View Information Collection Request (ICR) Package

OMB Control No: 0625-0280	ICR Reference No: 202306-0625-002
Status: Active	Previous ICR Reference No:
Agency/Subagency: DOC/ITA	Agency Tracking No:
Title: Self-Certifications under the Data Privacy Framework Program
Type of Information Collection: New collection (Request for a new OMB Control Number)	Common Form ICR: No
Type of Review Request: Regular
OIRA Conclusion Action: Approved without change	Conclusion Date: 07/10/2023
	Date Received in OIRA: 06/08/2023
Terms of Clearance:

	Inventory as of this Action	Requested	Previously Approved
Expiration Date	07/31/2026	36 Months From Approved
Responses	4,775	0	0
Time Burden (Hours)	3,062	0	0
Cost Burden (Dollars)	217,091	0	0

Abstract: The United States, the European Union (EU), the United Kingdom (UK), and Switzerland share a commitment to enhancing privacy protection, the rule of law, and a recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies, but take different approaches to doing so. Given those differences, the Department of Commerce (DOC) developed the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) in consultation with the European Commission, the UK Government, the Swiss Federal Administration, industry, and other stakeholders. These arrangements were respectively developed to provide U.S. organizations reliable mechanisms for personal data transfers to the United States from the European Union, the United Kingdom (and, as applicable, Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. The DOC is issuing the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles, including the respective sets of Supplemental Principles (collectively the Principles) and Annex I of the Principles, as well as the UK Extension to the EU-U.S. DPF under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). The International Trade Administration (ITA) will administer and supervise the Data Privacy Framework program, including maintaining and making publicly available the Data Privacy Framework List, an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Principles pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. On the basis of the Principles, Executive Order 14086, 28 CFR part 201, and accompanying letters and materials, including ITA's commitments regarding the administration and supervision of the Data Privacy Framework program, it is the DOC's expectation that the European Commission, the UK Government, and the Swiss Federal Administration will respectively recognize the adequacy of the protection provided by the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF thereby enabling personal data transfers from each respective jurisdiction to U.S. organizations participating in the relevant part of the Data Privacy Framework program. It is the DOC’s present expectation that the effective date of the EU-U.S. DPF Principles would coincide with the entry into force of the European Commission’s anticipated recognition of adequacy, whereas the respective effective dates of the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF Principles would occur before the entry into force of the anticipated, respective recognitions of adequacy (i.e., to enable U.S. organizations from the earliest possible date to self-certify their compliance with multiple parts of the Data Privacy Framework program). Personal data cannot be received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF until they have respectively received such recognition (i.e., until such formal recognition enters into force). To initially self-certify or subsequently re-certify for the EU-U.S. DPF and, as applicable, UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, an organization must on each occasion provide to the DOC a submission that contains the relevant information specified in the Principles. The submission must be made via the DOC's Data Privacy Framework program website by an individual within the organization who is authorized to make representations on behalf of the organization and any of its covered U.S. entities regarding its adherence to the Principles. Such an organization must respond promptly to inquiries and other requests for information from the DOC.

Authorizing Statute(s): US Code: 15 USC 1512

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	88 FR 19067	03/30/2023
30-day Notice:	Federal Register Citation:	Citation Date:
	88 FR 37509	06/08/2023
Did the Agency receive public comments on this ICR? No

ICR Summary of Burden

	Total Approved	Change Due to Agency Discretion
Annual Number of Responses	4,775	4,775
Annual Time Burden (Hours)	3,062	3,062
Annual Cost Burden (Dollars)	217,091	217,091

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Miscellaneous Actions

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: As approval is being sought for a new information collection concerning critical components of the Data Privacy Framework (DPF) program, certain updates have had to be made with regard to the total estimated, annualized costs to respondents..

Annual Cost to Federal Government: $468,583

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. Yes

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. Yes

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Leo Kim 202 989-5979 leo.kim@trade.gov

View ICR - OIRA Conclusion