[Federal Register Volume 81, Number 190 (Friday, September 30, 2016)]
[Notices]
[Pages 67293-67295]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-23666]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration

[Docket No. 160713610-6783-02]
RIN 0625-XC020


Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield 
Framework

AGENCY: International Trade Administration, U.S. Department of 
Commerce.

ACTION: Final notice of implementation of a cost recovery program fee.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce published the Cost Recovery Fee 
Schedule for the EU-U.S. Privacy Shield Framework on July 22, 2016 (81 
FR 47752). We gave interested parties an opportunity to comment on the 
fee schedule. No comments were received and so the fee schedule is 
considered final until further review one year after implementation of 
the program. Consistent with the guidelines in OMB Circular A-25,\1\ 
the U.S. Department of Commerce's International Trade Administration 
(ITA) has implemented a cost recovery program fee to support the 
operation of the EU-U.S. Privacy Shield Framework (Privacy Shield), 
which requires that U.S. organizations pay an annual fee to ITA in 
order to participate in the Privacy Shield. The cost recovery program 
supports the administration and supervision of the Privacy Shield 
program and supports the provision of Privacy Shield-related services, 
including education and outreach. The Privacy Shield fee schedule was 
effective on August 1, 2016, when ITA began accepting self-
certifications under the Privacy Shield Framework.
---------------------------------------------------------------------------

    \1\ https://www.whitehouse.gov/omb/circulars_a025.

---------------------------------------------------------------------------
DATES: This fee schedule was effective August 1, 2016.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
regarding the EU-U.S. Privacy Shield Framework should be directed to 
Grace Harter, Department of Commerce, International Trade 
Administration, Room 20001, 1401 Constitution Avenue NW, Washington, 
DC, tel. 202-482-4936 or 202-482-1512 or via email at 
[email protected]. Additional information on ITA fees is 
available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background

    Consistent with the guidelines in OMB Circular A-25, federal 
agencies are responsible for implementing cost recovery program fees.
    The role of ITA is to strengthen the competitiveness of U.S. 
industry, promote trade and investment, and ensure fair trade through 
the rigorous enforcement of our trade laws and agreements. ITA works to 
promote privacy policy frameworks to facilitate the flow of data across 
borders to support international trade.
    The United States and the European Union (EU) share the goal of 
enhancing privacy protection but take different approaches to 
protecting personal data. Given those differences, the Department of 
Commerce (DOC) developed the Privacy Shield in consultation with the 
European Commission, as well as with industry and other stakeholders, 
to provide organizations in the United States with a reliable mechanism 
for personal data transfers to the United States from the European 
Union while ensuring the protection of the data as required by EU law.
    In July 2016, the European Commission approved the EU-U.S. Privacy 
Shield Framework. The published Privacy Shield Principles are available 
at: [insert link]. The DOC has issued the Privacy Shield Principles 
under its statutory authority to foster, promote, and develop 
international commerce (15 U.S.C. 1512). ITA will

[[Page 67294]]

administer and supervise the Privacy Shield, including by maintaining 
and making publicly available an authoritative list of U.S. 
organizations that have self-certified to the DOC. U.S. organizations 
submit information to ITA to self-certify their compliance with Privacy 
Shield. ITA will accept self-certification submissions beginning on 
August 1, 2016. At a future date, ITA will publish for public notice 
and comment information collections as described in the Privacy Shield 
Framework consistent with the Paperwork Reduction Act.
    U.S. organizations considering self-certifying to the Privacy 
Shield should review the Privacy Shield Framework. In summary, in order 
to enter the Privacy Shield, an organization must (a) be subject to the 
investigatory and enforcement powers of the Federal Trade Commission 
(FTC) or the Department of Transportation; (b) publicly declare its 
commitment to comply with the Principles through self-certification to 
the DOC; (c) publicly disclose its privacy policies in line with the 
Principles; and (d) fully implement them.
    Self-certification to the DOC is voluntary; however, an 
organization's failure to comply with the Principles after its self-
certification is enforceable under Section 5 of the Federal Trade 
Commission Act prohibiting unfair and deceptive acts in or affecting 
commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting 
such acts.
    ITA has implemented a cost recovery program to support the 
operation of the Privacy Shield, which requires U.S. organizations to 
pay an annual fee to ITA in order to participate in the program. The 
cost recovery program supports the administration and supervision of 
the Privacy Shield program and supports the provision of Privacy 
Shield-related services, including education and outreach. The fee a 
given organization is charged is based on the organization's annual 
revenue:

Fee Schedule

         EU-U.S. Privacy Shield Framework Cost Recovery Program
------------------------------------------------------------------------
               Organization's annual revenue                  Annual fee
------------------------------------------------------------------------
$0 to $5 million...........................................         $250
Over $5 million to $25 million.............................          650
Over $25 million to $500 million...........................        1,000
Over $500 million to $5 billion............................        2,500
Over $5 billion............................................        3,250
------------------------------------------------------------------------

    Organizations will have additional direct costs associated with 
participating in the Privacy Shield. For example, Privacy Shield 
organizations must provide a readily available independent recourse 
mechanism to hear individual complaints at no cost to the individual. 
Furthermore, organizations are required to pay contributions in 
connection with the arbitral model, as described in Annex I to the 
Principles.

Method for Determining Fees

    ITA collects, retains, and expends user fees pursuant to delegated 
authority under the Mutual Educational and Cultural Exchange Act as 
authorized in its annual appropriations acts.
    The EU-U.S. Privacy Shield Framework was developed to provide 
organizations in the United States with a reliable mechanism for 
personal data transfers that underpin the trade and investment 
relationship between the United States and the EU.
    Fees are set taking into account the operational costs borne by ITA 
to administer and supervise the Privacy Shield program. The Privacy 
Shield program requires a significant commitment of resources and 
staff. The Privacy Shield Framework includes commitments from ITA to:

 Maintain a Privacy Shield Web site;
 verify self-certification requirements submitted by 
organizations to participate in the program;
 expand efforts to follow up with organizations that have been 
removed from the Privacy Shield List;
 search for and address false claims of participation;
 conduct periodic compliance reviews and assessments of the 
program;
 provide information regarding the program to targeted 
audiences;
 increase cooperation with EU data protection authorities;
 facilitate resolution of complaints about non-compliance;
 hold annual meetings with the European Commission and other 
authorities to review the program, and
 provide an update of laws relevant to Privacy Shield.

    In setting the Privacy Shield fee schedule, ITA determined that the 
services provided offer special benefits to an identifiable recipient 
beyond those that accrue to the general public. ITA calculated the 
actual cost of providing its services in order to provide a basis for 
setting each fee. Actual cost incorporates direct and indirect costs, 
including operations and maintenance, overhead, and charges for the use 
of capital facilities. ITA also took into account additional factors, 
including adequacy of cost recovery, affordability, and costs 
associated with alternative options available to U.S. organizations for 
the receipt of personal data from the EU.
    ITA established a 5-tiered fee schedule that promotes the 
participation of small organizations in Privacy Shield. A multiple-
tiered fee schedule allows ITA to offer the organizations with lower 
revenue a lower fee. In setting the 5 tiers, ITA considered, in 
conjunction with the factors mentioned above: (1) The Small Business 
Administration's guidance on identifying SMEs in various industries 
most likely to participate in the Privacy Shield, such as computer 
services, software and information services; (2) the likelihood that 
small companies would be expected to receive less personal data and 
thereby use fewer government resources; and (3) the likelihood that 
companies with higher revenue would have more customers whose data they 
process, which would use more government resources dedicated to 
administering and overseeing Privacy Shield. For example, if a company 
holds more data it could reasonably produce more questions and 
complaints from consumers and the European Union's Data Protection 
Authorities (DPAs). ITA has committed to facilitating the resolution of 
individual complaints and to communicating with the FTC and the DPAs 
regarding consumer complaints. Lastly, the fee increases between the 
tiers are based in part on projected program costs and estimated 
participation levels among companies within each tier.

Conclusion

    Based on the information provided above, ITA believes that its 
Privacy Shield cost recovery fee schedule is consistent with the 
objective of OMB Circular A-25 to ``promote efficient allocation of the 
nation's resources by establishing charges for special benefits 
provided to the recipient that are at least as great as the cost to the 
U.S. Government of providing the special benefits . . .'' OMB Circular 
A-25(5)(b). ITA did not receive any public comments on the interim 
final rule it published on July 22, 2016 (PUT IN FR CITE) and is not 
revising the fee schedule at this time. ITA will reassess the fee 
schedule after the first year of implementation and, in accordance with 
OMB Circular A-25, at least every two years thereafter.


[[Page 67295]]


    Dated: September 20, 2016.
Edward M. Dean,
Deputy Assistant Secretary for Services, International Trade 
Administration, U.S. Department of Commerce.
[FR Doc. 2016-23666 Filed 9-29-16; 8:45 am]
 BILLING CODE 3510-DR-P