[Federal Register Volume 82, Number 63 (Tuesday, April 4, 2017)]
[Notices]
[Pages 16375-16378]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-06437]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
International Trade Administration
[Docket No.: 170301219-7219-01]
RIN 0625-XC029
Amendment to the Privacy Shield Cost Recovery Fees
AGENCY: International Trade Administration, U.S. Department of
Commerce.
ACTION: Notice of amendment to the Privacy Shield cost recovery program
fees, with request for comments.
-----------------------------------------------------------------------
SUMMARY: Consistent with the guidelines in OMB Circular A-25, the U.S.
Department of Commerce's International Trade Administration (ITA) is
revising the fee schedule implemented on August 1, 2016. On January 12,
2017, the Swiss Government announced the approval of the Swiss-U.S.
Privacy Shield Framework as a valid legal mechanism to comply with
Swiss requirements when transferring personal data from Switzerland to
the United States. For more detailed information on the Swiss-U.S.
Privacy Shield Framework and the announcement, please see https://www.privacyshield.gov/Program-Overview.
This notice revises the Privacy Shield fee structure to incorporate
the Swiss-U.S. Privacy Shield Framework in addition to the existing
EU-U.S. Privacy Shield Framework. This is to support the operation of both
the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield).
DATES: These fees are effective April 12, 2017. Comments must be
received by May 4, 2017.
ADDRESSES: You may submit comments by either of the following methods:
Federal eRulemaking Portal: www.Regulations.gov. The
identification number is ITA-2017-0001.
Postal Mail/Commercial Delivery to Joshua Blume,
Department of Commerce, International Trade
Administration, Room 11022, 1401 Constitution Avenue NW., Washington,
DC and reference "Privacy Shield Fee Structure, ITA-2017-0001" in the
subject line.
Instructions: You must submit comments by one of the above methods
to ensure that the comments are received and considered. Comments sent
by any other method, to any other address or individual, or received
after the end of the comment period, may not be considered. All
comments received are a part of the public record and will generally be
posted to http://www.regulations.gov without change. All Personal
Identifying Information (for example, name, address, etc.) voluntarily
submitted by the commenter may be publicly accessible. Do not submit
Confidential Business Information or otherwise sensitive or protected
information. ITA will accept anonymous comments (enter "N/A" in the
required fields if you wish to remain anonymous). Attachments to
electronic comments will be accepted in Microsoft Word, Excel, or Adobe
PDF file formats only. Supporting documents and any comments we receive
on this docket may be viewed at http://www.regulations.gov/ ITA-2017-0001.
More information regarding the Privacy Shield can be found at
https://www.privacyshield.gov/Program-Overview.
FOR FURTHER INFORMATION CONTACT: Requests for additional information
regarding the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks should
be directed to Joshua Blume, Department of Commerce, International
Trade Administration, Room 11022, 1401 Constitution Avenue NW.,
Washington, DC, tel. 202-482-0988 or 202-482-1512 or via email at
[email protected]. Additional information on ITA fees is
available at trade.gov/fees.
SUPPLEMENTARY INFORMATION:
Background:
In the revised fee structure, there will be one annual fee applied
to U.S. organizations to participate in either the Swiss-U.S. or
EU-U.S. Privacy Shield Frameworks. Should a U.S. organization opt to
self-certify for both programs, they will be provided a reduced rate for the
second Framework and be required to synchronize their recertifications
to both Frameworks to maximize efficiency. Additionally, a fee will be
applied annually to organizations that withdraw from the Privacy Shield
and continue to maintain data received while they participated in the
Privacy Shield. The cost recovery program will support the
administration and supervision of the Privacy Shield and support
Privacy Shield services including education and outreach. The revised
Privacy Shield fee structure will become effective on April 12, 2017,
when ITA will begin accepting certifications to the Swiss-U.S. Privacy
Shield.
While the revised fees will be effective April 12, 2017, ITA is
providing the public with the opportunity to comment on these revised
fees. ITA will then review all comments and reassess the Privacy Shield
fees after August 1, 2017, a full year from initial implementation of
Privacy Shield, as originally discussed in the Cost Recovery Fee
Schedule for the EU-U.S. Privacy Shield Framework, published September
30, 2016. The review will recur at least every two years thereafter, in
accordance with OMB Circular A-25.
Consistent with the guidelines in OMB Circular A-25, federal
agencies are responsible for implementing cost recovery program fees.
The role of ITA is to strengthen the competitiveness of U.S. industry,
promote trade and investment, and ensure fair trade through the
rigorous enforcement of our trade laws and agreements. ITA works to
promote privacy policy frameworks to facilitate the flow of data across
borders and support international trade.
The United States, the European Union (EU), and Switzerland share
the goal of enhancing privacy protection but take different approaches
to protecting personal data. Given those differences, the Department of
Commerce (DOC) developed the Privacy Shield Frameworks in consultation
with the European Commission, the Swiss Government, and with industry
and other stakeholders, to provide organizations in the United States
with a reliable mechanism for personal data transfers to the United
States from the European Union and Switzerland while ensuring the data
is protected in a manner consistent with EU and Swiss law.
As referenced in the Cost Recovery Fee Schedule for the EU-U.S.
Privacy Shield Framework, published September 30, 2016 (81 FR 67293),
the European Commission approved the EU-U.S. Privacy Shield Framework
on July 12, 2016. More recently, on January 12, 2017, the Swiss
government approved the Swiss-U.S. Privacy Shield Framework, which is
based on the EU-U.S. Privacy Shield. The published Privacy Shield is
available at https://www.privacyshield.gov/. The DOC has issued the
Privacy Shield Framework Principles under its statutory authority to
foster, promote, and develop international commerce (15 U.S.C. 1512).
ITA administers and supervises the EU-U.S. Privacy Shield
Framework, including by maintaining and making publicly available an
authoritative list of U.S. organizations that have self-certified to
the DOC. U.S. organizations submit information to ITA to self-certify
their compliance with Privacy Shield. ITA similarly will administer and
supervise the Swiss-U.S. Privacy Shield Framework. ITA will accept
self-certification submissions for the Swiss-U.S. Privacy Shield
beginning on April 12, 2017. Consistent with the Paperwork Reduction
Act, ITA published proposed information collections as described in the
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for public notice and
comment (81 FR 78775 and 82 FR 7796; and 82 FR 6492, respectively).
U.S. organizations considering self-certifying to the Privacy
Shield should review the Privacy Shield Frameworks. In summary, to
enter either the EU or Swiss-U.S. Privacy Shield Framework, an
organization must (a) be subject to the investigatory and enforcement
powers of the Federal Trade Commission (FTC) or the Department of
Transportation; (b) publicly declare its commitment to comply with the
Privacy Shield Framework Principles through self-certification to the
DOC; (c) publicly disclose its privacy policies in line with the
Privacy Shield Framework Principles; and (d) fully implement them.
Self-certification to the DOC is voluntary. However, an
organization's failure to comply with the Privacy Shield Framework
Principles after its self-certification is enforceable under Section 5
of the Federal Trade Commission Act prohibiting unfair and deceptive
acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or
regulations prohibiting such acts.
ITA implemented a cost recovery program to support the operation of
the EU-U.S. Privacy Shield and is revising that fee schedule to
additionally support the operation of the Swiss-U.S. Privacy Shield.
The fee a given organization will be charged will be based on the
organization's annual revenue. A separate fee will be applied annually
to organizations that withdraw from the Privacy Shield and continue to
maintain data received while they participated in the Privacy Shield.
The cost recovery program will support the administration and
supervision of the Privacy Shield program and support the provision of
Privacy Shield-related services, including education and outreach.
The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield
Framework,
published September 30, 2016 (81 FR 67293), describes the fees
implemented by ITA to cover the administration and supervision of the
EU-U.S. Privacy Shield Framework. Under this revision to the fee
structure, organizations that join only one Privacy Shield Framework,
whether EU or Swiss, will pay the same single fee when initially
self-certifying or re-certifying. Organizations that join both Frameworks
will pay an additional 50 percent of that single fee when
self-certifying or re-certifying for the second Framework, reflecting the
efficiency savings in administering the Program for organizations that
participate in both Frameworks.
These efficiency savings are maximized if organizations
self-certify to both Frameworks simultaneously, reducing the required staff
time and resources for reviewing materials. Accordingly, organizations
that join both Frameworks will be required to synchronize
recertification between the EU-U.S. and Swiss-U.S. Privacy Shield
Frameworks by renewing their certifications to both Frameworks
simultaneously.
In addition, in order to allow organizations to set their own
annual schedules, organizations that participate in one or both
Frameworks may adjust their annual recertification date by
re-certifying early to one or both Frameworks.
For example, organizations that already have joined the EU
Framework and wish to join the Swiss Framework as well will have three
options for timing the synchronized recertification. Such organizations
may (a) self-certify to the Swiss Framework before the EU renewal comes
due and re-certify early to the EU Framework at the same time; (b) wait
until their certification to the EU Framework is up for renewal and
self-certify to the Swiss Framework at the same time as they renew
their certification to the EU Framework; or (c) self-certify to the
Swiss Framework separately (without waiting for their recertification
to the EU Framework to come due), and then re-certify to both
Frameworks when their recertification to the EU Framework comes due.
Finally, a fixed annual fee of $200 will be charged for
organizations that withdraw from the Privacy Shield and maintain data
received under Privacy Shield. This fee has been set to cover staff
costs for reviewing the questionnaires of organizations withdrawing
from the program, as well as the necessary Web site infrastructure to
facilitate submission of the proper documents. Additionally, this fee
is set to be less than any organization would be required to pay for
recertification. These fees are set forth below:
Revised Annual Fee Schedule for the EU-U.S. and Swiss-U.S. Privacy
Shield Frameworks
------------------------------------------------------------------------
                                                  Single        Both
Organization's annual revenue                     framework     frameworks
------------------------------------------------------------------------
$0 to $5 million................................  $250          $375
Over $5 million to $25 million..................  650           975
Over $25 million to $500 million................  1,000         1,500
Over $500 million to $5 billion.................  2,500         3,750
Over $5 billion.................................  3,250         4,875
------------------------------------------------------------------------
Annual Fee for Retaining Data after Withdrawal: $200.
Organizations will have additional direct costs associated with
participating in the Privacy Shield. For example, Privacy Shield
organizations must provide a readily available independent recourse
mechanism to hear individual complaints at no cost to the individual.
Furthermore, organizations will be required to pay contributions in
connection with the arbitral model, as described in Annex I to the
Principles.
Method for Determining Fees
ITA collects, retains, and expends user fees pursuant to delegated
authority under the Mutual Educational and Cultural Exchange Act as
authorized in its annual appropriations acts. The Privacy Shield was
developed to provide organizations in the United States with a reliable
mechanism for personal data transfers that underpin the trade and
investment relationships between the United States and (1) the EU, and
(2) Switzerland. As one of only several valid data transfer mechanisms,
Privacy Shield operates in a way that provides strong consumer
protection as well as a more effective and efficient service to
corporations at a lower cost than other options, including standard
contractual clauses or binding corporate rules.
Fees are set taking into account the operational costs borne by ITA
to administer and supervise the Privacy Shield program. As described in
the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield
Framework, published September 30, 2016 (81 FR 267293), the Privacy
Shield program requires a significant commitment of resources and
staff. These costs include broad programmatic costs to run the Privacy
Shield as well as costs specific to each of the Privacy Shield
Frameworks and to the program that allows Participants to retain data
after withdrawal from Privacy Shield. The Privacy Shield includes
commitments from ITA to:
Maintain, upgrade, and update a Privacy Shield Web site;
verify self-certification requirements submitted by
organizations to participate in the Privacy Shield;
expand efforts to follow up with organizations that have
been removed from the Privacy Shield List and ensure, where applicable,
that questionnaires are correctly filed and processed;
search for and address false claims of participation;
conduct periodic compliance reviews and assessments of the
program;
provide information regarding the program to targeted
audiences;
increase cooperation with EU and Swiss data protection
authorities;
facilitate resolution of complaints about non-compliance;
hold annual meetings with the European Commission, Swiss
government, and other authorities to review the program; and
provide an update of laws relevant to Privacy Shield.
In setting these revised Privacy Shield fees, ITA determined that
the services provided offer special benefits to an identifiable
recipient beyond those that accrue to the general public. ITA
calculated the actual cost of providing its services in order to
provide a basis for setting each fee. This actual cost incorporates
direct and indirect costs, including operations and maintenance,
overhead, and charges for the use of capital facilities. ITA also took
into account additional factors, including adequacy of cost recovery,
affordability, and costs associated with alternative options available
to U.S. organizations for the receipt of personal data from the EU and
Switzerland. Furthermore, ITA considered the cost-savings and
efficiencies gained in staff hours through simultaneous review of
self-certifications for both the Swiss-U.S. and EU-U.S. Privacy Shield
Frameworks. This analysis balanced these cost savings with projected
expenses, including, but not limited to, Web site development, further
negotiations with the EU and Switzerland, an annual review,
certification review, and facilitating complaint resolutions.
ITA will continue to use the established five-tiered fee schedule
(81 FR 267293) that has promoted participation of small organizations
in Privacy Shield, while implementing a reduced rate for organizations
self-certifying to both the Swiss-U.S. and EU-U.S. Privacy Shield
Frameworks. A
multiple-tiered fee schedule allows ITA to offer organizations with
lower revenue a lower fee. In setting the five tiers, ITA considered,
in conjunction with the factors mentioned above: (1) The Small Business
Administration's guidance on identifying small and medium enterprises
(SMEs) in various industries most likely to participate in the Privacy
Shield, such as computer services, software and information services;
(2) the likelihood that small companies would be expected to receive
less personal data and thereby use fewer government resources; and (3)
the likelihood that companies with higher revenue would have more
customers whose data they process, which would use more government
resources dedicated to administering and overseeing Privacy Shield. For
example, if a company holds more data it could reasonably produce more
questions and complaints from consumers and EU and Swiss Data
Protection Authorities (DPAs). ITA has committed to facilitating the
resolution of individual complaints and to communicating with the FTC
and the DPAs regarding consumer complaints. Lastly, the fee increases
between the tiers are based in part on projected program costs and
estimated participation levels among companies within each tier.
As noted above, the revised fee schedule recoups the costs to ITA
for operating and maintaining Privacy Shield. Organizations seeking to
join the Swiss-U.S. Privacy Shield Framework may do so beginning on
April 12, 2017, through Privacyshield.gov. ITA has taken into account
efficiencies and economies of scale experienced when organizations
participate in both Frameworks by providing a 50 percent discount off
the second Framework and requiring organizations to synchronize their
recertifications. The added cost of joining a second Framework reflects
the additional expenses incurred, including, but not limited to, for
communications with DPAs and Web site infrastructure and development,
as well as the additional costs of cooperating and communicating
separately with the EU and Swiss representatives and governments.
The fee applied to organizations that withdraw from Privacy Shield
but maintain data is meant to cover the programmatic costs associated
with ITA's processing of such organizations' annual affirmation of
commitment to continue to apply the Privacy Shield Framework Principles
to the personal information they received while participating in the
Privacy Shield. The flat fee is based on the expectation that
government resources required to process this annual affirmation will
be similar for all companies, regardless of size.
Conclusion
Based on the information provided above, ITA believes that the
revised Privacy Shield cost recovery fees are consistent with the
objective of OMB Circular A-25 to "promote efficient allocation of the
nation's resources by establishing charges for special benefits
provided to the recipient that are at least as great as the cost to the
U.S. Government of providing the special benefits . . ." OMB Circular
A-25(5)(b). ITA is providing the public with the opportunity to comment
on the fee schedule, and it will consider these comments when it next
reassesses the fee schedule. As noted in the Cost Recovery Fee Schedule
for the EU-U.S. Privacy Shield Framework, published September 30, 2016
(81 FR 267293), ITA will conduct its next fee reassessment after August
1, 2017, at the conclusion of the first year of implementation of the
Privacy Shield. ITA will continue to conduct reassessments thereafter
at least every two years, in accordance with OMB Circular A-25.
Dated: March 28, 2017.
Alysha Taylor,
Acting Deputy Assistant Secretary for Services, Industry & Analysis,
International Trade Administration, U.S. Department of Commerce.
[FR Doc. 2017-06437 Filed 4-3-17; 8:45 am]
BILLING CODE 3510-DR-P