The Office of Digital Services Industries (ODSI) within the Department of Commerce’s International Trade Administration (ITA) requests Office of Management and Budget (OMB) approval to make a non-substantive change in order to address an apparent inconsistency between the versions of two of the five information collection instruments (i.e., the “Withdrawal Questionnaire” and the “Failure to Recertify Questionnaire”) that are presently authorized by OMB CONTROL NO. 0625-02761. ODSI seeks to address this apparent inconsistency by removing certain text that appears in the “Failure to Recertify Questionnaire”, but not in the “Withdrawal Questionnaire”, as those questionnaires should be consistent in the options that they offer to organizations choosing to withdraw from participation in the Privacy Shield frameworks2.
The inconsistency that ODSI seeks to remedy is described below.
The version of the “Withdrawal Questionnaire” that was previously submitted and for which authorization was received provides in part that (highlighting added below for ease of reference):
3) With respect to personal data received in reliance upon Privacy Shield, please verify that the organization will:
a. Retain such data, continue to apply the Privacy Shield Principles to such data, and affirm to the Department of Commerce on an annual basis its commitment to apply the Principles to such data;
b. Retain such data and provide “adequate” protection for such data by another authorized means; or
c. Return or delete such data. If so, specify the date by which all such data was returned or deleted.
In contrast, the version of the “Failure to Recertify Questionnaire” that was previously submitted and for which authorization was received provides in part that (highlighting added below for ease of reference):
If the organization wishes to withdraw from Privacy Shield:
4) With respect to personal data received in reliance upon Privacy Shield, please verify that the organization will:
a. Retain such data, continue to apply the Privacy Shield Principles to such data, and affirm to the Department of Commerce on an annual basis its commitment to apply the Principles to such data;
b. Retain such data and provide “adequate” protection for such data by another authorized means;
c. Return or delete such data. If so, specify the date by which all such data was returned or deleted; or
d. A combination of the above options (please describe).
As is indicated above, the version of the “Failure to Recertify Questionnaire” that was previously submitted presents an option (d), “A combination of the above options (please describe)” to respondent organizations whereas the version of the “Withdrawal Questionnaire” that was previously submitted does not present that option. Those questionnaires should be consistent in the options that they offer to organizations choosing to withdraw from participation in the Privacy Shield frameworks, and therefore ODSI seeks the removal of that option (d) from the “Failure to Recertify Questionnaire” in order to accomplish that consistency.
It is ODSI’s understanding that the modification of that information collection instrument (i.e., the “Failure to Recertify Questionnaire”) would not involve any material change in the use to which the information is to be put or the frequency of collection (e.g., it would not impact the previously provided Estimated Number of Respondents, Estimated Total Annual Burden Hours, etc.). We note that this modification does not involve any material change to that information collection instrument (i.e., this should be treated as a “no material/non-substantive change”), as respondent organizations would continue to be presented with the same basic three options, options a-c. We therefore ask that OMB approve this non-substantive change in order to address the noted inconsistency. If OMB has any questions about our request to make this non-substantive change, they should contact.
David Ritchie
Senior Policy Advisor & Lead Administrator
Office of Digital Services Industries | Privacy Shield Team
Industry & Analysis
U.S. Department of Commerce | International Trade Administration
Direct line: (202) 482-4936 | E-mail: [email protected]
1 OMB CONTROL NO. 0625-0276 authorizes the Department, as represented by ITA, to collect information from organizations in the United States to enable such organizations’ self-certification to the EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield Framework (Privacy Shield) and monitor U.S. organizations’ compliance with the Privacy Shield Principles. The Department has committed to follow up with organizations that have been removed from the Privacy Shield List. The Department will send questionnaires to organizations that fail to complete the annual certification or that have withdrawn from the Privacy Shield.
2 The Privacy Shield Supplemental Principle on Self-Certification, section (f) provides in part that “An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide “adequate” protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information.” (available at https://www.privacyshield.gov/article?id=6-Self-Certification) (See also Privacy Shield Principles Overview par. 3, available at https://www.privacyshield.gov/article?id=OVERVIEW)
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | David Ritchie |
| File Modified | 0000-00-00 |
| File Created | 2021-01-13 |