Skip to Content

Notice

Information for Self-Certification Under FAQ 6 of the United States European Union Safe Harbor Privacy Framework

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

International Trade Administration, United States Department of Commerce.

ACTION:

Proposed information collection; comment request.

SUMMARY:

The Department of Commerce, as part of its continuing effort to reduce paperwork and respondent burdens, invites the general public and other Federal agencies to take this opportunity to comment on the continuing information collections, as required by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35).

DATES:

Written comments must be submitted on or before June 18, 2007.

ADDRESSES:

Direct all written comments to Diana Hynek, Departmental Paperwork, Clearance Officer, Department of Commerce, Room 6625, 14th and Constitution Avenue, NW., Washington, DC 20230 (or via the Internet at dHynek@doc.gov).

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Requests for additional information or copies of the information collection instrument and instructions should be directed to: Damon Greer, U.S. Department of Commerce, International Trade Administration, Room 2003, 1401 Constitution Avenue, NW., Washington, DC 20230; Phone number: (202) 482-5023 and fax number: (202) 482-5522.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Abstract

In response to the European Union Directive on Data Protection that restricts transfers of personal information from Europe to countries whose privacy practices are not deemed “adequate,” the U.S. Department of Commerce (DOC) has developed a “Safe Harbor” framework that will allow U.S. organizations to satisfy the European Directive's requirements and ensure that personal data flows to the United States are not interrupted. In this process, the DOC repeatedly consulted with U.S. organizations affected by the European Directive and interested non-government organizations. On July 27, 2000, the European Commission issued its decision in accordance with Article 25.6 of the Directive that the Safe Harbor Privacy Principles provide adequate privacy protection. The Safe Harbor framework bridges the differences between the European Union (EU) and U.S. approaches to privacy protection. The complete set of Safe Harbor documents and additional guidance materials may be found at http://export.gov/​safeharbor.

Once the Safe Harbor was deemed “adequate” by the European Commission on July 27, 2000, DOC began working on the requirements that are necessary to put this accord into effect. The European Member States implemented the decision made by the Commission within 90 days. Therefore, the Safe Harbor became operational on November 1, 2000. The DOC created a list for U.S. organizations to sign up to the Safe Harbor and provided guidance on the mechanics of signing up to this list. As of March 1, 2007, 1,100 U.S. organizations have been placed on the Safe Harbor List, located at http://export.gov/​safeharbor.

Organizations that have signed up to this list are deemed “adequate” under the Directive and do not have to provide further documentation to European officials. This list will be used by EU organizations to determine whether further information and contracts will be needed for a U.S. organization to receive personally identifiable information. This list is necessary to make the Safe Harbor accord operational, and was a key demand of the Europeans in agreeing that the Principles were providing “adequate” privacy protection.

The Safe Harbor provides a number of important benefits to U.S. firms. Most importantly, it provides predictability and continuity for U.S. organizations that receive personal information from the European Union. Personally identifiable information is defined as any information that can be identified to a specific person, for example an employee's name and extension would be considered personally identifiable information. All 15 member countries are bound by the European Commission's finding of “adequacy”. The Safe Harbor also eliminates the need for prior approval to begin data transfers, or makes approval from the appropriate EU member countries automatic. The Safe Harbor principles offer a simpler and cheaper means of complying with the adequacy requirements of the Directive, which should particularly benefit small and medium enterprises.

The decision to enter the Safe Harbor is entirely voluntary. Organizations that decide to participate in the Safe Harbor must comply with the safe harbor's requirements and publicly declare that they do so. To be assured of Safe Harbor benefits, an organization needs to reaffirm its self-certification annually to the Department of Commerce that it agrees to adhere to the safe harbor's requirements, which includes elements such as notice, choice, access, data integrity, security and enforcement.

This list will be most regularly used by European Union organizations to determine whether further information and contracts will be needed by a U.S. organization to receive personally identifiable information. It will be used by the European Data Protection Authorities to determine whether a company is providing “adequate” protection, and whether a company has requested to cooperate with the Data Protection Authority. This list will be accessed when there is a complaint logged in the EU against a U.S. organization. This will be on a monthly basis. It will be used by the Federal Trade Commission and the Department of Transportation to determine whether a company is part of the Safe Harbor. This will be accessed if a company is practicing “unfair and deceptive” practices and has misrepresented itself to the public. It will be used by the Department of Commerce and the European Commission to determine if organizations are signing up to the list. Start Printed Page 19173

II. Method of Collection

The self-certification form is provided via the Internet at http://export.gov/​safeharbor and by mail to requesting U.S. firms.

III. Data

OMB Number: 0625-0239.

Form Number: None.

Type of Review: Regular submission.

Affected Public: Business or other for-profit organizations.

Estimated Number of Respondents: 500.

Estimated Time per Response: Web site, 20 minutes; and paper format, 40 minutes.

Estimated Total Annual Burden Hours: 400.

Estimated Total Annual Costs to Public: $20,000.

IV. Request for Comments

Comments are invited on: (a) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency's estimate of the burden (including hours and costs) of the proposed collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or forms of information technology.

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval of this information collection; they also will become a matter of public record.

Start Signature

Dated: April 11, 2007.

Gwellnar Banks,

Management Analyst, Office of the Chief Information Officer.

End Signature End Supplemental Information

[FR Doc. E7-7215 Filed 4-16-07; 8:45 am]

BILLING CODE 3510-DR-P