Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework

AGENCY:

International Trade Administration, U.S. Department of Commerce.

ACTION:

Final notice of implementation of a cost recovery program fee.

SUMMARY:

The Department of Commerce published the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework on July 22, 2016 (81 FR 47752). We gave interested parties an opportunity to comment on the fee schedule. No comments were received and so the fee schedule is considered final until further review one year after implementation of the program. Consistent with the guidelines in OMB Circular A-25, the U.S. Department of Commerce's International Trade Administration (ITA) has implemented a cost recovery program fee to support the operation of the EU-U.S. Privacy Shield Framework (Privacy Shield), which requires that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield. The cost recovery program supports the administration and supervision of the Privacy Shield program and supports the provision of Privacy Shield-related services, including education and outreach. The Privacy Shield fee schedule was effective on August 1, 2016, when ITA began accepting self-certifications under the Privacy Shield Framework.

DATES:

This fee schedule was effective August 1, 2016.

FOR FURTHER INFORMATION CONTACT:

Requests for additional information regarding the EU-U.S. Privacy Shield Framework should be directed to Grace Harter, Department of Commerce, International Trade Administration, Room 20001, 1401 Constitution Avenue NW, Washington, DC, tel. 202-482-4936 or 202-482-1512 or via email at privacyshield@trade.gov. Additional information on ITA fees is available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background

Consistent with the guidelines in OMB Circular A-25, federal agencies are responsible for implementing cost recovery program fees.

The role of ITA is to strengthen the competitiveness of U.S. industry, promote trade and investment, and ensure fair trade through the rigorous enforcement of our trade laws and agreements. ITA works to promote privacy policy frameworks to facilitate the flow of data across borders to support international trade.

The United States and the European Union (EU) share the goal of enhancing privacy protection but take different approaches to protecting personal data. Given those differences, the Department of Commerce (DOC) developed the Privacy Shield in consultation with the European Commission, as well as with industry and other stakeholders, to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union while ensuring the protection of the data as required by EU law.

In July 2016, the European Commission approved the EU-U.S. Privacy Shield Framework. The published Privacy Shield Principles are available at: [insert link]. The DOC has issued the Privacy Shield Principles under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). ITA will administer and supervise the Privacy Shield, including by maintaining and making publicly available an authoritative list of U.S. organizations that have self-certified to the DOC. U.S. organizations submit information to ITA to self-certify their compliance with Privacy Shield. ITA will accept self-certification submissions beginning on August 1, 2016. At a future date, ITA will publish for public notice and comment information collections as described in the Privacy Shield Framework consistent with the Paperwork Reduction Act.

U.S. organizations considering self-certifying to the Privacy Shield should review the Privacy Shield Framework. In summary, in order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation; (b) publicly declare its commitment to comply with the Principles through self-certification to the DOC; (c) publicly disclose its privacy policies in line with the Principles; and (d) fully implement them.

Self-certification to the DOC is voluntary; however, an organization's failure to comply with the Principles after its self-certification is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting such acts.

ITA has implemented a cost recovery program to support the operation of the Privacy Shield, which requires U.S. organizations to pay an annual fee to ITA in order to participate in the program. The cost recovery program supports the administration and supervision of the Privacy Shield program and supports the provision of Privacy Shield-related services, including education and outreach. The fee a given organization is charged is based on the organization's annual revenue:

Fee Schedule

Organizations will have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Furthermore, organizations are required to pay contributions in connection with the arbitral model, as described in Annex I to the Principles.

Method for Determining Fees

ITA collects, retains, and expends user fees pursuant to delegated authority under the Mutual Educational and Cultural Exchange Act as authorized in its annual appropriations acts.

The EU-U.S. Privacy Shield Framework was developed to provide organizations in the United States with a reliable mechanism for personal data transfers that underpin the trade and investment relationship between the United States and the EU.

Fees are set taking into account the operational costs borne by ITA to administer and supervise the Privacy Shield program. The Privacy Shield program requires a significant commitment of resources and staff. The Privacy Shield Framework includes commitments from ITA to:

• Maintain a Privacy Shield Web site;
• verify self-certification requirements submitted by organizations to participate in the program;
• expand efforts to follow up with organizations that have been removed from the Privacy Shield List;
• search for and address false claims of participation;
• conduct periodic compliance reviews and assessments of the program;
• provide information regarding the program to targeted audiences;
• increase cooperation with EU data protection authorities;
• facilitate resolution of complaints about non-compliance;
• hold annual meetings with the European Commission and other authorities to review the program, and
• provide an update of laws relevant to Privacy Shield.

In setting the Privacy Shield fee schedule, ITA determined that the services provided offer special benefits to an identifiable recipient beyond those that accrue to the general public. ITA calculated the actual cost of providing its services in order to provide a basis for setting each fee. Actual cost incorporates direct and indirect costs, including operations and maintenance, overhead, and charges for the use of capital facilities. ITA also took into account additional factors, including adequacy of cost recovery, affordability, and costs associated with alternative options available to U.S. organizations for the receipt of personal data from the EU.

ITA established a 5-tiered fee schedule that promotes the participation of small organizations in Privacy Shield. A multiple-tiered fee schedule allows ITA to offer the organizations with lower revenue a lower fee. In setting the 5 tiers, ITA considered, in conjunction with the factors mentioned above: (1) The Small Business Administration's guidance on identifying SMEs in various industries most likely to participate in the Privacy Shield, such as computer services, software and information services; (2) the likelihood that small companies would be expected to receive less personal data and thereby use fewer government resources; and (3) the likelihood that companies with higher revenue would have more customers whose data they process, which would use more government resources dedicated to administering and overseeing Privacy Shield. For example, if a company holds more data it could reasonably produce more questions and complaints from consumers and the European Union's Data Protection Authorities (DPAs). ITA has committed to facilitating the resolution of individual complaints and to communicating with the FTC and the DPAs regarding consumer complaints. Lastly, the fee increases between the tiers are based in part on projected program costs and estimated participation levels among companies within each tier.

Conclusion

Based on the information provided above, ITA believes that its Privacy Shield cost recovery fee schedule is consistent with the objective of OMB Circular A-25 to “promote efficient allocation of the nation's resources by establishing charges for special benefits provided to the recipient that are at least as great as the cost to the U.S. Government of providing the special benefits . . .” OMB CircularA-25(5)(b). ITA did not receive any public comments on the interim final rule it published on July 22, 2016 (PUT IN FR CITE) and is not revising the fee schedule at this time. ITA will reassess the fee schedule after the first year of implementation and, in accordance with OMB Circular A-25, at least every two years thereafter.