Skip to Content


Proposed Information Collection; Comment Request; Information for Self-Certification Under FAQ 6 of the U.S.-European Union and U.S.-Switzerland Safe Harbor Frameworks

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


International Trade Administration, Commerce.




The Department of Commerce, as part of its continuing effort to reduce paperwork and respondent burden, invites the general public and other Federal agencies to take this opportunity to comment on proposed and/or continuing information collections, as required by the Paperwork Reduction Act of 1995.


Written comments must be submitted on or before June 10, 2014.


Direct all written comments to Jennifer Jessup, Departmental Paperwork Clearance Officer, Department of Commerce, Room 6616, 14th and Constitution Avenue NW., Washington, DC 20230 (or via the Internet at

Start Further Info


Requests for additional information or copies of the information collection instrument and instructions should be directed to: David Ritchie or Nick Enz, U.S. Department of Commerce, International Trade Administration, U.S.-EU & U.S.-Swiss Safe Harbor Programs, 1401 Constitution Avenue NW., Room 20007, Washington, DC 20230; (or via the Internet at; tel. 202-482-4936 or 202-482-1512.

End Further Info End Preamble Start Supplemental Information


I. Abstract

The Safe Harbor self-certification form is used by U.S. organizations in order to certify their compliance with one or both of the Safe Harbor Frameworks. The form has been revised to provide additional guidance and the option to select Swiss Safe Harbor in the drop down menu.

The European Union Directive on Data Protection (EU Directive) and the Swiss Federal Act on Data Protection Start Printed Page 20170(Swiss FADP) generally restrict transfers of personal data to countries that are not deemed to provide “adequate” privacy protection. In order to ensure continued flows of personal data to the United States from the EU and Switzerland, the U.S. Department of Commerce (DOC) developed similar, but separate arrangements with the European Commission and the Federal Data Protection and Information Commissioner of Switzerland (Swiss FDPIC) (i.e., the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework) to provide eligible U.S. organizations with a streamlined means of complying with the relevant requirements of the EU Directive and the Swiss FADP.

On July 26, 2000, the European Commission issued a decision—in accordance with Article 25.6 of the EU Directive—finding that for all of the activities within the scope of the EU Directive, the Safe Harbor Privacy Principles, implemented in accordance with the guidance provided by the Frequently Asked Questions issued by the DOC are considered to ensure an “adequate” level of protection for personal data transferred from the EU to organizations established in the United States. The U.S.-EU Safe Harbor Framework, which the European Economic Area (EEA) also has recognized as providing adequate data protection, became operational on November 1, 2000. The U.S.-Swiss Safe Harbor Framework, which was developed later, became operational in 2009. The complete set of U.S.-EU and U.S.-Swiss Safe Harbor documents and additional guidance materials may be found at​safeharbor.

For purposes of the Safe Harbor Frameworks, “personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the EU Directive, received by a U.S. organization from the EU/EEA and/or Switzerland, and recorded in any form. “Personal data” is defined in the EU Directive as “. . . any information relating to an identified or identifiable natural person”. The scope of the EU Directive extends with a few exceptions to all “processing of data”, which is defined as “. . . any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

The decision by an organization to self-certify its compliance with one or both of the Safe Harbor Frameworks is entirely voluntary; however, once made, the organization must comply with the requirements of the relevant Safe Harbor Framework and publicly declare that it does so. To be assured of Safe Harbor benefits, an organization must reaffirm its self-certification annually, via Form ITA-4149P, to the DOC in accordance with the requirements specified in the Framework(s) and guidance provided by the DOC. An organization's self-certification and the appearance of the organization on the relevant Safe Harbor List(s) pursuant to the self-certification, constitutes an enforceable representation to the DOC and the public that it adheres to a privacy policy that complies with the relevant Safe Harbor Framework(s). Any public misrepresentation concerning an organization's participation in the Safe Harbor or compliance with one or both of the Safe Harbor Frameworks may be actionable by the Federal Trade Commission (FTC) or other relevant government body (e.g. the Department of Transportation).

The Safe Harbor Frameworks provide a number of important benefits, especially predictability and continuity, to U.S. organizations that receive personal data for processing from the EU/EEA and/or Switzerland. All 28 EU Member States, and by extension all EEA Member States, are bound by the European Commission's finding of “adequacy”. Organizations that have self-certified, appear on the relevant Safe Harbor List(s), and have not allowed their certification status to lapse are presumed to provide “adequate” data protection in accordance with the EU Directive and/or the Swiss FADP and therefore are not required to provide further documentation to European officials on this point. The Safe Harbor eliminates the need for prior approval to begin data transfers or makes approval from the appropriate national data protection authority automatic. The Safe Harbor Frameworks offer a simple and cost-effective means of complying with the relevant requirements of the EU Directive and Swiss FADP, which should particularly benefit small and medium enterprises.

The DOC maintains and updates regularly public lists of U.S. organizations that have self-certified and provides guidance on substantive requirements associated with self-certification. The Lists, referred to as the Safe Harbor Lists (i.e. U.S.-EU Safe Harbor List and U.S.-Swiss Safe Harbor List) are necessary to make the Safe Harbor Frameworks operational, and were a key demand of the European Commission and the Swiss FDPIC in agreeing that compliance with the Safe Harbor Frameworks provide “adequate” privacy protection. The Safe Harbor Lists, which are made available to the public on the DOC's Safe Harbor Web site, are used not only by European citizens and organizations to determine whether a U.S. organization is presumed to provide “adequate” data protection, but also by U.S. and European authorities to determine whether an organization has self-certified its compliance with one or both Safe Harbor Frameworks, especially when a complaint has been lodged against that U.S. organization.

II. Method of Collection

The self-certification form is available via the Internet on the DOC Safe Harbor Web site:​safeharbor/​.

III. Data

OMB Control Number: 0625-0239.

Form Number(s): ITA-4149P.

Type of Review: Regular submission (revision of a currently approved information collection).

Affected Public: Business or for-profit organizations.

Estimated Number of Respondents: 780.

Estimated Time per Response: 40 minutes completing and making initial self-certification submission online via the DOC Safe Harbor Web site.

Estimated Total Annual Burden Hours: 520.

Estimated Total Annual Cost to Public: $174,200 (certification fees).

IV. Request for Comments

Comments are invited on: (a) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency's estimate of the burden (including hours and cost) of the proposed collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology.

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval of this information collection; they also will become a matter of public record.

Start Signature
Start Printed Page 20171

Dated: April 8, 2014.

Gwellnar Banks,

Management Analyst, Office of the Chief Information Officer.

End Signature End Supplemental Information

[FR Doc. 2014-08197 Filed 4-10-14; 8:45 am]