[Federal Register Volume 89, Number 169 (Friday, August 30, 2024)]
[Notices]
[Pages 70597-70600]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-19541]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

[Docket No.: 240826-0227]


Revisions to the Fee Schedule for the Data Privacy Framework 
Program

AGENCY: International Trade Administration, U.S. Department of 
Commerce.

ACTION: Final notice of implementation of revisions to the fee schedule 
for the Data Privacy Framework Program.

-----------------------------------------------------------------------

SUMMARY: The U.S. Department of Commerce (DOC) published the Revisions 
to the Fee Schedule for the Data Privacy Framework Program on July 9, 
2024. We gave interested parties an opportunity to comment on the 
revisions to the fee schedule. No comments were received; therefore, 
the revised fee schedule is considered the final fee schedule subject 
to future review in accordance with OMB Circular A-25 and will become 
effective October 1st, 2024.

DATES: This fee schedule will become effective October 1, 2024.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
regarding the DPF program should be directed to Isabella Carlton, 
Department of Commerce, International Trade Administration, Room 11018, 
1401 Constitution Avenue NW, Washington, DC, tel. (202) 482-1512 or via 
email at [email protected]. Additional information on ITA fees is 
available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background

    Consistent with the guidelines in OMB Circular A-25, Federal 
agencies are responsible for implementing cost recovery program fees. 
The role of ITA is to strengthen the competitiveness of U.S. industry, 
promote trade and investment, and ensure fair trade through the 
rigorous enforcement of U.S. trade laws and agreements. ITA works to 
promote privacy policy frameworks to facilitate the trusted flow of 
data across borders with strong privacy protections, which in turn 
supports international trade.
    The U.S., EU, UK, and Switzerland share a commitment to enhancing 
privacy protection, the rule of law, and a recognition of the 
importance of transatlantic data flows to our respective citizens, 
economies, and societies, but have different legal systems and take 
different approaches to doing so. Given those differences, the DOC 
developed the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the 
Swiss-U.S. DPF in consultation with the European Commission, the UK 
Government, the Swiss Federal Administration, industry, and other 
stakeholders. These arrangements were respectively developed to provide 
U.S. organizations reliable mechanisms for personal data transfers to 
the U.S. from the EU, UK, and Switzerland that are consistent with EU, 
UK, and Swiss law.
    The DOC has issued the EU-U.S. DPF Principles and the Swiss-U.S. 
DPF Principles, including the respective sets of Supplemental 
Principles (collectively, the Principles) and Annex I to the 
Principles, as well as the UK Extension to the EU-U.S. DPF under its 
statutory authority to foster, promote, and develop international 
commerce (15 U.S.C. 1512).
    To participate in the EU-U.S. DPF and, as applicable, the UK 
Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF an organization 
must: (1) be subject to the investigatory and enforcement powers of the 
Federal Trade Commission (FTC), the Department of Transportation (DOT), 
or another statutory body that will effectively ensure compliance with 
the Principles; (2) publicly declare its commitment to comply with the 
Principles; (3) publicly disclose its privacy policies in line with the 
Principles; and (4) fully implement the Principles.
    While the decision by an organization to self-certify its 
compliance and to participate in the DPF is voluntary; effective 
compliance is compulsory: organizations that self-certify to the DOC 
and publicly declare their commitment to adhere to the Principles must 
comply fully with the Principles. Organizations that only wish to self-
certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-
U.S. DPF may do so; however, organizations that wish to participate in 
the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. 
DPF. Such organizations' commitment to comply with the Principles with 
regard to transfers of personal data from the EU and, as applicable, 
the UK, and/or Switzerland must be reflected in their self-

[[Page 70598]]

certification submissions to the DOC, and in their privacy policies. An 
organization's failure to comply with the Principles after its self-
certification is enforceable: (1) by the FTC under Section 5 of the 
Federal Trade Commission (FTC) Act prohibiting unfair or deceptive acts 
in or affecting commerce (15 U.S.C. 45); (2) by the DOT under 49 U.S.C. 
41712 prohibiting a carrier or ticket agent from engaging in an unfair 
or deceptive practice in air transportation or the sale of air 
transportation; or (3) under other laws or regulations prohibiting such 
acts.
    U.S. organizations considering self-certifying their compliance 
pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the 
EU-U.S. DPF, and/or the Swiss-U.S. DPF should review the requirements 
in their entirety, including the Principles and associated documents 
available in full at www.dataprivacyframework.gov.

Revisions to the Fee Schedule

    ITA initially implemented a cost recovery program to support the 
operation of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. 
Privacy Shield Frameworks (collectively, the Privacy Shield program) 
and is revising that fee schedule to support the operation of the DPF 
program. The cost recovery program will support the administration and 
supervision of the DPF program and support services related to the DPF 
program, including education and outreach. The revisions to the fee 
schedule will become effective October 1st, 2024, which is 30 days 
after this final fee schedule was published.
    The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield 
Framework, published September 30, 2016 (81 FR 67293), describes the 
fees implemented by ITA to cover the administration and supervision of 
the EU-U.S. Privacy Shield Framework. The first amendment to the Cost 
Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, 
published April 4, 2017 (82 FR 16375), describes the additional fees 
implemented by ITA to cover the administration and supervision of the 
Swiss-U.S. Privacy Shield Framework. Under this revision to the fee 
schedule, organizations that opt to self-certify only for the EU-U.S. 
DPF, only the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, or 
only the Swiss-U.S. DPF will pay a single fee when initially self-
certifying or re-certifying. Organizations that opt to self-certify for 
an additional framework will pay an additional 50 percent of that 
single fee when self-certifying or re-certifying for the additional 
framework, reflecting the efficiency savings in administering the DPF 
program for organizations that participate in multiple parts of the DPF 
program. As organizations that wish to participate in the UK Extension 
to the EU-U.S. DPF must participate in the EU-U.S. DPF, the annual fee 
that such organizations are required to pay to ITA to participate in 
the EU-U.S. DPF currently covers both the EU-U.S. DPF and the UK 
Extension to the EU-U.S. DPF.
    These efficiency savings are maximized if organizations self-
certify to multiple parts of the DPF program simultaneously, reducing 
the required staff time and resources for reviewing materials. In 
addition, organizations that participate in the EU-U.S. DPF and, as 
applicable, the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. 
DPF may adjust their annual re-certification due date by re-certifying 
early (i.e., before the applicable due date) to the relevant part(s) of 
the DPF program.
    Although an organization may adjust its annual re-certification due 
date by re-certifying early, the re-certification due date would apply 
to all parts of the DPF program in which it participates (i.e., re-
certification to the relevant part(s) of the DPF program is 
synchronized). For example, if an organization initially self-certified 
exclusively to and was placed on the Data Privacy Framework List with 
regard to the EU-U.S. DPF, and then several months later self-certified 
to and was placed on the Data Privacy Framework List with regard to the 
Swiss-U.S. DPF, the organization's next re-certification to both of 
those parts of the DPF program would be due by the same date.
    Additionally, a fixed annual fee of $260 will be charged per 
applicable framework for organizations that withdraw from the relevant 
part(s) of the DPF program, retain personal data that they received in 
reliance on their participation in the relevant part(s) of the DPF 
program, continue to apply the Principles to such data, and affirm to 
ITA on an annual basis their commitment to apply the Principles to such 
data. This fee has been set to cover staff costs for reviewing the 
``Post-Withdrawal, Annual Affirmation Questionnaire'', which must be 
submitted by organizations that have chosen the aforementioned option 
when withdrawing from the relevant part(s) of the program, as well as 
the necessary website infrastructure to facilitate submission of the 
proper documents. Additionally, this fee is set to be less than any 
organization would be required to pay for re-certification. The fee 
schedule is set forth below:

             Revised Annual Fee Schedule for the DPF Program
------------------------------------------------------------------------
                                             A single          Both
      Organization's annual revenue          framework      frameworks
------------------------------------------------------------------------
$0 to $5 million........................            $260            $390
Over $5 million to $25 million..........             750           1,125
Over $25 million to $500 million........           1,600           2,400
Over $500 million to $5 billion.........           4,130           6,195
Over $5 billion.........................           5,530           8,295
------------------------------------------------------------------------


------------------------------------------------------------------------
                                            A single
                                           framework     Both frameworks
------------------------------------------------------------------------
Post-withdrawal, annual affirmation               $260             $520
 fee..................................
------------------------------------------------------------------------

    For purposes of the annual fee schedule described above:
     ``A single framework'' could refer to any of the 
following: only the EU-U.S. DPF; only the EU-U.S. DPF and the UK 
Extension to the EU-U.S. DPF; or only the Swiss-U.S. DPF
     ``Both frameworks'' could refer to any of the following: 
the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-
U.S. DPF; or only the EU-U.S. DPF and the Swiss-U.S. DPF.
    Organizations will have additional direct costs associated with 
participating in the DPF program. For

[[Page 70599]]

example, organizations must provide a readily available independent 
recourse mechanism to hear individual complaints at no cost to the 
individual. Furthermore, organizations are required to make 
contributions in connection with the arbitral model, as described in 
Annex I to the Principles.

Method for Determining Fees

    ITA collects, retains, and expends user fees pursuant to delegated 
authority under the Mutual Educational and Cultural Exchange Act as 
authorized in its annual appropriations acts. The EU-U.S. DPF, the UK 
Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF were developed to 
facilitate transatlantic commerce by providing U.S. organizations with 
reliable mechanisms for personal data transfers to the United States 
from the EU/European Economic Area, UK, and Switzerland. The Data 
Privacy Framework program operates in a way that provides strong 
privacy protection as well as a more effective and efficient service to 
participants at a lower cost than other options, including standard 
contractual clauses or binding corporate rules.
    Fees are set by taking into account the operational costs borne by 
ITA to administer and supervise the Data Privacy Framework program. The 
DPF program requires a significant commitment of resources and staff. 
These costs include broad programmatic costs to run the program as well 
as costs specific to EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, 
and the Swiss-U.S. DPF. The DPF program includes commitments from ITA 
to:
     Maintain, upgrade, and update a DPF program website, 
including maintaining the Data Privacy Framework List (i.e., the 
authoritative list of U.S. organizations that have self-certified to 
the DOC, as represented by ITA, and declared their commitment to adhere 
to the Principles);
     Verify self-certification requirements submitted by 
organizations to participate in the DPF program;
     Follow up with organizations that have been removed from 
the Data Privacy Framework List and ensure, where applicable, that 
questionnaires are correctly filed and processed;
     Search for and address false claims of participation;
     Conduct periodic compliance reviews and assessments of the 
program;
     Provide information regarding the program to targeted 
audiences;
     Increase cooperation with European data protection 
authorities;
     Facilitate resolution of complaints about non-compliance;
     Hold periodic meetings with the European Commission, the 
UK government, the Swiss government, and other authorities to review 
the program; and
     Provide the EU, UK, and Switzerland with updates on laws 
relevant to the DPF program.
    In setting these revised DPF program fees, ITA determined that the 
services provided offer special benefits to an identifiable recipient 
beyond those that accrue to the general public. ITA calculated the 
actual cost of providing its services in order to provide a basis for 
setting each fee. This actual cost incorporates direct and indirect 
costs, including operations and maintenance, overhead, and charges for 
the use of capital facilities. ITA also took into account additional 
factors, including inflation, adequacy of cost recovery, affordability, 
and costs associated with alternative options available to U.S. 
organizations for the receipt of personal data from the EU, the UK, and 
Switzerland. Furthermore, ITA considered the cost-savings and 
efficiencies gained in staff hours through simultaneous review of self-
certifications for the EU-U.S. DPF, the UK Extension to the EU-U.S. 
DPF, and the Swiss-U.S. DPF. This analysis balanced these cost savings 
with projected expenses, including, but not limited to, website 
development, further negotiations with the EU, the UK, and Switzerland, 
periodic reviews, certification reviews, and facilitating complaint 
resolutions.
    ITA will continue to use the established five-tiered fee schedule 
(see 82 FR 16375) that promoted participation of small organizations in 
the Privacy Shield program, while amending the fees at each tier to 
account for increased program administration costs. A multiple-tiered 
fee schedule allows ITA to offer organizations with lower revenue a 
lower fee. In setting the five tiers, ITA considered, in conjunction 
with the factors mentioned above: (1) the Small Business 
Administration's guidance on identifying small and medium enterprises 
(SMEs) in various industries most likely to participate in the DPF 
program, such as computer services, software and information services; 
(2) the likelihood that small companies would be expected to receive 
less personal data and thereby use fewer government resources; and (3) 
the likelihood that companies with higher revenue would have more 
customers whose data they process, which would use more government 
resources dedicated to administering and overseeing the DPF program. 
For example, if a company holds more data, it could reasonably produce 
more questions and complaints from consumers and European data 
protection authorities (DPAs). ITA has committed to facilitating the 
resolution of individual complaints and to communicating with the FTC 
and the DPAs regarding consumer complaints. Lastly, the fee increases 
between the tiers are based in part on projected program costs and 
estimated participation levels among companies within each tier.
    As noted above, the revisions to the fee schedule recoups the costs 
to ITA for operating and maintaining the DPF program. ITA has taken 
into account the efficiencies and economies of scale experienced when 
organizations participate in multiple Frameworks by providing a 50 
percent discount off adding another framework program and requiring 
organizations to synchronize their re-certifications. The added cost of 
joining an additional framework program reflects the additional 
expenses incurred, including, but not limited to, for communications 
with DPAs and website infrastructure and development, as well as the 
additional costs of cooperating and communicating separately with the 
EU, UK, and Swiss representatives and governments. The fee applied to 
organizations that withdraw from relevant part(s) of the DPF program, 
but that maintain data, is meant to cover the programmatic costs 
associated with ITA's processing of such organizations' annual 
affirmation of commitment to continue to apply the Principles to the 
personal data they received while participating in the relevant part(s) 
of the DPF program. The flat fee is based on the expectation that 
government resources required to process this annual affirmation will 
be similar for all companies, regardless of size.
    Based on the information provided above, ITA believes that the 
revised DPF program cost recovery fee schedule is consistent with the 
objective of OMB Circular A-25 to ``promote efficient allocation of the 
nation's resources by establishing charges for special benefits 
provided to the recipient that are at least as great as the cost to the 
U.S. Government of providing the special benefits . . .'' (OMB Circular 
A-25(5)(b)). ITA has provided the public with the opportunity to 
comment on the revisions to the fee schedule (89 FR 56289, July 9, 
2024). ITA did not receive any comments and is publishing the final fee 
schedule 30 days before the final fee schedule becomes effective.

[[Page 70600]]

ITA administers and supervises the DPF program, including maintaining 
and making publicly available the Data Privacy Framework List, an 
authoritative list of U.S. organizations that have self-certified to 
the DOC and declared their commitment to adhere to the Principles 
pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the 
EU-U.S. DPF, and/or the Swiss-U.S. DPF.

    Dated: August 26, 2024.
Lesley Elouaradia,
Acting Deputy Assistant Secretary for Services, Industry & Analysis, 
International Trade Administration, U.S. Department of Commerce.
[FR Doc. 2024-19541 Filed 8-29-24; 8:45 am]
BILLING CODE 3510-DR-P