supporting statement for PS self-cert form & questionnaires_01-13-2017

1. Explain the circumstances that make the collection of information necessary.

The purpose of this request of Paperwork Reduction Act (PRA) clearance is to allow the Department of Commerce (DOC), as represented by the International Trade Administration (ITA), to collect information from organizations in the United States to enable such organizations’ self-certification to the EU-U.S. Privacy Shield Framework (Privacy Shield) and monitor organizations’ compliance with the Privacy Shield Principles. The DOC previously requested and obtained emergency approval of this information collection (OMB Control No. 0625-0276), which expires on 1/31/2017, and now requests standard approval of this information collection.

The United States and the European Union (EU) share the goal of enhancing privacy protection for their citizens, but take different approaches to protecting personal data. Given those differences, the DOC developed Privacy Shield in consultation with the European Commission, as well as with industry and other stakeholders, to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the EU while ensuring the protection of the data as required by EU law.

On July 12, 2016, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law, and the DOC began accepting self-certification submissions from organizations on August 1, 2016.

The DOC has issued the Privacy Shield Principles under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. § 1512). The ITA administers and supervises the Privacy Shield, including by maintaining and making publicly available an authoritative list of U.S. organizations that have self-certified to the DOC. In order to rely on the Privacy Shield for transfers of personal data from the EU, an organization must submit information to ITA to self-certify its compliance with Privacy Shield. Participating organizations are required to respond to inquiries and requests by the ITA for information relating to the Privacy Shield.

More information on the Privacy Shield is available at: https://www.privacyshield.gov/welcome.

2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.

In order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation, or another statutory body that will effectively ensure compliance with the Privacy Shield Principles; (b) publicly declare its commitment to comply with the Privacy Shield Principles; (c) publicly disclose its privacy policies in line with the Privacy Shield Principles; and (d) fully implement them.

Self-certification to the DOC is voluntary; however, an organization’s failure to comply with the Principles after its self-certification is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)) or other laws or regulations prohibiting such acts.

In order to rely on the Privacy Shield for transfers of personal data from the EU, an organization must self-certify its adherence to the Privacy Shield Principles to the DOC, be placed by the ITA on the Privacy Shield List, and remain on the Privacy Shield List.

To self-certify for the Privacy Shield, an organization must provide to the DOC a self-certification submission, which contains the information specified in the Privacy Shield Principles and is signed by a corporate officer on behalf of the organization that is seeking to join the Privacy Shield. The self-certification submission must contain at least the following information:

• name of organization, mailing address, e-mail address, telephone, and fax numbers;

• description of the activities of the organization with respect to personal information received from the EU, including: a list of all entities or subsidiaries of the organization that are also adhering to the Privacy Shield Principles and are covered under the organization’s self-certification, types of personal data covered by the organization’s self-certification, and the purposes for which the organization processes personal data in reliance on the Privacy Shield, and

• description of the organization's privacy policy for such personal information, including:

  • if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public;

  • its effective date of implementation;

  • a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield;

  • the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles);

  • name of any privacy program in which the organization is a member;

  • method of verification (e.g., in-house, third party); and

  • the independent recourse mechanism that is available to investigate unresolved complaints.

The DOC will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Privacy Shield Principles ("the Privacy Shield List"), as well as an authoritative record of U.S. organizations that had previously self-certified to the DOC, but that have been removed from the Privacy Shield List. The DOC will maintain the list of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of re-certification submissions, which must be provided not less than annually, and notifications received of non-compliance. The DOC will remove an organization from the Privacy Shield List if it fails to complete its annual re-certification to the DOC, withdraws from the Privacy Shield, or has persistently failed to comply with the Privacy Shield Principles.

The Privacy Shield List will be used not only by individuals and organizations in the EU and organizations in the United States to confirm whether a given organization is entitled to the benefits of the Privacy Shield, but also by U.S. and European authorities in the context of alleged non-compliance with the Privacy Shield Principles.

The DOC has committed to follow up with organizations that have been removed from the Privacy Shield List. The DOC will send questionnaires to organizations that fail to complete the annual certification or that have withdrawn from the Privacy Shield to verify whether the organization will return, delete, or continue to apply the Principles to the personal information that they received while they participated in the Privacy Shield, and if personal information will be retained, verify who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.

In addition, the DOC has committed to conduct compliance reviews on an ongoing basis, including by sending detailed questionnaires to participating organizations. In particular, such compliance reviews shall take place when: (a) the DOC has received specific non-frivolous complaints about an organization’s compliance with the Principles, (b) an organization does not respond satisfactorily to inquiries by the DOC for information relating to the Privacy Shield, or (c) there is credible evidence that an organization does not comply with its commitments under the Privacy Shield.

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.

The DOC offers U.S. organizations the opportunity to provide the self-certification described above via the DOC’s Privacy Shield website: https://www.privacyshield.gov/. Organizations interested in participating in the Privacy Shield will make their initial self-certification, as well as annual re-certification submissions, including payment of the relevant processing fee, online via the Privacy Shield website. The Privacy Shield website also provides organizations already in the program with direct access to their record, thereby enabling them to update the information provided therein throughout the year. This electronic method will be employed, as it is expressly designed to process submissions in a timely and accurate manner. An organization cannot make an initial self-certification, annual re-certification submissions, or other updates to an existing submission via the DOC’s Privacy Shield website unless it has registered a username and password.

It is anticipated that the Privacy Shield questionnaires and the corresponding responses provided by organizations would be conveyed electronically via e-mail or through the DOC Privacy Shield website.

4. Describe efforts to identify duplication.

There is no duplication. The EU-U.S. Privacy Shield Framework is a unique method for handling personal data flows between the EU and the United States. Under the terms of the DOC’s agreement with the European Commission, the DOC has the sole responsibility for collecting and making publicly available the list of organizations that self-certify their adherence to the Privacy Shield Principles.

5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.

There are small businesses amongst the organizations seeking to self-certify under the Privacy Shield. The burden associated with the information collection is not considered to be significant, because the estimated time to complete the self-certification form is 40 minutes. The estimated completion time for three of the questionnaires is under 40 minutes per questionnaire, and the estimated completion time for the remaining questionnaire is 75 minutes. The burden is being minimized by keeping the information request as simple as possible and limiting areas of inquiry to those essential to meeting the requirements set forth in the Privacy Shield Framework.

The EU-U.S. Privacy Shield Framework provides a number of important benefits, especially predictability and continuity, to U.S. organizations of all sizes that receive personal data for processing from the EU. All 28 EU Member States are bound by the European Commission's finding of “adequacy”. The Privacy Shield offers a simpler and more cost-effective means of complying with the relevant requirements of the EU Directive, which particularly benefit small and medium enterprises.

6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.

Preventing or limiting the collection of information associated with self-certification and the questionnaires under the Privacy Shield would prevent the U.S. Government from implementing the EU-U.S. Privacy Shield Framework as agreed between the European Commission and the DOC. As a result, the flow of personal data from the EU and to the United States could be disrupted, negatively impacting trade and investment. Alternatives to the EU-U.S. Privacy Shield Framework that exist under the EU Directive are more time-consuming, costly, and particularly burdensome to small and medium sized enterprises.

7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.

Collection of information will be made in a manner consistent with OMB guidelines.

8. Provide information on the PRA Federal Register Notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

The OMB waived the requirement that the DOC submit a PRA Federal Register Notice for the emergency approval of this information collection (OMB Control No. 0625-0276), which expires on 1/31/2017.

A Federal Register Notice requesting public comments concerning this information collection (OMB Control No. 0625-0276) was published on November 9, 2016 (Volume 81, Number 2016-27053, pages 78775-78776). No comments from the public have been generated from this announcement.

9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.

Not Applicable.

10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.

The DOC will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Privacy Shield Principles ("the Privacy Shield List"), as well as an authoritative record of U.S. organizations that had previously self-certified to the DOC, but that have been removed from the Privacy Shield List. Through the DOC Privacy Shield website, the information submitted by organizations to the ITA to self-certify their compliance with Privacy Shield is made publicly available, with the exception of the information concerning annual revenue and number of employees. The exception is indicated in the self-certification form itself, as well as in guidance provided elsewhere on the website. The respondents who volunteer the information in their self-certification submissions know in advance that, with the exception noted, the information will be made publicly available on the DOC’s Privacy Shield website consistent with DOC guidelines and program instructions.

11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.

No questions of a sensitive nature are included in this information collection.

12. Provide an estimate in hours of the burden of the collection of information.

The estimated annual burden in hours is 2,954 (rounded up from 2,953.92).

Self-Certification Form

The total expected number of Privacy Shield submissions that would be received within the first year of the program is 3,600, with each submission representing a separate respondent. DOC estimates an average burden of 40 minutes per submission, including the time it would take to complete the self-certification form and submit it online via the Privacy Shield website. 3,600 responses/submissions x 0.67 hours (i.e., 40 minutes) = 2,412 hours total burden. Self-certification must be renewed annually using the same form.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of initial self-certification or recertification applications (electronically via DOC’s Privacy Shield website)	0.67 hours (i.e., 40 minutes)	3,600 per year	3,600 per year	2,412 per year

Failure to Recertify Questionnaire

360 responses/submissions x 0.5 hours (i.e., 30 minutes) = 180 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Failure to Recertify Questionnaire	0.5 hours (i.e., 30 minutes)	360 per year	360 per year	180 per year

Withdrawal Questionnaire

96 responses/submissions x 0.33 hours (i.e., 20 minutes) = 31.68 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Voluntary Withdrawal Questionnaire	0.33 hours (i.e., 20 minutes)	96 per year	96 per year	31.68 per year

Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield

72 responses/submissions x 0.42 hours (i.e., 25 minutes) = 30.24 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield	0.42 hours (i.e., 25 minutes)	72 per year	72 per year	30.24 per year

Compliance Review Questionnaire

240 responses/submissions x 1.25 hours (i.e., 75 minutes) = 300 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Compliance Review Questionnaire	1.25 hours (i.e., 75 minutes)	240 per year	240 per year	300 per year

13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).

The estimated annual cost burden to respondents, excluding the value of the burden hours in Question 12, is $2,824,200.

Note:

• The DOC’s ITA is implementing a cost recovery program to support the operation of the EU-U.S. Privacy Shield Framework, which will require that U.S. organizations pay an annual fee to the DOC in order to self-certify under the Privacy Shield. The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach. The annual fee a given organization will be charged will be determined according to a sliding scale based on the organization’s annual revenue.

• The follow-up questionnaires sent by the DOC to U.S. organizations regarding their compliance with the Privacy Shield do not themselves require payment of a fee to the DOC. Organizations that withdraw from Privacy Shield, which choose to retain personal information received in reliance upon the Privacy Shield by continuing to apply the Privacy Shield Principles to such data, must affirm to the DOC, on an annual basis, their commitment to apply the Principles to such data. It is anticipated that such organizations will be charged a fee to support the additional administrative burden associated with this option.

EU-U.S. Privacy Shield Framework Cost Recovery Program Fee Schedule:

Organization’s Annual Revenue
Under $5,000,000	$250
Over $5,000,000 - $25,000,000	$650
Over $25,000,000 - $500,000,000	$1,000
Over $500 million to $5 billion	$2,500
Over $5 billion	$3,250

As was noted in the answer to Question 12, 3,600 is the estimated number of Privacy Shield responses/submissions that would be received within the first year of the program.

Organization’s Annual Revenue	Annual Fee	Estimated number of Privacy Shield submissions received the first year of the program	Cost Burden to Respondents
Under $5,000,000	$250	1,116 (i.e., 31% of 3,600)	$279,000
Over $5,000,000 - $25,000,000	$650	828 (i.e., 23% of 3,600)	$538,200
Over $25,000,000 - $500,000,000	$1,000	1,440 (i.e., 40% of 3,600)	$1,440,000
Over $500,000,000 to $5 billion	$2,500	180 (i.e., 5% of 3,600)	$450,000
Over $5 billion	$3,250	36 (i.e., 1% of 3,600)	$117,000
			Total = $2,824,200

14. Provide estimates of annualized cost to the Federal government.

$334,535.02 is the total estimated annualized cost to the Federal government according to the methodology described below; however, this figure does not reflect significant website development costs associated with the DOC’s Privacy Shield website. The DOC’s Privacy Shield website, which performs multiple functions essential to Privacy Shield, has required and continues to require significant investment in terms of time and resources.

Note: This estimate is calculated by first determining the hourly rate, and the estimated time that it takes to process the form or questionnaire. The hourly rate is calculated by taking the approximate GS rating/step for the type of employee performing the relevant tasks and adding 30% to that rate to account for overhead and other basic costs. For purposes of this calculation $36.14/hour is assumed to be the approximate GS rating/step; therefore, the rate used is $46.98 ($36.14 + $10.84).

Self-Certification Form

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of initial self-certification or recertification applications	1.67 hours (i.e., 100 minutes)	3,600 per year	3,600 per year	6,012 per year

Cost to Federal government per response: Response Time (1.67 hours) x Hourly Rate ($46.98/hour) = $78.46

Total cost: Total Hours (6,012 hours) x Hourly Rate ($46.98/hour) = $282,443.76

Failure to Recertify Questionnaire

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Failure to Recertify Questionnaire	1.33 hours (i.e., 80 minutes)	360 per year	360 per year	478.8 per year

Cost to Federal government per response: Response Time (1.33 hours) x Hourly Rate ($46.98/hour) = $62.48

Total cost: Total Hours (478.8 hours) x Hourly Rate ($46.98/hour) = $22,494.02

Voluntary Withdrawal Questionnaire

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Voluntary Withdrawal Questionnaire	1 hour (i.e., 60 minutes)	96 per year	96 per year	96 per year

Cost to Federal government per response: Response Time (1 hour) x Hourly Rate ($46.98/hour) = $46.98

Total cost: Total Hours (96 hours) x Hourly Rate ($46.98/hour) = $4,510.08

Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield	0.75 hours (i.e., 45 minutes)	72 per year	72 per year	54 per year

Cost to Federal government per response: Response Time (0.75 hours) x Hourly Rate ($46.98/hour) = $35.24

Total cost: Total Hours (54 hours) x Hourly Rate ($46.98/hour) = $2,536.92

Compliance Review Questionnaire

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Compliance Review Questionnaire	2 hours (i.e., 120 minutes)	240 per year	240 per year	480 per year

Cost to Federal government per response: Response Time (2 hours) x Hourly Rate ($46.98/hour) = $93.96

Total cost: Total Hours (480 hours) x Hourly Rate ($46.98/hour) = $22,550.40

(Self-Certification Form total: $282,443.76) + (Failure to Recertify Questionnaire total: $22,494.02) + (Voluntary Withdrawal Questionnaire total: $4,510.08) + (Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield total: $2,536.92) + (Compliance Review Questionnaire total: $22,550.40) = $334,535.02

15. Explain the reasons for any program changes or adjustments.

This is a new information collection. This will replace the similar information collection for the U.S.-EU Safe Harbor program.

16. For collections whose results will be published, outline the plans for tabulation and publication.

Much of the information collected from respondents will ultimately be made public in relevant records that appear on the public Privacy Shield List, which the DOC maintains on its Privacy Shield website.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.

Not Applicable.

18. Explain each exception to the certification statement.

Not Applicable.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

This collection does not employ statistical methods.

14