    Type of Request: Regular Submission.

[[Page 25370]]

    Burden: 350 hours.
    Number of Respondents: 500.
    Avg. Hours Per Response: 20-40 minutes.
    Needs and Uses: In response to the European Union Directive on Data 
Protection that restricts transfers of personal information from Europe 
to countries whose privacy practices are not deemed ``adequate,'' the 
U.S. Department of Commerce has developed a ``Safe Harbor'' framework 
that will allow U.S. organizations to satisfy the European Directive's 
requirements and ensure that personal data flows to the United States 
are not interrupted. In this process, the Department of Commerce 
repeatedly consulted with U.S. organizations affected by the European 
Directive and interested non-government organizations. On July 27, 
2000, the European Commission issued its decision in accordance with 
Article 25.6 of the Directive that the Safe Harbor Privacy Principles 
provide adequate privacy protection. The Safe Harbor framework bridges 
the differences between the European Union (EU) and U.S. approaches to 
privacy protection. The complete set of Safe Harbor documents and 
additional guidance materials may be found at http://export.gov/safeharbor.
    Once the Safe Harbor was deemed ``adequate'' by the European 
Commission on July 27, 2000, the Department of Commerce began working 
on the requirements that are necessary to put this accord into effect. 
The European Member States implemented the decision made by the 
Commission within 90 days. Therefore, the Safe Harbor became 
operational on November 1, 2000. The Department of Commerce created a 
list for U.S. organizations to sign up to the Safe Harbor and provided 
guidance on the mechanics of signing up to this list. As of April 22, 
2004, 487 U.S. organizations have been placed on the Safe Harbor List, 
located at http://export.gov/safeharbor.
    Organizations that have signed up to this list are deemed 
``adequate'' under the Directive and do not have to provide further 
documentation to European officials. This list will be used by EU 
organizations to determine whether further information and contracts 
will be needed for a U.S. organization to receive personally 
identifiable information. This list is necessary to make the Safe 
Harbor accord operational, and was a key demand of the Europeans in 
agreeing that the Principles were providing ``adequate'' privacy 
protection.
    The Safe Harbor provides a number of important benefits to U.S. 
firms. Most importantly, it provides predictability and continuity for 
U.S. organizations that receive personal information from the European 
Union. Personally identifiable information is defined as any that can 
be identified to a specific person, for example an employee's name and 
extension would be considered personally identifiable information. All 
15 member countries are bound by the European Commission's finding of 
``adequacy''. The Safe Harbor also eliminates the need for prior 
approval to begin data transfers, or makes approval from the 
appropriate EU member countries automatic. The Safe Harbor principles 
offer a simpler and cheaper means of complying with the adequacy 
requirements of the Directive, which should particularly benefit small 
and medium enterprises.
    The decision to enter the Safe Harbor is entirely voluntary. 
Organizations that decide to participate in the Safe Harbor must comply 
with the Safe Harbor's requirements and publicly declare that they do 
so. To be assured of Safe Harbor benefits, an organization needs to 
reaffirm its self-certification annually to the Department of Commerce 
that it agrees to adhere to the safe harbor's requirements, which 
includes elements such as notice, choice, access, data integrity, 
security and enforcement.
    This list will be most regularly used by European Union 
organizations to determine whether further information and contracts 
will be needed by a U.S. organization to receive personally 
identifiable information. It will be used by the European Data 
Protection Authorities to determine whether a company is providing 
``adequate'' protection, and whether a company has requested to 
cooperate with the Data Protection Authority. This list will be 
accessed when there is a complaint logged in the EU against a U.S. 
organization. This will be on a monthly basis. It will be used by the 
Federal Trade Commission and the Department of Transportation to 
determine whether a company is part of the Safe Harbor. This will be 
accessed if a company is practicing ``unfair and deceptive'' practices 
and has misrepresented itself to the public. It will be used by the 
Department of Commerce and the European Commission to determine if 
organizations are signing up to the list. This list is updated on a 
regular basis.
    Affected Public: Businesses or other for-profit.
    Frequency: Annually.
    Respondent's Obligations: Voluntary.
    OMB Desk Officer: David Rostker, (202) 395-7340.
    Copies of the above information collection proposal can be obtained 
by writing Diana Hynek, Departmental Paperwork, Clearance Officer, 
Department of Commerce, Room 6625, 14th & Constitution Avenue, NW., 
Washington, DC 20230 (or via the Internet at [email protected]).
    Written comments and recommendations for the proposed information 
collection should be sent to David Rostker, OMB Desk Officer, Room 
10202, New Executive Office Building, Washington, DC 20503 within 30 
days of the publication of this notice in the Federal Register.

    Dated: May 3, 2004.
Madeleine Clayton,
Management Analyst, Office of the Chief Information Officer.
[FR Doc. 04-10347 Filed 5-5-04; 8:45 am]
BILLING CODE 3510-DR-P