supporting stmt._PS self-cert & qnrs._05-04-20

1. Explain the circumstances that make the collection of information necessary.

The purpose of this request of Paperwork Reduction Act (PRA) clearance is to allow the Department of Commerce (DOC), as represented by the International Trade Administration (ITA), to collect information from organizations in the United States to enable such organizations’ self-certification to the EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield Framework (Privacy Shield) and monitor U.S. organizations’ compliance with the Privacy Shield Principles. The DOC previously requested and obtained first emergency approval and then standard approval of this information collection (OMB Control No. 0625-0276), which expires on 3/31/2020, and now requests standard renewal of this information collection.

The United States, the European Union (EU), and Switzerland share the goal of enhancing privacy protection for their citizens, but take different approaches to doing so. Given those differences, the DOC developed Privacy Shield in consultation with the European Commission, the Swiss Administration, as well as with industry and other stakeholders. Privacy Shield provides U.S. organizations with a reliable mechanism for personal data transfers to the United States from the EU and Switzerland, while ensuring data protection that is consistent with EU and Swiss law.

The European Commission and Swiss Administration deemed the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework adequate to enable data transfers under EU and Swiss law, respectively, on July 12, 2016 and on January 12, 2017. The DOC began accepting self-certification submissions for the EU-U.S. Privacy Shield on August 1, 2016, and for the Swiss-U.S. Privacy Shield on April 12, 2017.

The DOC has issued the Privacy Shield Principles under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. § 1512). The ITA administers and supervises the Privacy Shield, including by maintaining and making publicly available an authoritative list of U.S. organizations that have self-certified to the DOC. In order to rely on the Privacy Shield for transfers of personal data from the EU and/or Switzerland, an organization must submit information to ITA to self-certify its compliance with Privacy Shield. Participating organizations are required to respond to inquiries and requests by the ITA for information relating to the Privacy Shield.

More information on the Privacy Shield is available at: https://www.privacyshield.gov/welcome.

2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.

In order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation, or another statutory body that will effectively ensure compliance with the Privacy Shield Principles; (b) publicly declare its commitment to comply with the Privacy Shield Principles; (c) publicly disclose its privacy policies in line with the Privacy Shield Principles; and (d) fully implement them.

Self-certification to the DOC is voluntary; however, an organization’s failure to comply with the Principles after its self-certification is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)) or other laws or regulations prohibiting such acts.

In order to rely on the Privacy Shield for transfers of personal data from the EU and/or Switzerland, an organization must self-certify its adherence to the Privacy Shield Principles to the DOC, be placed by the ITA on the Privacy Shield List, and remain on the Privacy Shield List.

To self-certify for the Privacy Shield, an organization must provide to the DOC a self-certification submission, which contains the information specified in the Privacy Shield Principles and is signed by a corporate officer on behalf of the organization that is seeking to join the Privacy Shield. The self-certification submission must contain at least the following information:

• name of organization, mailing address, e-mail address, telephone, and fax numbers;

• description of the activities of the organization with respect to personal information received from the EU and/or Switzerland, including: a list of all entities or subsidiaries of the organization that are also adhering to the Privacy Shield Principles and are covered under the organization’s self-certification, types of personal data covered by the organization’s self-certification, and the purposes for which the organization processes personal data in reliance on the Privacy Shield, and

• description of the organization's privacy policy for such personal information, including:

  • if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public;

  • its effective date of implementation;

  • a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield;

  • the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles);

  • name of any privacy program in which the organization is a member;

  • method of verification (e.g., in-house, third party); and

  • the independent recourse mechanism that is available to investigate unresolved complaints.

The DOC maintains and makes available to the public an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Privacy Shield Principles ("the Privacy Shield List"), as well as an authoritative record of U.S. organizations that had previously self-certified to the DOC, but that have been removed from the Privacy Shield List. The DOC maintains the list of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and updates such list on the basis of re-certification submissions, which must be provided not less than annually, and notifications received of non-compliance. The DOC will remove an organization from the Privacy Shield List if it fails to complete its annual re-certification to the DOC, withdraws from the Privacy Shield, or has persistently failed to comply with the Privacy Shield Principles.

EU and Swiss individuals and organizations, as well as U.S. organizations use the Privacy Shield List to confirm whether a given organization is entitled to the benefits of the Privacy Shield. U.S. and European authorities also use the Privacy Shield List in the context of alleged non-compliance with the Privacy Shield Principles.

The DOC has committed to follow up with organizations that have been removed from the Privacy Shield List. The DOC will send questionnaires to organizations that fail to complete the annual certification or that have withdrawn from the Privacy Shield to verify whether the organization will return, delete, or continue to apply the Principles to the personal information that they received while they participated in the Privacy Shield, and if personal information will be retained, verify who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.

In addition, the DOC has committed to conduct compliance reviews on an ongoing basis, including by sending detailed questionnaires to participating organizations. In particular, such compliance reviews shall take place when: (a) the DOC has received specific non-frivolous complaints about an organization’s compliance with the Principles, (b) an organization does not respond satisfactorily to inquiries by the DOC for information relating to the Privacy Shield, or (c) there is credible evidence that an organization does not comply with its commitments under the Privacy Shield.

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.

The DOC offers U.S. organizations the opportunity to provide the self-certification described above via the DOC’s Privacy Shield website: https://www.privacyshield.gov/. Organizations interested in participating in the Privacy Shield will make their initial self-certification, as well as annual re-certification submissions, including payment of the relevant processing fee, online via the Privacy Shield website. The Privacy Shield website also provides organizations already in the program with direct access to their record, thereby enabling them to update the information provided therein throughout the year. This electronic method will be employed, as it is expressly designed to process submissions in a timely and accurate manner. An organization cannot make an initial self-certification, annual re-certification submissions, or other updates to an existing submission via the DOC’s Privacy Shield website unless it has registered a username and password.

The Privacy Shield questionnaires and the corresponding responses provided by organizations are conveyed electronically via e-mail or through the DOC’s Privacy Shield website.

4. Describe efforts to identify duplication.

There is no duplication. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks provide a unique method for handling personal data flows between the EU, Switzerland, and the United States. Under the terms of the DOC’s agreements with the European Commission and Swiss Administration, the DOC has the sole responsibility for collecting and making publicly available the list of organizations that self-certify their adherence to the Privacy Shield Principles.

5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.

There are small businesses amongst the organizations seeking to self-certify under the Privacy Shield. The burden associated with the information collection is not considered to be significant, because the estimated time to complete the self-certification form is 40 minutes. The estimated completion time for three of the questionnaires is under 40 minutes per questionnaire, and the estimated completion time for the remaining questionnaire is 75 minutes. The burden is being minimized by keeping the information request as simple as possible and limiting areas of inquiry to those essential to meeting the requirements set forth in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks provide a number of important benefits, especially predictability and continuity, to U.S. organizations of all sizes that receive personal data for processing from the EU and Switzerland. For example, all EU Member States are bound by the European Commission's finding of “adequacy” with regard to the EU-U.S. Privacy Shield Framework. The Privacy Shield offers a simpler and more cost-effective means of complying with the relevant requirements of EU and Swiss law, which particularly benefit small and medium-sized enterprises.

6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.

Preventing or limiting the collection of information associated with self-certification and the questionnaires under the Privacy Shield would prevent the U.S. government from implementing the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. As a result, the flow of personal data from the EU and Switzerland to the United States could be disrupted, negatively impacting trade and investment. Existing alternatives to the Privacy Shield are more time-consuming, costly, and particularly burdensome to small- and medium-sized enterprises.

7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.

Collection of information will be made in a manner consistent with OMB guidelines.

8. Provide information on the PRA Federal Register Notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

A Federal Register Notice requesting public comments concerning the renewal of the information collection (OMB Control No. 0625-0276) was published on December 26, 2019 (Volume 84, Number 2019-27736, pages 70942-70943). No public comments were received in response to that notice.

9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.

Not Applicable.

10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.

The DOC maintains and makes available to the public an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Privacy Shield Principles ("the Privacy Shield List"), as well as an authoritative record of U.S. organizations that had previously self-certified to the DOC, but that have been removed from the Privacy Shield List. Through the DOC’s Privacy Shield website, the information submitted by organizations to the ITA to self-certify their compliance with Privacy Shield is made publicly available, with the exception of the information concerning annual revenue and number of employees. The exception is indicated in the self-certification form itself, as well as in guidance provided elsewhere on the website. The respondents who volunteer the information in their self-certification submissions know in advance that, with the exception noted, the information will be made publicly available on the DOC’s Privacy Shield website consistent with DOC guidelines and program instructions.

11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.

No questions of a sensitive nature are included in this information collection.

12. Provide an estimate in hours of the burden of the collection of information.

The estimated annual burden in hours is 3,751 (rounded down from 3,751.28).

Self-Certification Form

The total expected number of Privacy Shield submissions that would be received within the next year of the program is 5,100, with each submission representing a separate respondent. DOC estimates an average burden of 40 minutes per submission, including the time it would take to complete the self-certification form and submit it online via the Privacy Shield website. 5,100 responses/submissions x 0.67 hours (i.e., 40 minutes) = 3,417 hours total burden. Self-certification must be renewed annually using the same form.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of initial self-certification or re-certification applications (electronically via DOC’s Privacy Shield website)	0.67 hours (i.e., 40 minutes)	5,100 per year	5,100 per year	3,417 per year

Failure to Recertify Questionnaire

360 responses/submissions x 0.5 hours (i.e., 30 minutes) = 172.50 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Failure to Recertify Questionnaire	0.5 hours (i.e., 30 minutes)	345 per year	345 per year	172.50 per year

Withdrawal Questionnaire

86 responses/submissions x 0.33 hours (i.e., 20 minutes) = 28.38 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Voluntary Withdrawal Questionnaire	0.33 hours (i.e., 20 minutes)	86 per year	86 per year	28.38 per year

Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield

20 responses/submissions x 0.42 hours (i.e., 25 minutes) = 8.40 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield	0.42 hours (i.e., 25 minutes)	20 per year	20 per year	8.40 per year

Compliance Review Questionnaire

100 responses/submissions x 1.25 hours (i.e., 75 minutes) = 125 hours total burden.

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Completion and submission of Compliance Review Questionnaire	1.25 hours (i.e., 75 minutes)	100 per year	100 per year	125 per year

13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).

The estimated annual cost burden to respondents, excluding the value of the burden hours in Question 12, is $6,923,250.

Note:

• The DOC’s ITA has implemented a cost recovery program to support the operation of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which requires that U.S. organizations pay an annual fee to the DOC in order to self-certify under the Privacy Shield. The cost recovery program supports the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach. The annual fee a given organization is charged is determined according to a sliding scale based on the organization’s annual revenue.

Annual Fee Schedule for the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks:

Organization’s Annual Revenue	Single Framework	Both Frameworks
Under $5,000,000	$250	$375
Over $5,000,000 - $25,000,000	$650	$975
Over $25,000,000 - $500,000,000	$1,000	$1,500
Over $500 million to $5 billion	$2,500	$3,750
Over $5 billion	$3,250	$4,875

As was noted in the answer to Question 12, 5,100 is the estimated number of Privacy Shield responses/submissions (i.e., self-certification and re-certification applications) that would be received within the next year of the program.

Organization’s Annual Revenue	Annual Fee	Estimated Number of Privacy Shield Applications Received Per Year	Cost Burden to Respondents
Under $5,000,000	$250	714 (i.e., 14% of 5,100)	$178,500
Over $5,000,000 - $25,000,000	$650	1,020 (i.e., 20% of 5,100)	$663,000
Over $25,000,000 - $500,000,000	$1,000	1,785 (i.e., 35% of 5,100)	$1,785,000
Over $500,000,000 to $5 billion	$2,500	1,122 (i.e., 22% of 5,100)	$2,805,000
Over $5 billion	$3,250	459 (i.e., 9% of 5,100)	$1,491,750
			Total = $6,923,250

• The follow-up questionnaires sent by the DOC to U.S. organizations regarding their compliance with the Privacy Shield do not themselves require payment of a fee to the DOC; however, organizations that withdraw from Privacy Shield and choose to retain personal information received in reliance upon the Privacy Shield by continuing to apply the Privacy Shield Principles to such data must affirm to the DOC, on an annual basis, their commitment to apply the Principles to such data and are charged a $200 annual fee to support the additional administrative burden associated with this option.

14. Provide estimates of annualized cost to the Federal government.

As was noted in the answer to Question 13, the DOC’s ITA has implemented a cost recovery program to support the operation of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which requires that U.S. organizations pay an annual fee to the DOC in order to self-certify under the Privacy Shield. The cost recovery program supports the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach.

$582, 668.17 is the total estimated annualized cost to the federal government according to the methodology described below; however, this figure does not reflect significant website development costs associated with the DOC’s Privacy Shield website. The DOC’s Privacy Shield website, which performs multiple functions essential to Privacy Shield, has required and continues to require significant investment in terms of time and resources. In addition, this figure does not reflect costs associated with the performance of a variety of other important administrative and oversight tasks and outreach to stakeholders, which do not involve information collection instruments. The aforementioned costs, including the ‘total estimated annualized cost to the federal government’ are paid for from funds collected through the cost recovery program to support the operation of the Privacy Shield program.

Note: This estimate is calculated by first determining the hourly rate, and the estimated time that it takes to process the form or questionnaire.

The hourly rate that is presently most relevant to the immediate review and processing of the self-certification form is calculated by taking the hourly rate for the average type of individual performing the relevant tasks and adding 30% to that rate to account for overhead and other basic costs. For purposes of this calculation $46.69/hour is assumed to be the approximate hourly rate of the program administration specialist (i.e., contractor) performing the relevant tasks; therefore, the rate used is $60.70 ($46.69 + $14.01).

Self-Certification Form

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of initial self-certification or re-certification applications	1.67 hours (i.e., 100 minutes)	5,100 per year	5,100 per year	8,517 per year

Cost to federal government per response: Response Time (1.67 hours) x Hourly Rate ($60.70/hour) = $101.34

Total cost: Total Hours (8,517 hours) x Hourly Rate ($60.70/hour) = $516,981.90

The hourly rate relevant to the review and processing of the questionnaires is calculated by taking the approximate GS rating/step for the average type of individual performing the relevant tasks and adding 30% to that rate to account for overhead and other basic costs. For purposes of this calculation $47.52/hour is assumed to be the approximate GS rating/step of the type of DOC employee performing the relevant tasks; therefore, the rate used is $61.78 ($47.52 + $14.26).

Failure to Recertify Questionnaire

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Failure to Recertify Questionnaire	0.67 hours (i.e., 40 minutes)	345 per year	345 per year	231.15 per year

Cost to federal government per response: Response Time (0.67 hours) x Hourly Rate ($61.78/hour) = $41.39

Total cost: Total Hours (231.15 hours) x Hourly Rate ($61.78/hour) = $14,280.45

Voluntary Withdrawal Questionnaire

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Voluntary Withdrawal Questionnaire	0.67 hours (i.e., 40 minutes)	86 per year	86 per year	57.62 per year

Cost to federal government per response: Response Time (0.67 hours) x Hourly Rate ($61.78/hour) = $41.39

Total cost: Total Hours (57.62 hours) x Hourly Rate ($61.78/hour) = $3,559.76

Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield	0.50 hours (i.e., 30 minutes)	20 per year	20 per year	10 per year

Cost to federal government per response: Response Time (0.50 hours) x Hourly Rate ($61.78/hour) = $30.89

Total cost: Total Hours (10 hours) x Hourly Rate ($61.78/hour) = $617.80

Compliance Review Questionnaire

Type of Response	Response Time	No. of Respondents	No. of Responses	Total Hours
Review and processing of Compliance Review Questionnaire	1.17 hours (i.e., 70 minutes)	100 per year	100 per year	117 per year

Cost to federal government per response: Response Time (1.17 hours) x Hourly Rate ($61.78/hour) = $72.28

Total cost: Total Hours (117 hours) x Hourly Rate ($61.78/hour) = $7,228.26

(Self-Certification Form total: $556, 981.90) + (Failure to Recertify Questionnaire total: $14,280.45) + (Voluntary Withdrawal Questionnaire total: $3,559.76) + (Annual Questionnaire for Organizations that Indicated upon Withdrawal that They Would Retain Personal Data Received under the Privacy Shield total: $617.80) + (Compliance Review Questionnaire total: $7,228.26) = $582,668.17

15. Explain the reasons for any program changes or adjustments.

The adjusted figures and by extension the estimates provided in the answers to Questions 12, 13, and 14 reflect the number of “responses” (i.e., the self-certification form-based initial self-certification and re-certification applications, and the four different types of questionnaires) received, reviewed, and processed in the preceding twelve-month period. The adjusted figures and by extension the estimates provided in the answer to Question 14 also reflects the average federal government “response times” associated with the reviewing and processing of the questionnaires in the preceding twelve-month period.

The supporting statement being submitted as part of the requested renewal of OMB CONTROL NO. 0625-0276 features references to both the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework, as well as related EU and Swiss references. Although OMB CONTROL NO. 0625-0276 is already understood to cover information collection instruments applicable to both Privacy Shield frameworks, the answers provided in the previous version of the supporting statement primarily included references to or related to the EU-U.S. Privacy Shield Framework. As was explained in the answer to Question 1 in this version of the supporting statement, the European Commission and Swiss Administration deemed the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework adequate to enable data transfers under EU and Swiss law, respectively, on July 12, 2016 and on January 12, 2017. The DOC began accepting self-certification submissions for the EU-U.S. Privacy Shield on August 1, 2016, and for the Swiss-U.S. Privacy Shield on April 12, 2017.

16. For collections whose results will be published, outline the plans for tabulation and publication.

Much of the information collected from respondents will ultimately be made public in relevant records that appear on the public Privacy Shield List, which the DOC maintains on its Privacy Shield website.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.

Not Applicable.

18. Explain each exception to the certification statement.

Not Applicable.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

This collection does not employ statistical methods.

14