[Federal Register Volume 88, Number 61 (Thursday, March 30, 2023)] [Notices] [Pages 19067-19069] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2023-06645] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE International Trade Administration Agency Information Collection Activities; Submission to the Office of Management and Budget (OMB) for Review and Approval; Comment Request; Self-Certifications Under the Data Privacy Framework Program AGENCY: International Trade Administration, Department of Commerce. ACTION: Notice of information collection, request for comment. ----------------------------------------------------------------------- SUMMARY: The Department of Commerce, in accordance with the Paperwork Reduction Act of 1995 (PRA), invites the general public and other Federal agencies to comment on proposed, and continuing information collections, which helps us assess the impact of our information collection requirements and minimize the public's reporting burden. The purpose of this notice is to allow for 60 days of public comment preceding submission of the collection to OMB. DATES: To ensure consideration, comments regarding this proposed information collection must be received on or before May 30, 2023. ADDRESSES: Interested persons are invited to submit written comments to Leo Kim, ITA Paperwork Clearance Officer, International Trade Administration, Department of Commerce, Room 23016RA, 14th and Constitution Avenue NW, Washington, DC 20230 (or via the internet at [email protected]). Do not submit Confidential Business Information or otherwise sensitive or protected information. FOR FURTHER INFORMATION CONTACT: Requests for additional information or specific questions related to collection activities should be directed to David Ritchie, Senior Policy Advisor, International Trade Administration, Department of Commerce via email at [email protected], or by telephone at 202-482-1512. SUPPLEMENTARY INFORMATION: I. Abstract The United States, the European Union (EU), the United Kingdom (UK), and Switzerland share a commitment to enhancing privacy protection, the rule of law, and a recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies, but take different approaches to doing so. Given those differences, the Department of Commerce (DOC) developed the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) in consultation with the European Commission, the UK Government, the Swiss Federal Administration, industry, and other stakeholders. These arrangements were respectively developed to provide U.S. organizations reliable mechanisms for personal data transfers to the United States from the European Union, the United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. The DOC is issuing the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles, including the respective sets of Supplemental Principles (collectively the Principles) and Annex I of the Principles, as well as the UK Extension to the EU-U.S. DPF under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). The International Trade Administration (ITA) will administer and supervise the Data Privacy Framework program, including maintaining and making publicly available the Data Privacy Framework List, an authoritative list of U.S. organizations that have self- certified to the DOC and declared their commitment to adhere to the Principles pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. On the basis of the Principles, Executive Order 14086, 28 CFR part 201, and accompanying letters and materials, including ITA's commitments regarding the administration and supervision of the Data Privacy Framework program, it is the DOC's expectation that the European Commission, the UK Government, and the Swiss Federal Administration will respectively recognize the adequacy of the protection provided by the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss- U.S. DPF thereby enabling personal data transfers from each respective jurisdiction to U.S. organizations participating in the relevant part of the Data Privacy Framework program. The EU-U.S. DPF, [[Page 19068]] the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF will not enter into effect until they have respectively received such recognition (i.e., until such formal recognition enters into effect). In order to participate in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation (DOT), or another statutory body that will effectively ensure compliance with the Principles; (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with the Principles; and (d) fully implement them. While the decision by an organization to self-certify its compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and by extension participate in the Data Privacy Framework program is voluntary; effective compliance is compulsory: organizations that self- certify to the DOC and publicly declare their commitment to adhere to the Principles must comply fully with the Principles. Organizations that only wish to self-certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-U.S. DPF may do so; however, organizations that wish to participate in the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. DPF. Such organizations' commitment to comply with the Principles with regard to transfers of personal data from the European Union and, as applicable, the United Kingdom, and/or Switzerland must be reflected in their self-certification submissions to the DOC, and in their privacy policies. An organization's failure to comply with the Principles after its self-certification is enforceable by the FTC under Section 5 of the Federal Trade Commission (FTC) Act prohibiting unfair or deceptive acts in or affecting commerce (15 U.S.C. 45); by the DOT under 49 U.S.C. 41712 prohibiting a carrier or ticket agent from engaging in an unfair or deceptive practice in air transportation or the sale of air transportation; or under other laws or regulations prohibiting such acts. To rely on the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF for transfers of personal data from the European Union and, as applicable, the United Kingdom, and/or Switzerland an organization must self-certify its adherence to the Principles to the DOC, and both be placed and remain on the Data Privacy Framework List. The DOC will update the Data Privacy Framework List on the basis of annual re-certification submissions made by participating organizations and by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the DOC's procedures, or are found to persistently fail to comply. The DOC will also maintain and make available to the public an authoritative record of U.S. organizations that have been removed from the Data Privacy Framework List and will identify the reason each organization was removed. The aforementioned authoritative list and record will remain available to the public on the DOC's Data Privacy Framework program website. Any organization removed from the Data Privacy Framework List must cease making claims that it participates in or complies with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and that it may receive personal information pursuant to same. Such an organization must nevertheless continue to apply the Principles to such personal information that it received while it participated in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF for as long as it retains such personal information. To initially self-certify or subsequently re-certify for the EU- U.S. DPF and, as applicable, UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, an organization must on each occasion provide to the DOC a submission that contains the relevant information specified in the Principles. The submission must be made via the DOC's Data Privacy Framework program website by an individual within the organization who is authorized to make representations on behalf of the organization and any of its covered U.S. entities regarding its adherence to the Principles. Such an organization must respond promptly to inquiries and other requests for information from the DOC relating to the organization's adherence to the Principles. ITA has committed to follow up with organizations that have been or wish to be removed from the Data Privacy Framework List. ITA will direct organizations that allow their self-certifications to lapse to verify whether they intend to re-certify or instead intend to withdraw. An organization that intends to re-certify will be required to further verify to the DOC that during the lapse of its certification status it applied the Principles to relevant personal data received in reliance on its participation in the Data Privacy Framework program and clarify what steps it will take to address the outstanding issues that have delayed its re-certification. An organization that intends to withdraw will be required to further verify to the DOC what it will do and/or has done (as applicable) with the relevant personal data that it received in reliance on its participation in the Data Privacy Framework program (i.e., (a) retain such data, continue to apply the Principles to such data, and affirm to the DOC on an annual basis its commitment to apply the Principles to such data; (b) retain such data and provide ``adequate'' protection for such data by another authorized means; or (c) return or delete all such data by a specified date) and who within the organization will serve as an ongoing point of contact for Principles-related questions. Organizations will be required to provide such verification to the DOC by completing and submitting appropriate questionnaires to the DOC. ITA has also committed to conduct compliance reviews on an ongoing basis, including, as appropriate, through sending detailed questionnaires to participating organizations. The DOC will require that a participating organization complete and submit to the DOC such a questionnaire when: (a) the DOC has received any specific, non- frivolous complaints about the organization's compliance with the Principles; (b) the organization does not respond satisfactorily to inquiries by the DOC for information relating to the organization's adherence to the Principles; or (c) there is credible evidence that the organization does not comply with its commitments under the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. II. Method of Collection Organizations would make their initial self-certification, as well as annual re-certification submissions under the Data Privacy Framework program (i.e., the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF) to the DOC online via the DOC's Data Privacy Framework program website (https://www.dataprivacyframework.gov/). An organization that already participates in the EU-U.S. DPF and intends to extend its participation to also cover personal data received from the United Kingdom would make its election to participate in the UK Extension to the EU-U.S. DPF either: (a) as part of its annual re-certification to the EU-U.S. DPF, or (b) outside of its [[Page 19069]] annual re-certification to the EU-U.S. DPF provided it makes that election no later than six months from the effective date for the UK Extension to the EU-U.S. DPF (n.b., in either scenario the organization would make the relevant submission to the DOC online via the DOC's Data Privacy Framework program website). Organizations would complete and submit Data Privacy Framework program questionnaires to the DOC online via the DOC's Data Privacy Framework program website or via email at [email protected] (as applicable) in accordance with Data Privacy Framework program requirements. The DOC previously requested and obtained approval of analogous information collection that has allowed the DOC, as represented by ITA, to collect information from organizations in the United States to enable them to self-certify their commitment to comply with the EU-U.S. Privacy Shield Framework Principles and/or the Swiss-U.S. Privacy Shield Framework Principles (OMB Control No. 0625-0276). Pursuant to the EU-U.S. DPF, the EU-U.S. Privacy Shield Framework Principles will be amended as the ``EU-U.S. Data Privacy Framework Principles''; and pursuant to the Swiss-U.S. DPF, the Swiss-U.S. Privacy Shield Framework Principles will be amended as the ``Swiss-U.S. Data Privacy Framework Principles''. Organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles and/or the Swiss-U.S. Privacy Shield Framework Principles that wish to enjoy the benefits of participating in the EU-U.S. DPF and/or the Swiss-U.S. DPF (as applicable) must comply with the amended Principles once those amendments have entered into effect. More information on self- certification, including annual re-certification under the Data Privacy Framework program will be made available on the DOC's Data Privacy Framework program website (https://www.dataprivacyframework.gov/) once that is launched; however, such information will also be made available, as appropriate, on the DOC's Privacy Shield program website (https://www.privacyshield.gov/welcome). III. Data OMB Control Number: New Collection. Not yet assigned. Form Number(s): None. Type of Review: Regular submission, new information collection. Affected Public: Primarily businesses or other for-profit organizations. Estimated Number of Respondents: 4,000. Estimated Time per Response: 40 minutes. Estimated Total Annual Burden Hours: 3,062. Estimated Total Annual Cost to Public: $3,260,000. Legal Authority: The DOC's statutory authority to foster, promote, and develop the foreign and domestic commerce of the United States (15 U.S.C. 1512). IV. Request for Comments We are soliciting public comments to permit the Department/Bureau to: (a) Evaluate whether the proposed information collection is necessary for the proper functions of the Department, including whether the information will have practical utility; (b) Evaluate the accuracy of our estimate of the time and cost burden for this proposed collection, including the validity of the methodology and assumptions used; (c) Evaluate ways to enhance the quality, utility, and clarity of the information to be collected; and (d) Minimize the reporting burden on those who are to respond, including the use of automated collection techniques or other forms of information technology. Comments that you submit in response to this notice are a matter of public record. We will include or summarize each comment in our request to OMB to approve this information collection request (ICR). Before including your address, phone number, email address, or other personal identifying information in your comment, you should be aware that your entire comment--including your personal identifying information--may be made publicly available at any time. While you may ask us in your comment to withhold your personal identifying information from public review, we cannot guarantee that we will be able to do so. Sheleen Dumas, Department PRA Clearance Officer, Office of the Under Secretary for Economic Affairs, Commerce Department. [FR Doc. 2023-06645 Filed 3-29-23; 8:45 am] BILLING CODE 3510-DS-P