AGENCY:

International Trade Administration, U.S. Department of Commerce.

ACTION:

Notice of implementation of a cost recovery program fee with request for comments.

SUMMARY:

Consistent with the guidelines in OMB Circular A-25, the U.S. Department of Commerce's International Trade Administration (ITA) is implementing a cost recovery program fee to support the operation of the EU-U.S. Privacy Shield Framework (Privacy Shield), which will require that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield. The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Start Printed Page 47753Privacy Shield-related services, including education and outreach. The Privacy Shield fee schedule will become effective on August 1, 2016, when ITA will begin accepting self-certifications. ITA also is providing the public with the opportunity to comment on the fee schedule. ITA will reassess the fee schedule after the first year of implementation and, in accordance with OMB Circular A-25, at least every two years thereafter.

DATES:

This fee schedule is effective August 1, 2016. Comments must be received by August 22, 2016.

ADDRESSES:

You may submit comments by either of the following methods:

• Federal eRulemaking Portal: www.Regulations.gov. The identification number is ITA-2016-0007.
• Postal Mail/Commercial Delivery to Grace Harter, Department of Commerce, International Trade Administration, Room 20001, 1401 Constitution Avenue NW., Washington, DC and reference “Privacy Shield Fee Structure, ITA-2016-0007” in the subject line.

Instructions: You must submit comments by one of the above methods to ensure that we receive the comments and consider them. Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. All comments received are a part of the public record and will generally be posted to http://www.regulations.gov without change. All Personal Identifying Information (for example, name, address, etc.) voluntarily submitted by the commenter may be publicly accessible. Do not submit Confidential Business Information or otherwise sensitive or protected information.

Commerce Department will accept anonymous comments (enter “N/A” in the required fields if you wish to remain anonymous). Attachments to electronic comments will be accepted in Microsoft Word, Excel, WordPerfect, or Adobe PDF file formats only. Supporting documents and any comments we receive on this docket may be viewed at http://www.regulations.gov/​ITA-2016-0002.

FOR FURTHER INFORMATION CONTACT:

Requests for additional information regarding the EU-U.S. Privacy Shield Framework should be directed to David Ritchie or Grace Harter, Department of Commerce, International Trade Administration, Room 20001, 1401 Constitution Avenue NW., Washington, DC, tel. 202-482-4936 or 202-482-1512 or via email at privacyshield@trade.gov. Additional information on ITA fees is available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background

Consistent with the guidelines in OMB Circular A-25 (https://www.whitehouse.gov/​omb/​circulars_​a025),, federal agencies are responsible for implementing cost recovery program fees.

The role of ITA is to strengthen the competitiveness of U.S. industry, promote trade and investment, and ensure fair trade through the rigorous enforcement of our trade laws and agreements. ITA works to promote privacy policy frameworks to facilitate the flow of data across borders to support international trade.

The United States and the European Union (EU) share the goal of enhancing privacy protection but take different approaches to protecting personal data. Given those differences, the Department of Commerce (DOC) developed the Privacy Shield in consultation with the European Commission, as well as with industry and other stakeholders, to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union while ensuring the protection of the data as required by EU law.

In July 2016, the European Commission approved the EU-U.S. Privacy Shield Framework. The published Privacy Shield Principles are available at: [insert link]. The DOC has issued the Privacy Shield Principles under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). ITA will administer and supervise the Privacy Shield, including by maintaining and making publicly available an authoritative list of U.S. organizations that have self-certified to the DOC. U.S. organizations submit information to ITA to self-certify their compliance with Privacy Shield. ITA will accept self-certification submissions beginning on August 1, 2016. At a future date, ITA will publish for public notice and comment information collections as described in the Privacy Shield Framework consistent with the Paperwork Reduction Act.

U.S. organizations considering self-certifying to the Privacy Shield should review the Privacy Shield Framework. In summary, in order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation; (b) publicly declare its commitment to comply with the Principles through self-certification to the DOC; (c) publicly disclose its privacy policies in line with the Principles; and (d) fully implement them.

Self-certification to the DOC is voluntary; however, an organization's failure to comply with the Principles after its self-certification is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting such acts.

ITA is implementing a cost recovery program to support the operation of the Privacy Shield, which will require U.S. organizations to pay an annual fee to ITA in order to participate in the program. The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach. The fee a given organization will be charged will be based on the organization's annual revenue:

Fee Schedule:

Organizations will have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Furthermore, organizations will be required to pay contributions in connection with the arbitral model, as described in Annex I to the Principles.

Method for Determining Fees

ITA collects, retains, and expends user fees pursuant to delegated authority under the Mutual Educational and Cultural Exchange Act as authorized in its annual appropriations acts.

The EU-U.S. Privacy Shield Framework was developed to provide organizations in the United States with a reliable mechanism for personal data transfers that underpin the trade and investment relationship between the United States and the EU.Start Printed Page 47754

Fees are set taking into account the operational costs borne by ITA to administer and supervise the Privacy Shield program. The Privacy Shield program will require a significant commitment of resources and staff. The Privacy Shield Framework includes commitments from ITA to:

• Maintain a Privacy Shield Web site;
• verify self-certification requirements submitted by organizations to participate in the program;
• expand efforts to follow up with organizations that have been removed from the Privacy Shield List;
• search for and address false claims of participation;
• conduct periodic compliance reviews and assessments of the program;
• provide information regarding the program to targeted audiences;
• increase cooperation with EU data protection authorities;
• facilitate resolution of complaints about non-compliance;
• hold annual meetings with the European Commission and other authorities to review the program, and
• provide an update of laws relevant to Privacy Shield.

In setting the Privacy Shield fee schedule, ITA determined that the services provided offer special benefits to an identifiable recipient beyond those that accrue to the general public. ITA calculated the actual cost of providing its services in order to provide a basis for setting each fee. Actual cost incorporates direct and indirect costs, including operations and maintenance, overhead, and charges for the use of capital facilities. ITA also took into account additional factors, including adequacy of cost recovery, affordability, and costs associated with alternative options available to U.S. organizations for the receipt of personal data from the EU.

ITA is establishing a 5-tiered fee schedule that will promote the participation of small organizations in Privacy Shield. A multiple-tiered fee schedule allows ITA to offer the organizations with lower revenue a lower fee. In setting the 5 tiers, ITA considered, in conjunction with the factors mentioned above: (1) The Small Business Administration's guidance on identifying SMEs in various industries most likely to participate in the Privacy Shield, such as computer services, software and information services; (2) the likelihood that small companies would be expected to receive less personal data and thereby use fewer government resources; and (3) the likelihood that companies with higher revenue would have more customers whose data they process, which would use more government resources dedicated to administering and overseeing Privacy Shield. For example, if a company holds more data it could reasonably produce more questions and complaints from consumers and the European Union's Data Protection Authorities (DPAs). ITA has committed to facilitating the resolution of individual complaints and to communicating with the FTC and the DPAs regarding consumer complaints. Lastly, the fee increases between the tiers are based in part on projected program costs and estimated participation levels among companies within each tier.

Conclusion

Based on the information provided above, ITA believes that its Privacy Shield cost recovery fee schedule is consistent with the objective of OMB Circular A-25 to “promote efficient allocation of the nation's resources by establishing charges for special benefits provided to the recipient that are at least as great as the cost to the U.S. Government of providing the special benefits . . .” OMB Circular A-25(5)(b). ITA is providing the public with the opportunity to comment on the fee schedule, and it will consider these comments when it reassesses the fee schedule. ITA will reassess the fee schedule after the first year of implementation and, in accordance with OMB Circular A-25, at least every two years thereafter.