Skip to Content


Submission for OMB Review; Comment Request Information Collection for Self-Certification to the EU-U.S. Privacy Shield Framework

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

The Department of Commerce will submit to the Office of Management and Budget (OMB) for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 35).

Agency: International Trade Administration (ITA).

Title: Information Collection for Self-Certification to the EU-U.S. Privacy Shield Framework.

OMB Control Number: 0625-0276.

Form Number(s): None.

Type of Request: Regular submission.

Number of Respondents: 3,600.

Average Hours per Response: 38 minutes.

Burden Hours: 2,954.

Needs and Uses: The United States and the European Union (EU) share the goal of enhancing privacy protection for their citizens, but take different approaches to protecting personal data. Given those differences, the Department of Commerce (DOC) developed the EU-U.S. Privacy Shield Framework (Privacy Shield) in consultation with the European Commission, as well as with industry and other stakeholders, to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union while ensuring the protection of the data as required by EU law.

On July 12, 2016, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law, and the DOC began accepting self-certification submissions from organizations on August 1, 2016. More information on the Privacy Shield is available at:​welcome.

The DOC has issued the Privacy Shield Principles under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). The International Trade Administration (ITA) administers and supervises the Privacy Shield, including by maintaining and making publicly available an authoritative list of U.S. organizations that have self-certified to the DOC. U.S. organizations submit information to ITA to self-certify their compliance with Privacy Shield.

U.S. organizations considering self-certifying to the Privacy Shield should review the Privacy Shield Framework. Start Printed Page 7797In summary, in order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation, or another statutory body that will effectively ensure compliance with the Principles; (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with the Principles; and (d) fully implement them.

Self-certification to the DOC is voluntary; however, an organization's failure to comply with the Principles after its self-certification is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting such acts.

In order to rely on the Privacy Shield for transfers of personal data from the EU, an organization must self-certify its adherence to the Principles to the DOC, be placed by ITA on the Privacy Shield List, and remain on the Privacy Shield List. To self-certify for the Privacy Shield, an organization must provide to the DOC a self-certification submission that contains the information specified in the Privacy Shield Principles. The Privacy Shield self-certification form would be the means by which an organization would provide the relevant information to ITA.

ITA has committed to follow up with organizations that have been removed from the Privacy Shield List. ITA will send questionnaires to organizations that fail to complete the annual certification or who have withdrawn from the Privacy Shield to verify whether they will return, delete, or continue to apply the Principles to the personal information that they received while they participated in the Privacy Shield, and if personal information will be retained, verify who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.

In addition, ITA has committed to conduct compliance reviews on an ongoing basis, including through sending detailed questionnaires to participating organizations. In particular, such compliance reviews shall take place when: (a) The DOC has received specific non-frivolous complaints about an organization's compliance with the Principles, (b) an organization does not respond satisfactorily to inquiries by the DOC for information relating to the Privacy Shield, or (c) there is credible evidence that an organization does not comply with its commitments under the Privacy Shield.

Affected Public: Primarily businesses or other for-profit organizations.

Frequency: Annual and periodic.

Respondent's Obligation: Voluntary.

This information collection request may be viewed at Follow the instructions to view the Department of Commerce collections currently under review by OMB.

Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to OIRA or fax to (202) 975-5806.

Start Signature

Sheleen Dumas,

PRA Departmental Lead, Office of the Chief Information Officer.

End Signature End Preamble

[FR Doc. 2017-01334 Filed 1-19-17; 8:45 am]