AGENCY:

International Trade Administration, U.S. Department of Commerce.

ACTION:

Notice of amendment to the Privacy Shield cost recovery program fees, with request for comments.

SUMMARY:

Consistent with the guidelines in OMB Circular A-25, the U.S. Department of Commerce's International Trade Administration (ITA) is revising the fee schedule implemented on August 1, 2016. On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. For more detailed information on the Swiss-U.S. Privacy Shield Framework and the announcement, please see https://www.privacyshield.gov/​Program-Overview.

This notice revises the Privacy Shield fee structure to incorporate the Swiss-U.S. Privacy Shield Framework in addition to the existing EU-U.S. Privacy Shield Framework. This is to support the operation of both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield).

DATES:

These fees are effective April 12, 2017. Comments must be received by May 4, 2017.

ADDRESSES:

You may submit comments by either of the following methods:

• Federal eRulemaking Portal: www.Regulations.gov. The identification number is ITA-2017-0001.
• Postal Mail/Commercial Delivery to Joshua Blume, Department of Commerce, International Trade Start Printed Page 16376Administration, Room 11022, 1401 Constitution Avenue NW., Washington, DC and reference “Privacy Shield Fee Structure, ITA-2017-0001” in the subject line.

Instructions: You must submit comments by one of the above methods to ensure that the comments are received and considered. Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. All comments received are a part of the public record and will generally be posted to http://www.regulations.gov without change. All Personal Identifying Information (for example, name, address, etc.) voluntarily submitted by the commenter may be publicly accessible. Do not submit Confidential Business Information or otherwise sensitive or protected information. ITA will accept anonymous comments (enter “N/A” in the required fields if you wish to remain anonymous). Attachments to electronic comments will be accepted in Microsoft Word, Excel, or Adobe PDF file formats only. Supporting documents and any comments we receive on this docket may be viewed at http://www.regulations.gov/​ ITA-2017-0001.

More information regarding the Privacy Shield can be found at https://www.privacyshield.gov/​Program-Overview.

FOR FURTHER INFORMATION CONTACT:

Requests for additional information regarding the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks should be directed to Joshua Blume, Department of Commerce, International Trade Administration, Room 11022, 1401 Constitution Avenue NW., Washington, DC, tel. 202-482-0988 or 202-482-1512 or via email at privacyshield@trade.gov. Additional information on ITA fees is available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background:

In the revised fee structure, there will be one annual fee applied to U.S. organizations to participate in either the Swiss-U.S. or EU-U.S. Privacy Shield Frameworks. Should a U.S. organization opt to self-certify for both programs, they will be provided a reduced rate for the second Framework and be required to synchronize their recertifications to both Frameworks to maximize efficiency. Additionally, a fee will be applied annually to organizations that withdraw from the Privacy Shield and continue to maintain data received while they participated in the Privacy Shield. The cost recovery program will support the administration and supervision of the Privacy Shield and support Privacy Shield services including education and outreach. The revised Privacy Shield fee structure will become effective on April 12, 2017, when ITA will begin accepting certifications to the Swiss-U.S. Privacy Shield.

While the revised fees will be effective April 12, 2017, ITA is providing the public with the opportunity to comment on these revised fees. ITA will then review all comments and reassess the Privacy Shield fees after August 1, 2017, a full year from initial implementation of Privacy Shield, as originally discussed in the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, published September 30, 2016. The review will recur at least every two years thereafter, in accordance with OMB Circular A-25.

Consistent with the guidelines in OMB Circular A-25, federal agencies are responsible for implementing cost recovery program fees. The role of ITA is to strengthen the competitiveness of U.S. industry, promote trade and investment, and ensure fair trade through the rigorous enforcement of our trade laws and agreements. ITA works to promote privacy policy frameworks to facilitate the flow of data across borders and support international trade.

The United States, the European Union (EU), and Switzerland share the goal of enhancing privacy protection but take different approaches to protecting personal data. Given those differences, the Department of Commerce (DOC) developed the Privacy Shield Frameworks in consultation with the European Commission, the Swiss Government, and with industry and other stakeholders, to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union and Switzerland while ensuring the data is protected in a manner consistent with EU and Swiss law.

As referenced in the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, published September 30, 2016 (81 FR 67293), the European Commission approved the EU-U.S. Privacy Shield Framework on July 12, 2016. More recently, on January 12, 2017, the Swiss government approved the Swiss-U.S. Privacy Shield Framework, which is based on the EU-U.S. Privacy Shield. The published Privacy Shield is available at https://www.privacyshield.gov/​. The DOC has issued the Privacy Shield Framework Principles under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512).

ITA administers and supervises the EU-U.S. Privacy Shield Framework, including by maintaining and making publicly available an authoritative list of U.S. organizations that have self-certified to the DOC. U.S. organizations submit information to ITA to self-certify their compliance with Privacy Shield. ITA similarly will administer and supervise the Swiss-U.S. Privacy Shield Framework. ITA will accept self-certification submissions for the Swiss-U.S. Privacy Shield beginning on April 12, 2017. Consistent with the Paperwork Reduction Act, ITA published proposed information collections as described in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for public notice and comment (81 FR 78775 and 82 FR 7796; and 82 FR 6492, respectively).

U.S. organizations considering self-certifying to the Privacy Shield should review the Privacy Shield Frameworks. In summary, to enter either the EU or Swiss-U.S. Privacy Shield Framework, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation; (b) publicly declare its commitment to comply with the Privacy Shield Framework Principles through self-certification to the DOC; (c) publicly disclose its privacy policies in line with the Privacy Shield Framework Principles; and (d) fully implement them.

Self-certification to the DOC is voluntary. However, an organization's failure to comply with the Privacy Shield Framework Principles after its self-certification is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting such acts.

ITA implemented a cost recovery program to support the operation of the EU-U.S. Privacy Shield and is revising that fee schedule to additionally support the operation of the Swiss-U.S. Privacy Shield. The fee a given organization will be charged will be based on the organization's annual revenue. A separate fee will be applied annually to organizations that withdraw from the Privacy Shield and continue to maintain data received while they participated in the Privacy Shield. The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach.

The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, Start Printed Page 16377published September 30, 2016 (81 FR 67293), describes the fees implemented by ITA to cover the administration and supervision of the EU-U.S. Privacy Shield Framework. Under this revision to the fee structure, organizations that join only one Privacy Shield Framework, whether EU or Swiss, will pay the same single fee when initially self-certifying or re-certifying. Organizations that join both Frameworks will pay an additional 50 percent of that single fee when self-certifying or re-certifying for the second Framework, reflecting the efficiency savings in administering the Program for organizations that participate in both Frameworks.

These efficiency savings are maximized if organizations self-certify to both Frameworks simultaneously, reducing the required staff time and resources for reviewing materials. Accordingly, organizations that join both Frameworks will be required to synchronize recertification between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks by renewing their certifications to both Frameworks simultaneously.

In addition, in order to allow organizations to set their own annual schedules, organizations that participate in one or both Frameworks may adjust their annual recertification date by re-certifying early to one or both Frameworks.

For example, organizations that already have joined the EU Framework and wish to join the Swiss Framework as well will have three options for timing the synchronized recertification. Such organizations may (a) self-certify to the Swiss Framework before the EU renewal comes due and re-certify early to the EU Framework at the same time; (b) wait until their certification to the EU Framework is up for renewal and self-certify to the Swiss Framework at the same time as they renew their certification to the EU Framework; or (c) self-certify to the Swiss Framework separately (without waiting for their recertification to the EU Framework to come due), and then re-certify to both Frameworks when their recertification to the EU Framework comes due.

Finally, a fixed annual fee of $200 will be charged for organizations that withdraw from the Privacy Shield and maintain data received under Privacy Shield. This fee has been set to cover staff costs for reviewing the questionnaires of organizations withdrawing from the program, as well as the necessary Web site infrastructure to facilitate submission of the proper documents. Additionally, this fee is set to be less than any organization would be required to pay for recertification. These fees are set forth below:

Annual Fee for Retaining Data after Withdrawal: $200.

Organizations will have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Furthermore, organizations will be required to pay contributions in connection with the arbitral model, as described in Annex I to the Principles.

Method for Determining Fees

ITA collects, retains, and expends user fees pursuant to delegated authority under the Mutual Educational and Cultural Exchange Act as authorized in its annual appropriations acts. The Privacy Shield was developed to provide organizations in the United States with a reliable mechanism for personal data transfers that underpin the trade and investment relationships between the United States and (1) the EU, and (2) Switzerland. As one of only several valid data transfer mechanisms, Privacy Shield operates in a way that provides strong consumer protection as well as a more effective and efficient service to corporations at a lower cost than other options, including standard contractual clauses or binding corporate rules.

Fees are set taking into account the operational costs borne by ITA to administer and supervise the Privacy Shield program. As described in the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, published September 30, 2016 (81 FR 267293), the Privacy Shield program requires a significant commitment of resources and staff. These costs include broad programmatic costs to run the Privacy Shield as well as costs specific to each of the Privacy Shield Frameworks and to the program that allows Participants to retain data after withdrawal from Privacy Shield. The Privacy Shield includes commitments from ITA to:

• Maintain, upgrade, and update a Privacy Shield Web site;
• verify self-certification requirements submitted by organizations to participate in the Privacy Shield;
• expand efforts to follow up with organizations that have been removed from the Privacy Shield List and ensure, where applicable, that questionnaires are correctly filed and processed;
• search for and address false claims of participation;
• conduct periodic compliance reviews and assessments of the program;
• provide information regarding the program to targeted audiences;
• increase cooperation with EU and Swiss data protection authorities;
• facilitate resolution of complaints about non-compliance;
• hold annual meetings with the European Commission, Swiss government, and other authorities to review the program; and
• provide an update of laws relevant to Privacy Shield.

In setting these revised Privacy Shield fees, ITA determined that the services provided offer special benefits to an identifiable recipient beyond those that accrue to the general public. ITA calculated the actual cost of providing its services in order to provide a basis for setting each fee. This actual cost incorporates direct and indirect costs, including operations and maintenance, overhead, and charges for the use of capital facilities. ITA also took into account additional factors, including adequacy of cost recovery, affordability, and costs associated with alternative options available to U.S. organizations for the receipt of personal data from the EU and Switzerland. Furthermore, ITA considered the cost-savings and efficiencies gained in staff hours through simultaneous review of self-certifications for both the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks. This analysis balanced these cost savings with projected expenses, including, but not limited to, Web site development, further negotiations with the EU and Switzerland, an annual review, certification review, and facilitating complaint resolutions.

ITA will continue to use the established five-tiered fee schedule (81 FR 267293) that has promoted participation of small organizations in Privacy Shield, while implementing a reduced rate for organizations self-certifying to both the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks. A Start Printed Page 16378multiple-tiered fee schedule allows ITA to offer organizations with lower revenue a lower fee. In setting the five tiers, ITA considered, in conjunction with the factors mentioned above: (1) The Small Business Administration's guidance on identifying small and medium enterprises (SMEs) in various industries most likely to participate in the Privacy Shield, such as computer services, software and information services; (2) the likelihood that small companies would be expected to receive less personal data and thereby use fewer government resources; and (3) the likelihood that companies with higher revenue would have more customers whose data they process, which would use more government resources dedicated to administering and overseeing Privacy Shield. For example, if a company holds more data it could reasonably produce more questions and complaints from consumers and EU and Swiss Data Protection Authorities (DPAs). ITA has committed to facilitating the resolution of individual complaints and to communicating with the FTC and the DPAs regarding consumer complaints. Lastly, the fee increases between the tiers are based in part on projected program costs and estimated participation levels among companies within each tier.

As noted above, the revised fee schedule recoups the costs to ITA for operating and maintaining Privacy Shield. Organizations seeking to join the Swiss-U.S. Privacy Shield Framework may do so beginning on April 12, 2017, through Privacyshield.gov. ITA has taken into account efficiencies and economies of scale experienced when organizations participate in both Frameworks by providing a 50 percent discount off the second Framework and requiring organizations to synchronize their recertifications. The added cost of joining a second Framework reflects the additional expenses incurred, including, but not limited to, for communications with DPAs and Web site infrastructure and development, as well as the additional costs of cooperating and communicating separately with the EU and Swiss representatives and governments.

The fee applied to organizations that withdraw from Privacy Shield but maintain data is meant to cover the programmatic costs associated with ITA's processing of such organizations' annual affirmation of commitment to continue to apply the Privacy Shield Framework Principles to the personal information they received while participating in the Privacy Shield. The flat fee is based on the expectation that government resources required to process this annual affirmation will be similar for all companies, regardless of size.

Conclusion

Based on the information provided above, ITA believes that the revised Privacy Shield cost recovery fees are consistent with the objective of OMB Circular A-25 to “promote efficient allocation of the nation's resources by establishing charges for special benefits provided to the recipient that are at least as great as the cost to the U.S. Government of providing the special benefits . . .” OMB Circular A-25(5)(b). ITA is providing the public with the opportunity to comment on the fee schedule, and it will consider these comments when it next reassesses the fee schedule. As noted in the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, published September 30, 2016 (81 FR 267293), ITA will conduct its next fee reassessment after August 1, 2017, at the conclusion of the first year of implementation of the Privacy Shield. ITA will continue to conduct reassessments thereafter at least every two years, in accordance with OMB Circular A-25.