[Federal Register Volume 89, Number 131 (Tuesday, July 9, 2024)]
[Notices]
[Pages 56289-56292]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-14983]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration

[Docket No. 240702-0183]


Revisions to the Fee Schedule for the Data Privacy Framework 
Program

AGENCY: International Trade Administration, U.S. Department of 
Commerce.

ACTION: Notice of revisions; request for public comments.

-----------------------------------------------------------------------

SUMMARY: Consistent with the guidelines in OMB Circular A-25, the U.S. 
Department of Commerce's International Trade Administration (ITA) is 
revising the fee schedule that was last updated on April 12, 2017. This 
notice revises the Privacy Shield program fee schedule to reflect the 
change in the name of the program from the ``Privacy Shield'' program 
to the ``Data Privacy Framework'' program and to amend the fees. This 
is to support the operation of the EU-U.S. DPF, the UK Extension to the 
EU-U.S. DPF, and the Swiss-U.S. DPF (collectively, the DPF program).

DATES: The revisions to the fee schedule will become effective 30 days 
after the final fee schedule is published. Comments must be received by 
August 7th, 2024.

ADDRESSES: You may submit comments by either of the following methods:
     Federal eRulemaking Portal at www.Regulations.gov. The 
identification number is ITA-2024-0001.
     Postal Mail/Commercial Delivery to Isabella Carlton, 
Department of Commerce, International Trade Administration, Room 11018, 
1401 Constitution Avenue NW, Washington, DC, and reference ``Revisions 
to the Fee Schedule for the Data Privacy Framework Program'' in the 
subject line.
    Instructions: You must submit comments by one of the above methods 
to ensure that the comments are received and considered. Comments sent 
by any other method, to any other address or individual, or received 
after the end of the comment period, may not be considered. All 
comments received are a part of the public record and will generally be 
posted to http://www.regulations.gov without change. All Personal 
Identifying Information (e.g., name, address, etc.) voluntarily 
submitted by the commenter may be publicly accessible. Do not submit 
Confidential Business Information or otherwise sensitive or protected 
information. ITA will accept anonymous comments (enter ``N/A'' in the 
required fields if you wish to remain anonymous). Attachments to 
electronic comments will be accepted in Microsoft Word, Excel, or Adobe 
PDF file formats only. Supporting documents and any comments we receive 
on this docket may be viewed at http://www.regulations.gov/ (http://www.regulations.gov/) ITA-2024-0001.
    More information regarding the DPF program can be found at https://www.dataprivacyframework.gov/Program-Overview.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
regarding the DPF program should be directed to Isabella Carlton, 
Department of Commerce, International Trade Administration, Room 11018, 
1401 Constitution Avenue NW, Washington, DC, tel. (202) 482-1512 or via 
email at [email protected]. Additional information on ITA fees is 
available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background

    On July 17, 2023, the U.S. Department of Commerce (DOC) launched 
the Data Privacy Framework (DPF) program. The EU-U.S. Data Privacy 
Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF, and Swiss-
U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively 
developed by the DOC and the European Commission, UK Government, and 
Swiss Federal Administration to provide U.S. organizations with 
reliable mechanisms for personal data transfers to the United States 
from the EU, UK, and Switzerland while ensuring data protection that is 
consistent with EU, UK, and Swiss law. The EU-U.S. DPF amends the 
privacy principles that

[[Page 56290]]

organizations adhered to under the EU-U.S. Privacy Shield Framework as 
the ``EU-U.S. Data Privacy Framework Principles'' (EU-U.S. DPF 
Principles), and the Swiss-U.S. DPF amends the privacy principles that 
organizations adhered to under the Swiss-U.S. Privacy Shield Framework 
as the ``Swiss-U.S. Data Privacy Framework Principles'' (Swiss-U.S. DPF 
Principles). For more detailed information on the DPF program, please 
see https://www.dataprivacyframework.gov/Program-Overview.
    Consistent with the guidelines in OMB Circular A-25, Federal 
agencies are responsible for implementing cost recovery program fees. 
The role of ITA is to strengthen the competitiveness of U.S. industry, 
promote trade and investment, and ensure fair trade through the 
rigorous enforcement of U.S. trade laws and agreements. ITA works to 
promote privacy policy frameworks to facilitate the trusted flow of 
data across borders with strong privacy protections, which in turn 
supports international trade.
    The U.S., EU, UK, and Switzerland share a commitment to enhancing 
privacy protection, the rule of law, and a recognition of the 
importance of transatlantic data flows to our respective citizens, 
economies, and societies, but have different legal systems and take 
different approaches to doing so. Given those differences, the DOC 
developed the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the 
Swiss-U.S. DPF in consultation with the European Commission, the UK 
Government, the Swiss Federal Administration, industry, and other 
stakeholders. These arrangements were respectively developed to provide 
U.S. organizations reliable mechanisms for personal data transfers to 
the U.S. from the EU, UK, and Switzerland that are consistent with EU, 
UK, and Swiss law.
    The DOC has issued the EU-U.S. DPF Principles and the Swiss-U.S. 
DPF Principles, including the respective sets of Supplemental 
Principles (collectively, the Principles) and Annex I to the 
Principles, as well as the UK Extension to the EU-U.S. DPF under its 
statutory authority to foster, promote, and develop international 
commerce (15 U.S.C. 1512).
    To participate in the EU-U.S. DPF and, as applicable, the UK 
Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF an organization 
must: (1) be subject to the investigatory and enforcement powers of the 
Federal Trade Commission (FTC), the Department of Transportation (DOT), 
or another statutory body that will effectively ensure compliance with 
the Principles; (2) publicly declare its commitment to comply with the 
Principles; (3) publicly disclose its privacy policies in line with the 
Principles; and (4) fully implement the Principles.
    While the decision by an organization to self-certify its 
compliance and to participate in the DPF is voluntary; effective 
compliance is compulsory: organizations that self-certify to the DOC 
and publicly declare their commitment to adhere to the Principles must 
comply fully with the Principles. Organizations that only wish to self-
certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-
U.S. DPF may do so; however, organizations that wish to participate in 
the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. 
DPF. Such organizations' commitment to comply with the Principles with 
regard to transfers of personal data from the EU and, as applicable, 
the UK, and/or Switzerland must be reflected in their self-
certification submissions to the DOC, and in their privacy policies. An 
organization's failure to comply with the Principles after its self-
certification is enforceable: (1) by the FTC under Section 5 of the 
Federal Trade Commission (FTC) Act prohibiting unfair or deceptive acts 
in or affecting commerce (15 U.S.C. 45); (2) by the DOT under 49 U.S.C. 
41712 prohibiting a carrier or ticket agent from engaging in an unfair 
or deceptive practice in air transportation or the sale of air 
transportation; or (3) under other laws or regulations prohibiting such 
acts.
    U.S. organizations considering self-certifying their compliance 
pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the 
EU-U.S. DPF, and/or the Swiss-U.S. DPF should review the requirements 
in their entirety, including the Principles and associated documents 
available in full at www.dataprivacyframework.gov.

Revisions to the Fee Schedule

    ITA initially implemented a cost recovery program to support the 
operation of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. 
Privacy Shield Frameworks (collectively, the Privacy Shield program) 
and is revising that fee schedule to support the operation of the DPF 
program. The cost recovery program will support the administration and 
supervision of the DPF program and support services related to the DPF 
program, including education and outreach. The revisions to the fee 
schedule will become effective 30 days after the final fee schedule is 
published.
    The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield 
Framework, published September 30, 2016 (81 FR 67293), describes the 
fees implemented by ITA to cover the administration and supervision of 
the EU-U.S. Privacy Shield Framework. The first amendment to the Cost 
Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, 
published April 4, 2017 (82 FR 16375), describes the additional fees 
implemented by ITA to cover the administration and supervision of the 
Swiss-U.S. Privacy Shield Framework. Under this revision to the fee 
schedule, organizations that opt to self-certify only for the EU-U.S. 
DPF, only the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, or 
only the Swiss-U.S. DPF will pay a single fee when initially self-
certifying or re-certifying. Organizations that opt to self-certify for 
an additional framework will pay an additional 50 percent of that 
single fee when self-certifying or re-certifying for the additional 
framework, reflecting the efficiency savings in administering the DPF 
program for organizations that participate in multiple parts of the DPF 
program. As organizations that wish to participate in the UK Extension 
to the EU-U.S. DPF must participate in the EU-U.S. DPF, the annual fee 
that such organizations are required to pay to ITA to participate in 
the EU-U.S. DPF currently covers both the EU-U.S. DPF and the UK 
Extension to the EU-U.S. DPF.
    These efficiency savings are maximized if organizations self-
certify to multiple parts of the DPF program simultaneously, reducing 
the required staff time and resources for reviewing materials.
    In addition, organizations that participate in the EU-U.S. DPF and, 
as applicable, the UK Extension to the EU-U.S. DPF and/or the Swiss-
U.S. DPF may adjust their annual re-certification due date by re-
certifying early (i.e., before the applicable due date) to the relevant 
part(s) of the DPF program.
    Although an organization may adjust its annual re-certification due 
date by re-certifying early, the re-certification due date would apply 
to all parts of the DPF program in which it participates (i.e., re-
certification to the relevant part(s) of the DPF program is 
synchronized). For example, if an organization initially self-certified 
exclusively to and was placed on the Data Privacy Framework List with 
regard to the EU-U.S. DPF, and then several months later self-certified 
to and was placed on the Data Privacy Framework List with regard to the 
Swiss-U.S. DPF, the organization's next re-certification to both of 
those parts of the DPF program would be due by the same date.

[[Page 56291]]

    Additionally, a fixed annual fee of $260 will be charged per 
applicable framework for organizations that withdraw from the relevant 
part(s) of the DPF program, retain personal data that they received in 
reliance on their participation in the relevant part(s) of the DPF 
program, continue to apply the Principles to such data, and affirm to 
ITA on an annual basis their commitment to apply the Principles to such 
data. This fee has been set to cover staff costs for reviewing the 
``Post-Withdrawal, Annual Affirmation Questionnaire'', which must be 
submitted by organizations that have chosen the aforementioned option 
when withdrawing from the relevant part(s) of the program, as well as 
the necessary website infrastructure to facilitate submission of the 
proper documents. Additionally, this fee is set to be less than any 
organization would be required to pay for re-certification. The fee 
schedule is set forth below:

             Revised Annual Fee Schedule for the DPF Program
------------------------------------------------------------------------
                                             A single          Both
      Organization's annual revenue          framework      frameworks
------------------------------------------------------------------------
Post-withdrawal, annual affirmation fee.            $260            $520
0 to 5 million..........................             260             390
Over 5 million to 25 million............             750           1,125
Over 25 million to 500 million..........           1,600           2,400
Over 500 million to 5 billion...........           4,130           6,195
Over 5 billion..........................           5,530           8,295
------------------------------------------------------------------------

    For purposes of the annual fee schedule described above:
     ``A single framework'' could refer to any of the 
following: only the EU-U.S. DPF; only the EU-U.S. DPF and the UK 
Extension to the EU-U.S. DPF; or only the Swiss-U.S. DPF.
     ``Both frameworks'' could refer to any of the following: 
the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-
U.S. DPF; or only the EU-U.S. DPF and the Swiss-U.S. DPF.
    Organizations will have additional direct costs associated with 
participating in the DPF program. For example, organizations must 
provide a readily available independent recourse mechanism to hear 
individual complaints at no cost to the individual. Furthermore, 
organizations are required to make contributions in connection with the 
arbitral model, as described in Annex I to the Principles.

Method for Determining Fees

    ITA collects, retains, and expends user fees pursuant to delegated 
authority under the Mutual Educational and Cultural Exchange Act as 
authorized in its annual appropriations acts. The EU-U.S. DPF, the UK 
Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF were developed to 
facilitate transatlantic commerce by providing U.S. organizations with 
reliable mechanisms for personal data transfers to the United States 
from the EU/European Economic Area, UK, and Switzerland. The Data 
Privacy Framework program operates in a way that provides strong 
privacy protection as well as a more effective and efficient service to 
participants at a lower cost than other options, including standard 
contractual clauses or binding corporate rules.
    Fees are set by taking into account the operational costs borne by 
ITA to administer and supervise the Data Privacy Framework program. The 
DPF program requires a significant commitment of resources and staff. 
These costs include broad programmatic costs to run the program as well 
as costs specific to EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, 
and the Swiss-U.S. DPF. The DPF program includes commitments from ITA 
to:
     Maintain, upgrade, and update a DPF program website, 
including maintaining the Data Privacy Framework List (i.e., the 
authoritative list of U.S. organizations that have self-certified to 
the DOC, as represented by ITA, and declared their commitment to adhere 
to the Principles;
     Verify self-certification requirements submitted by 
organizations to participate in the DPF program;
     Follow up with organizations that have been removed from 
the Data Privacy Framework List and ensure, where applicable, that 
questionnaires are correctly filed and processed;
     Search for and address false claims of participation;
     Conduct periodic compliance reviews and assessments of the 
program;
     Provide information regarding the program to targeted 
audiences;
     Increase cooperation with European data protection 
authorities;
     Facilitate resolution of complaints about non-compliance;
     Hold periodic meetings with the European Commission, the 
UK government, the Swiss government, and other authorities to review 
the program; and
     Provide the EU, UK, and Switzerland with updates on laws 
relevant to the DPF program.
    In setting these revised DPF program fees, ITA determined that the 
services provided offer special benefits to an identifiable recipient 
beyond those that accrue to the general public. ITA calculated the 
actual cost of providing its services in order to provide a basis for 
setting each fee. This actual cost incorporates direct and indirect 
costs, including operations and maintenance, overhead, and charges for 
the use of capital facilities. ITA also took into account additional 
factors, including inflation, adequacy of cost recovery, affordability, 
and costs associated with alternative options available to U.S. 
organizations for the receipt of personal data from the EU, the UK, and 
Switzerland. Furthermore, ITA considered the cost-savings and 
efficiencies gained in staff hours through simultaneous review of self-
certifications for the EU-U.S. DPF, the UK Extension to the EU-U.S. 
DPF, and the Swiss-U.S. DPF. This analysis balanced these cost savings 
with projected expenses, including, but not limited to, website 
development, further negotiations with the EU, the UK, and Switzerland, 
periodic reviews, certification reviews, and facilitating complaint 
resolutions.
    ITA will continue to use the established five-tiered fee schedule 
(see 82 FR 16375) that promoted participation of small organizations in 
the Privacy Shield program, while amending the fees at each tier to 
account for increased program administration costs. A multiple-tiered 
fee schedule allows ITA to offer organizations with lower revenue a 
lower fee. In setting the five tiers, ITA considered, in conjunction 
with the factors mentioned above: (1) the Small Business 
Administration's guidance on

[[Page 56292]]

identifying small and medium enterprises (SMEs) in various industries 
most likely to participate in the DPF program, such as computer 
services, software and information services; (2) the likelihood that 
small companies would be expected to receive less personal data and 
thereby use fewer government resources; and (3) the likelihood that 
companies with higher revenue would have more customers whose data they 
process, which would use more government resources dedicated to 
administering and overseeing the DPF program. For example, if a company 
holds more data, it could reasonably produce more questions and 
complaints from consumers and European data protection authorities 
(DPAs). ITA has committed to facilitating the resolution of individual 
complaints and to communicating with the FTC and the DPAs regarding 
consumer complaints. Lastly, the fee increases between the tiers are 
based in part on projected program costs and estimated participation 
levels among companies within each tier.
    As noted above, the revisions to the fee schedule recoups the costs 
to ITA for operating and maintaining the DPF program. ITA has taken 
into account the efficiencies and economies of scale experienced when 
organizations participate in multiple Frameworks by providing a 50 
percent discount off adding another framework program and requiring 
organizations to synchronize their re-certifications. The added cost of 
joining an additional framework program reflects the additional 
expenses incurred, including, but not limited to, for communications 
with DPAs and website infrastructure and development, as well as the 
additional costs of cooperating and communicating separately with the 
EU, UK, and Swiss representatives and governments.
    The fee applied to organizations that withdraw from relevant 
part(s) of the DPF program, but that maintain data, is meant to cover 
the programmatic costs associated with ITA's processing of such 
organizations' annual affirmation of commitment to continue to apply 
the Principles to the personal data they received while participating 
in the relevant part(s) of the DPF program. The flat fee is based on 
the expectation that government resources required to process this 
annual affirmation will be similar for all companies, regardless of 
size.
    Based on the information provided above, ITA believes that the 
revised DPF program cost recovery fee schedule is consistent with the 
objective of OMB Circular A-25 to ``promote efficient allocation of the 
nation's resources by establishing charges for special benefits 
provided to the recipient that are at least as great as the cost to the 
U.S. Government of providing the special benefits . . .'' (OMB Circular 
A-25(5)(b)). ITA is providing the public with the opportunity to 
comment on the revisions to the fee schedule. ITA will then review all 
comments and publish the final fee schedule 30 days before the final 
fee schedule becomes effective. ITA administers and supervises the DPF 
program, including maintaining and making publicly available the Data 
Privacy Framework List, an authoritative list of U.S. organizations 
that have self-certified to the DOC and declared their commitment to 
adhere to the Principles pursuant to the EU-U.S. DPF and, as 
applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. 
DPF.

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (PRA), ITA 
published proposed information collection as described in the EU-U.S. 
DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF for 
public notice and comment (88 FR 19067 and 88 FR 37509). The approved 
OMB Control Number for that information collection is 0625-0280 
(expires 07/31/2026). That approval allows ITA to collect information 
from organizations in the United States, including information 
concerning their annual revenue, to enable such organizations to self-
certify to the DOC. Such information collection is critical to ITA's 
administration and supervision of the DPF program, including its 
maintenance of the authoritative, public list of U.S. organizations 
that have self-certified to the DOC and declared their commitment to 
adhere to the Principles. The instant revisions to the DPF program cost 
recovery fee schedule do not impose any new information collection 
request (ICR) requirements or revise the current approved burden hours 
and administrative costs associated with the self-certification process 
under the approved OMB Control Number.

    Dated: July 2, 2024.
Neema Guliani,
Deputy Assistant Secretary for Service, Industry & Analysis, 
International Trade Administration, U.S. Department of Commerce.
[FR Doc. 2024-14983 Filed 7-8-24; 8:45 am]
BILLING CODE 3510-DR-P