[Federal Register Volume 82, Number 63 (Tuesday, April 4, 2017)]
[Notices]
[Pages 16375-16378]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-06437]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration

[Docket No.: 170301219-7219-01]
RIN 0625-XC029


Amendment to the Privacy Shield Cost Recovery Fees

AGENCY: International Trade Administration, U.S. Department of 
Commerce.

ACTION: Notice of amendment to the Privacy Shield cost recovery program 
fees, with request for comments.

-----------------------------------------------------------------------

SUMMARY: Consistent with the guidelines in OMB Circular A-25, the U.S. 
Department of Commerce's International Trade Administration (ITA) is 
revising the fee schedule implemented on August 1, 2016. On January 12, 
2017, the Swiss Government announced the approval of the Swiss-U.S. 
Privacy Shield Framework as a valid legal mechanism to comply with 
Swiss requirements when transferring personal data from Switzerland to 
the United States. For more detailed information on the Swiss-U.S. 
Privacy Shield Framework and the announcement, please see https://www.privacyshield.gov/Program-Overview.
    This notice revises the Privacy Shield fee structure to incorporate 
the Swiss-U.S. Privacy Shield Framework in addition to the existing EU-
U.S. Privacy Shield Framework. This is to support the operation of both 
the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield).

DATES: These fees are effective April 12, 2017. Comments must be 
received by May 4, 2017.

ADDRESSES: You may submit comments by either of the following methods:
     Federal eRulemaking Portal: www.Regulations.gov. The 
identification number is ITA-2017-0001.
     Postal Mail/Commercial Delivery to Joshua Blume, 
Department of Commerce, International Trade
Administration, Room 11022, 1401 Constitution Avenue NW., Washington, 
DC and reference ``Privacy Shield Fee Structure, ITA-2017-0001'' in the 
subject line.
    Instructions: You must submit comments by one of the above methods 
to ensure that the comments are received and considered. Comments sent 
by any other method, to any other address or individual, or received 
after the end of the comment period, may not be considered. All 
comments received are a part of the public record and will generally be 
posted to http://www.regulations.gov without change. All Personal 
Identifying Information (for example, name, address, etc.) voluntarily 
submitted by the commenter may be publicly accessible. Do not submit 
Confidential Business Information or otherwise sensitive or protected 
information. ITA will accept anonymous comments (enter ``N/A'' in the 
required fields if you wish to remain anonymous). Attachments to 
electronic comments will be accepted in Microsoft Word, Excel, or Adobe 
PDF file formats only. Supporting documents and any comments we receive 
on this docket may be viewed at http://www.regulations.gov/ITA-2017-0001.
    More information regarding the Privacy Shield can be found at 
https://www.privacyshield.gov/Program-Overview.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
regarding the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks should 
be directed to Joshua Blume, Department of Commerce, International 
Trade Administration, Room 11022, 1401 Constitution Avenue NW., 
Washington, DC, tel. 202-482-0988 or 202-482-1512 or via email at 
[email protected]. Additional information on ITA fees is 
available at trade.gov/fees.

SUPPLEMENTARY INFORMATION: 

Background:

    In the revised fee structure, there will be one annual fee applied 
to U.S. organizations to participate in either the Swiss-U.S. or EU-
U.S. Privacy Shield Frameworks. Should a U.S. organization opt to self-
certify for both programs, they will be provided a reduced rate for the 
second Framework and be required to synchronize their recertifications 
to both Frameworks to maximize efficiency. Additionally, a fee will be 
applied annually to organizations that withdraw from the Privacy Shield 
and continue to maintain data received while they participated in the 
Privacy Shield. The cost recovery program will support the 
administration and supervision of the Privacy Shield and support 
Privacy Shield services including education and outreach. The revised 
Privacy Shield fee structure will become effective on April 12, 2017, 
when ITA will begin accepting certifications to the Swiss-U.S. Privacy 
Shield.
    While the revised fees will be effective April 12, 2017, ITA is 
providing the public with the opportunity to comment on these revised 
fees. ITA will then review all comments and reassess the Privacy Shield 
fees after August 1, 2017, a full year from initial implementation of 
Privacy Shield, as originally discussed in the Cost Recovery Fee 
Schedule for the EU-U.S. Privacy Shield Framework, published September 
30, 2016. The review will recur at least every two years thereafter, in 
accordance with OMB Circular A-25.
    Consistent with the guidelines in OMB Circular A-25, federal 
agencies are responsible for implementing cost recovery program fees. 
The role of ITA is to strengthen the competitiveness of U.S. industry, 
promote trade and investment, and ensure fair trade through the 
rigorous enforcement of our trade laws and agreements. ITA works to 
promote privacy policy frameworks to facilitate the flow of data across 
borders and support international trade.
    The United States, the European Union (EU), and Switzerland share 
the goal of enhancing privacy protection but take different approaches 
to protecting personal data. Given those differences, the Department of 
Commerce (DOC) developed the Privacy Shield Frameworks in consultation 
with the European Commission, the Swiss Government, and with industry 
and other stakeholders, to provide organizations in the United States 
with a reliable mechanism for personal data transfers to the United 
States from the European Union and Switzerland while ensuring the data 
is protected in a manner consistent with EU and Swiss law.
    As referenced in the Cost Recovery Fee Schedule for the EU-U.S. 
Privacy Shield Framework, published September 30, 2016 (81 FR 67293), 
the European Commission approved the EU-U.S. Privacy Shield Framework 
on July 12, 2016. More recently, on January 12, 2017, the Swiss 
government approved the Swiss-U.S. Privacy Shield Framework, which is 
based on the EU-U.S. Privacy Shield. The published Privacy Shield is 
available at https://www.privacyshield.gov/. The DOC has issued the 
Privacy Shield Framework Principles under its statutory authority to 
foster, promote, and develop international commerce (15 U.S.C. 1512).
    ITA administers and supervises the EU-U.S. Privacy Shield 
Framework, including by maintaining and making publicly available an 
authoritative list of U.S. organizations that have self-certified to 
the DOC. U.S. organizations submit information to ITA to self-certify 
their compliance with Privacy Shield. ITA similarly will administer and 
supervise the Swiss-U.S. Privacy Shield Framework. ITA will accept 
self-certification submissions for the Swiss-U.S. Privacy Shield 
beginning on April 12, 2017. Consistent with the Paperwork Reduction 
Act, ITA published proposed information collections as described in the 
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for public notice and 
comment (81 FR 78775 and 82 FR 7796; and 82 FR 6492, respectively).
    U.S. organizations considering self-certifying to the Privacy 
Shield should review the Privacy Shield Frameworks. In summary, to 
enter either the EU or Swiss-U.S. Privacy Shield Framework, an 
organization must (a) be subject to the investigatory and enforcement 
powers of the Federal Trade Commission (FTC) or the Department of 
Transportation; (b) publicly declare its commitment to comply with the 
Privacy Shield Framework Principles through self-certification to the 
DOC; (c) publicly disclose its privacy policies in line with the 
Privacy Shield Framework Principles; and (d) fully implement them.
    Self-certification to the DOC is voluntary. However, an 
organization's failure to comply with the Privacy Shield Framework 
Principles after its self-certification is enforceable under Section 5 
of the Federal Trade Commission Act prohibiting unfair and deceptive 
acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or 
regulations prohibiting such acts.
    ITA implemented a cost recovery program to support the operation of 
the EU-U.S. Privacy Shield and is revising that fee schedule to 
additionally support the operation of the Swiss-U.S. Privacy Shield. 
The fee a given organization will be charged will be based on the 
organization's annual revenue. A separate fee will be applied annually 
to organizations that withdraw from the Privacy Shield and continue to 
maintain data received while they participated in the Privacy Shield. 
The cost recovery program will support the administration and 
supervision of the Privacy Shield program and support the provision of 
Privacy Shield-related services, including education and outreach.
    The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield 
Framework,
published September 30, 2016 (81 FR 67293), describes the fees 
implemented by ITA to cover the administration and supervision of the 
EU-U.S. Privacy Shield Framework. Under this revision to the fee 
structure, organizations that join only one Privacy Shield Framework, 
whether EU or Swiss, will pay the same single fee when initially self-
certifying or re-certifying. Organizations that join both Frameworks 
will pay an additional 50 percent of that single fee when self-
certifying or re-certifying for the second Framework, reflecting the 
efficiency savings in administering the Program for organizations that 
participate in both Frameworks.
    These efficiency savings are maximized if organizations self-
certify to both Frameworks simultaneously, reducing the required staff 
time and resources for reviewing materials. Accordingly, organizations 
that join both Frameworks will be required to synchronize 
recertification between the EU-U.S. and Swiss-U.S. Privacy Shield 
Frameworks by renewing their certifications to both Frameworks 
simultaneously.
    In addition, in order to allow organizations to set their own 
annual schedules, organizations that participate in one or both 
Frameworks may adjust their annual recertification date by re-
certifying early to one or both Frameworks.
    For example, organizations that already have joined the EU 
Framework and wish to join the Swiss Framework as well will have three 
options for timing the synchronized recertification. Such organizations 
may (a) self-certify to the Swiss Framework before the EU renewal comes 
due and re-certify early to the EU Framework at the same time; (b) wait 
until their certification to the EU Framework is up for renewal and 
self-certify to the Swiss Framework at the same time as they renew 
their certification to the EU Framework; or (c) self-certify to the 
Swiss Framework separately (without waiting for their recertification 
to the EU Framework to come due), and then re-certify to both 
Frameworks when their recertification to the EU Framework comes due.
    Finally, a fixed annual fee of $200 will be charged for 
organizations that withdraw from the Privacy Shield and maintain data 
received under Privacy Shield. This fee has been set to cover staff 
costs for reviewing the questionnaires of organizations withdrawing 
from the program, as well as the necessary Web site infrastructure to 
facilitate submission of the proper documents. Additionally, this fee 
is set to be less than any organization would be required to pay for 
recertification. These fees are set forth below:

   Revised Annual Fee Schedule for the EU-U.S. and Swiss-U.S. Privacy
                            Shield Frameworks
------------------------------------------------------------------------
                                                    Single       Both
          Organization's annual revenue            framework  frameworks
------------------------------------------------------------------------
$0 to $5 million................................        $250        $375
Over $5 million to $25 million..................         650         975
Over $25 million to $500 million................       1,000       1,500
Over $500 million to $5 billion.................       2,500       3,750
Over $5 billion.................................       3,250       4,875
------------------------------------------------------------------------

    Annual Fee for Retaining Data after Withdrawal: $200.
    Organizations will have additional direct costs associated with 
participating in the Privacy Shield. For example, Privacy Shield 
organizations must provide a readily available independent recourse 
mechanism to hear individual complaints at no cost to the individual. 
Furthermore, organizations will be required to pay contributions in 
connection with the arbitral model, as described in Annex I to the 
Principles.

Method for Determining Fees

    ITA collects, retains, and expends user fees pursuant to delegated 
authority under the Mutual Educational and Cultural Exchange Act as 
authorized in its annual appropriations acts. The Privacy Shield was 
developed to provide organizations in the United States with a reliable 
mechanism for personal data transfers that underpin the trade and 
investment relationships between the United States and (1) the EU, and 
(2) Switzerland. As one of only several valid data transfer mechanisms, 
Privacy Shield operates in a way that provides strong consumer 
protection as well as a more effective and efficient service to 
corporations at a lower cost than other options, including standard 
contractual clauses or binding corporate rules.
    Fees are set taking into account the operational costs borne by ITA 
to administer and supervise the Privacy Shield program. As described in 
the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield 
Framework, published September 30, 2016 (81 FR 67293), the Privacy 
Shield program requires a significant commitment of resources and 
staff. These costs include broad programmatic costs to run the Privacy 
Shield as well as costs specific to each of the Privacy Shield 
Frameworks and to the program that allows Participants to retain data 
after withdrawal from Privacy Shield. The Privacy Shield includes 
commitments from ITA to:
     Maintain, upgrade, and update a Privacy Shield Web site;
     verify self-certification requirements submitted by 
organizations to participate in the Privacy Shield;
     expand efforts to follow up with organizations that have 
been removed from the Privacy Shield List and ensure, where applicable, 
that questionnaires are correctly filed and processed;
     search for and address false claims of participation;
     conduct periodic compliance reviews and assessments of the 
program;
     provide information regarding the program to targeted 
audiences;
     increase cooperation with EU and Swiss data protection 
authorities;
     facilitate resolution of complaints about non-compliance;
     hold annual meetings with the European Commission, Swiss 
government, and other authorities to review the program; and
     provide an update of laws relevant to Privacy Shield.
    In setting these revised Privacy Shield fees, ITA determined that 
the services provided offer special benefits to an identifiable 
recipient beyond those that accrue to the general public. ITA 
calculated the actual cost of providing its services in order to 
provide a basis for setting each fee. This actual cost incorporates 
direct and indirect costs, including operations and maintenance, 
overhead, and charges for the use of capital facilities. ITA also took 
into account additional factors, including adequacy of cost recovery, 
affordability, and costs associated with alternative options available 
to U.S. organizations for the receipt of personal data from the EU and 
Switzerland. Furthermore, ITA considered the cost-savings and 
efficiencies gained in staff hours through simultaneous review of self-
certifications for both the Swiss-U.S. and EU-U.S. Privacy Shield 
Frameworks. This analysis balanced these cost savings with projected 
expenses, including, but not limited to, Web site development, further 
negotiations with the EU and Switzerland, an annual review, 
certification review, and facilitating complaint resolutions.
    ITA will continue to use the established five-tiered fee schedule 
(81 FR 67293) that has promoted participation of small organizations 
in Privacy Shield, while implementing a reduced rate for organizations 
self-certifying to both the Swiss-U.S. and EU-U.S. Privacy Shield 
Frameworks. A
multiple-tiered fee schedule allows ITA to offer organizations with 
lower revenue a lower fee. In setting the five tiers, ITA considered, 
in conjunction with the factors mentioned above: (1) The Small Business 
Administration's guidance on identifying small and medium enterprises 
(SMEs) in various industries most likely to participate in the Privacy 
Shield, such as computer services, software and information services; 
(2) the likelihood that small companies would be expected to receive 
less personal data and thereby use fewer government resources; and (3) 
the likelihood that companies with higher revenue would have more 
customers whose data they process, which would use more government 
resources dedicated to administering and overseeing Privacy Shield. For 
example, if a company holds more data it could reasonably produce more 
questions and complaints from consumers and EU and Swiss Data 
Protection Authorities (DPAs). ITA has committed to facilitating the 
resolution of individual complaints and to communicating with the FTC 
and the DPAs regarding consumer complaints. Lastly, the fee increases 
between the tiers are based in part on projected program costs and 
estimated participation levels among companies within each tier.
    As noted above, the revised fee schedule recoups the costs to ITA 
for operating and maintaining Privacy Shield. Organizations seeking to 
join the Swiss-U.S. Privacy Shield Framework may do so beginning on 
April 12, 2017, through Privacyshield.gov. ITA has taken into account 
efficiencies and economies of scale experienced when organizations 
participate in both Frameworks by providing a 50 percent discount off 
the second Framework and requiring organizations to synchronize their 
recertifications. The added cost of joining a second Framework reflects 
the additional expenses incurred, including, but not limited to, for 
communications with DPAs and Web site infrastructure and development, 
as well as the additional costs of cooperating and communicating 
separately with the EU and Swiss representatives and governments.
    The fee applied to organizations that withdraw from Privacy Shield 
but maintain data is meant to cover the programmatic costs associated 
with ITA's processing of such organizations' annual affirmation of 
commitment to continue to apply the Privacy Shield Framework Principles 
to the personal information they received while participating in the 
Privacy Shield. The flat fee is based on the expectation that 
government resources required to process this annual affirmation will 
be similar for all companies, regardless of size.

Conclusion

    Based on the information provided above, ITA believes that the 
revised Privacy Shield cost recovery fees are consistent with the 
objective of OMB Circular A-25 to ``promote efficient allocation of the 
nation's resources by establishing charges for special benefits 
provided to the recipient that are at least as great as the cost to the 
U.S. Government of providing the special benefits . . .'' OMB Circular 
A-25(5)(b). ITA is providing the public with the opportunity to comment 
on the fee schedule, and it will consider these comments when it next 
reassesses the fee schedule. As noted in the Cost Recovery Fee Schedule 
for the EU-U.S. Privacy Shield Framework, published September 30, 2016 
(81 FR 67293), ITA will conduct its next fee reassessment after August 
1, 2017, at the conclusion of the first year of implementation of the 
Privacy Shield. ITA will continue to conduct reassessments thereafter 
at least every two years, in accordance with OMB Circular A-25.

    Dated: March 28, 2017.
Alysha Taylor,
Acting Deputy Assistant Secretary for Services, Industry & Analysis, 
International Trade Administration, U.S. Department of Commerce.
[FR Doc. 2017-06437 Filed 4-3-17; 8:45 am]