[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)]
[Notices]
[Pages 6492-6493]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-01156]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration


Proposed Information Collection; Comment Request; Information 
Collection for Self-Certification to the Swiss-U.S. Privacy Shield 
Framework

AGENCY: International Trade Administration (ITA).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce, as part of its continuing effort 
to reduce paperwork and respondent burden, invites the general public 
and other Federal agencies to take this opportunity to comment on 
proposed and/or continuing information collections, as required by the 
Paperwork Reduction Act of 1995.

DATES: Written comments must be submitted on or before March 20, 2017.

ADDRESSES: Direct all written comments to Jennifer Jessup, Departmental 
Paperwork Clearance Officer, Department of Commerce, Room 6616, 14th 
and Constitution Avenue NW., Washington, DC 20230 (or via the Internet 
at [email protected].

FOR FURTHER INFORMATION CONTACT: Requests for additional information or 
copies of the information collection instrument and instructions should 
be directed to David Ritchie, Department of Commerce, International 
Trade Administration, Room 20001, 1401 Constitution Avenue NW., 
Washington, DC, (or via the Internet at [email protected], and 
tel. 202-482-1512).

SUPPLEMENTARY INFORMATION:

I. Abstract

    The United States and Switzerland share the goal of enhancing 
privacy protection for their citizens, but take different approaches to 
protecting personal data. Given those differences, the Department of 
Commerce (DOC) developed the Swiss-U.S. Privacy Shield Framework 
(Privacy Shield) in consultation with the Swiss Administration, as well 
as with industry and other stakeholders, to provide organizations in 
the United States with a reliable mechanism for personal data transfers 
to the United States from Switzerland while ensuring the protection of 
the data as required by Swiss law.
    On January 12, 2017, the Swiss Administration deemed the Privacy 
Shield Framework adequate to enable data transfers under Swiss law. To 
provide organizations the time needed to review the Privacy Shield 
Principles and the commitment that they entail, the DOC will begin 
accepting self-certification submissions from organizations on April 
12, 2017. More information on the Privacy Shield is available at: 
https://www.privacyshield.gov/welcome.
    The DOC has issued the Privacy Shield Principles under its 
statutory authority to foster, promote, and develop international 
commerce (15 U.S.C. 1512). The International Administration (ITA) 
administers and supervises the Privacy Shield, including by maintaining 
and making publicly available an authoritative list of U.S. 
organizations that have self-certified to the DOC. U.S. organizations 
submit information to ITA to self-certify their compliance with Privacy 
Shield.
    U.S. organizations considering self-certifying to the Privacy 
Shield should review the Privacy Shield Framework. In summary, in order 
to enter the Privacy Shield, an organization must (a) be subject to the 
investigatory and enforcement powers of the Federal Trade Commission 
(FTC), the Department of Transportation, or another statutory body that 
will effectively ensure compliance with the Principles; (b) publicly 
declare its commitment to comply with the Principles; (c) publicly 
disclose its privacy policies in line with the Principles; and (d) 
fully implement them.
    Self-certification to the DOC is voluntary; however, an 
organization's failure to comply with the Principles after its self-
certification is enforceable under Section 5 of the Federal Trade 
Commission Act prohibiting unfair and

[[Page 6493]]

deceptive acts in or affecting commerce (15 U.S.C. 45(a)) or other laws 
or regulations prohibiting such acts.
    In order to rely on the Privacy Shield for transfers of personal 
data from Switzerland, an organization must self-certify its adherence 
to the Principles to the DOC, be placed by ITA on the Privacy Shield 
List, and remain on the Privacy Shield List. To self-certify for the 
Privacy Shield, an organization must provide to the DOC a self-
certification submission that contains the information specified in the 
Privacy Shield Principles. The Privacy Shield self-certification form 
would be the means by which an organization would provide the relevant 
information to ITA.
    ITA has committed to follow up with organizations that have been 
removed from the Privacy Shield List. ITA will send questionnaires to 
organizations that fail to complete the annual certification or who 
have withdrawn from the Privacy Shield to verify whether they will 
return, delete, or continue to apply the Principles to the personal 
information that they received while they participated in the Privacy 
Shield, and if personal information will be retained, verify who within 
the organization will serve as an ongoing point of contact for Privacy 
Shield-related questions.
    In addition, ITA has committed to conduct compliance reviews on an 
ongoing basis, including through sending detailed questionnaires to 
participating organizations. In particular, such compliance reviews 
shall take place when: (a) The DOC has received specific non-frivolous 
complaints about an organization's compliance with the Principles, (b) 
an organization does not respond satisfactorily to inquiries by the DOC 
for information relating to the Privacy Shield, or (c) there is 
credible evidence that an organization does not comply with its 
commitments under the Privacy Shield.
    The proposed information collection for the Swiss-U.S. Privacy 
Shield Framework is substantially similar to the previously approved 
information collection for the EU-U.S. Privacy Shield Framework (OMB 
Control Number: 0625-0276).

II. Method of Collection

    The Privacy Shield self-certification is submitted electronically 
by organizations through the DOC's Privacy Shield Web site (https://www.privacyshield.gov/). It is anticipated that the Privacy Shield 
questionnaires and the corresponding responses provided by 
organizations would be conveyed electronically via email or through the 
DOC's Privacy Shield Web site.

III. Data

    OMB Control Number: None.
    Form Number(s): None.
    Type of Review: Regular submission.
    Affected Public: primarily businesses or other for-profit 
organizations.
    Estimated Number of Respondents: 2,700.
    Estimated Time per Response: 38 minutes.
    Estimated Total Annual Burden Hours: 2,215.
    Estimated Total Annual Cost to Public: $2,118,150.

IV. Request for Comments

    Comments are invited on: (a) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the agency, including whether the information shall have practical 
utility; (b) the accuracy of the agency's estimate of the burden 
(including hours and cost) of the proposed collection of information; 
(c) ways to enhance the quality, utility, and clarity of the 
information to be collected; and (d) ways to minimize the burden of the 
collection of information on respondents, including through the use of 
automated collection techniques or other forms of information 
technology.
    Comments submitted in response to this notice will be summarized 
and/or included in the request for OMB approval of this information 
collection; they also will become a matter of public record.

Sheleen Dumas,
PRA Departmental Lead, Office of the Chief Information Officer.
[FR Doc. 2017-01156 Filed 1-18-17; 8:45 am]
 BILLING CODE 3510-DS-P