[Federal Register Volume 79, Number 70 (Friday, April 11, 2014)]
[Notices]
[Pages 20169-20171]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-08197]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration


Proposed Information Collection; Comment Request; Information for 
Self-Certification Under FAQ 6 of the U.S.-European Union and U.S.-
Switzerland Safe Harbor Frameworks

AGENCY: International Trade Administration, Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce, as part of its continuing effort 
to reduce paperwork and respondent burden, invites the general public 
and other Federal agencies to take this opportunity to comment on 
proposed and/or continuing information collections, as required by the 
Paperwork Reduction Act of 1995.

DATES: Written comments must be submitted on or before June 10, 2014.

ADDRESSES: Direct all written comments to Jennifer Jessup, Departmental 
Paperwork Clearance Officer, Department of Commerce, Room 6616, 14th 
and Constitution Avenue NW., Washington, DC 20230 (or via the Internet 
at [email protected]).

FOR FURTHER INFORMATION CONTACT: Requests for additional information or 
copies of the information collection instrument and instructions should 
be directed to: David Ritchie or Nick Enz, U.S. Department of Commerce, 
International Trade Administration, U.S.-EU & U.S.-Swiss Safe Harbor 
Programs, 1401 Constitution Avenue NW., Room 20007, Washington, DC 
20230; (or via the Internet at [email protected]); tel. 
202-482-4936 or 202-482-1512.

SUPPLEMENTARY INFORMATION: 

I. Abstract

    The Safe Harbor self-certification form is used by U.S. 
organizations in order to certify their compliance with one or both of 
the Safe Harbor Frameworks. The form has been revised to provide 
additional guidance and the option to select Swiss Safe Harbor in the 
drop-down menu.
    The European Union Directive on Data Protection (EU Directive) and 
the Swiss Federal Act on Data Protection
(Swiss FADP) generally restrict transfers of personal data to countries 
that are not deemed to provide ``adequate'' privacy protection. In 
order to ensure continued flows of personal data to the United States 
from the EU and Switzerland, the U.S. Department of Commerce (DOC) 
developed similar, but separate arrangements with the European 
Commission and the Federal Data Protection and Information Commissioner 
of Switzerland (Swiss FDPIC) (i.e., the U.S.-EU Safe Harbor Framework 
and U.S.-Swiss Safe Harbor Framework) to provide eligible U.S. 
organizations with a streamlined means of complying with the relevant 
requirements of the EU Directive and the Swiss FADP.
    On July 26, 2000, the European Commission issued a decision--in 
accordance with Article 25.6 of the EU Directive--finding that for all 
of the activities within the scope of the EU Directive, the Safe Harbor 
Privacy Principles, implemented in accordance with the guidance 
provided by the Frequently Asked Questions issued by the DOC are 
considered to ensure an ``adequate'' level of protection for personal 
data transferred from the EU to organizations established in the United 
States. The U.S.-EU Safe Harbor Framework, which the European Economic 
Area (EEA) also has recognized as providing adequate data protection, 
became operational on November 1, 2000. The U.S.-Swiss Safe Harbor 
Framework, which was developed later, became operational in 2009. The 
complete set of U.S.-EU and U.S.-Swiss Safe Harbor documents and 
additional guidance materials may be found at http://export.gov/safeharbor.
    For purposes of the Safe Harbor Frameworks, ``personal data'' and 
``personal information'' are data about an identified or identifiable 
individual that are within the scope of the EU Directive, received by a 
U.S. organization from the EU/EEA and/or Switzerland, and recorded in 
any form. ``Personal data'' is defined in the EU Directive as ``. . . 
any information relating to an identified or identifiable natural 
person''. The scope of the EU Directive extends with a few exceptions 
to all ``processing of data'', which is defined as ``. . . any 
operation or set of operations which is performed upon personal data, 
whether or not by automatic means, such as collection, recording, 
organization, storage, adaptation or alteration, retrieval, 
consultation, use, disclosure by transmission, dissemination or 
otherwise making available, alignment or combination, blocking, erasure 
or destruction''.
    The decision by an organization to self-certify its compliance with 
one or both of the Safe Harbor Frameworks is entirely voluntary; 
however, once made, the organization must comply with the requirements 
of the relevant Safe Harbor Framework and publicly declare that it does 
so. To be assured of Safe Harbor benefits, an organization must 
reaffirm its self-certification annually, via Form ITA-4149P, to the 
DOC in accordance with the requirements specified in the Framework(s) 
and guidance provided by the DOC. An organization's self-certification 
and the appearance of the organization on the relevant Safe Harbor 
List(s) pursuant to the self-certification, constitutes an enforceable 
representation to the DOC and the public that it adheres to a privacy 
policy that complies with the relevant Safe Harbor Framework(s). Any 
public misrepresentation concerning an organization's participation in 
the Safe Harbor or compliance with one or both of the Safe Harbor 
Frameworks may be actionable by the Federal Trade Commission (FTC) or 
other relevant government body (e.g. the Department of Transportation).
    The Safe Harbor Frameworks provide a number of important benefits, 
especially predictability and continuity, to U.S. organizations that 
receive personal data for processing from the EU/EEA and/or 
Switzerland. All 28 EU Member States, and by extension all EEA Member 
States, are bound by the European Commission's finding of ``adequacy''. 
Organizations that have self-certified, appear on the relevant Safe 
Harbor List(s), and have not allowed their certification status to 
lapse are presumed to provide ``adequate'' data protection in 
accordance with the EU Directive and/or the Swiss FADP and therefore 
are not required to provide further documentation to European officials 
on this point. The Safe Harbor eliminates the need for prior approval 
to begin data transfers or makes approval from the appropriate national 
data protection authority automatic. The Safe Harbor Frameworks offer a 
simple and cost-effective means of complying with the relevant 
requirements of the EU Directive and Swiss FADP, which should 
particularly benefit small and medium enterprises.
    The DOC maintains and updates regularly public lists of U.S. 
organizations that have self-certified and provides guidance on 
substantive requirements associated with self-certification. The Lists, 
referred to as the Safe Harbor Lists (i.e. U.S.-EU Safe Harbor List and 
U.S.-Swiss Safe Harbor List) are necessary to make the Safe Harbor 
Frameworks operational, and were a key demand of the European 
Commission and the Swiss FDPIC in agreeing that compliance with the 
Safe Harbor Frameworks provides ``adequate'' privacy protection. The 
Safe Harbor Lists, which are made available to the public on the DOC's 
Safe Harbor Web site, are used not only by European citizens and 
organizations to determine whether a U.S. organization is presumed to 
provide ``adequate'' data protection, but also by U.S. and European 
authorities to determine whether an organization has self-certified its 
compliance with one or both Safe Harbor Frameworks, especially when a 
complaint has been lodged against that U.S. organization.

II. Method of Collection

    The self-certification form is available via the Internet on the 
DOC Safe Harbor Web site: http://export.gov/safeharbor/.

III. Data

    OMB Control Number: 0625-0239.
    Form Number(s): ITA-4149P.
    Type of Review: Regular submission (revision of a currently 
approved information collection).
    Affected Public: Business or for-profit organizations.
    Estimated Number of Respondents: 780.
    Estimated Time per Response: 40 minutes completing and making 
initial self-certification submission online via the DOC Safe Harbor 
Web site.
    Estimated Total Annual Burden Hours: 520.
    Estimated Total Annual Cost to Public: $174,200 (certification 
fees).

IV. Request for Comments

    Comments are invited on: (a) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the agency, including whether the information shall have practical 
utility; (b) the accuracy of the agency's estimate of the burden 
(including hours and cost) of the proposed collection of information; 
(c) ways to enhance the quality, utility, and clarity of the 
information to be collected; and (d) ways to minimize the burden of the 
collection of information on respondents, including through the use of 
automated collection techniques or other forms of information 
technology.
    Comments submitted in response to this notice will be summarized 
and/or included in the request for OMB approval of this information 
collection; they also will become a matter of public record.

    Dated: April 8, 2014.
Gwellnar Banks,
Management Analyst, Office of the Chief Information Officer.
[FR Doc. 2014-08197 Filed 4-10-14; 8:45 am]
BILLING CODE 3510-DR-P