Reporting and Recordkeeping Requirements Under Executive Order 14117
OMB Control Number 1124-AA01
OMB Expiration Date: XX/XX/XXXX
SUPPORTING STATEMENT A FOR
PROVISIONS PERTAINING TO PREVENTING ACCESS TO U.S. SENSITIVE PERSONAL DATA BY COUNTRIES OF CONCERN OR COVERED PERSONS
JUSTIFICATION
1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
On February 28, 2024, the President issued Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (the Order) pursuant to his authority under the Constitution and laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and 301 of title 3, United States Code). The Order directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (transaction), where the transaction: involves bulk U.S. sensitive personal data (SPD) or U.S. Government related data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to Americans’ bulk SPD or U.S. government-related data; and meets other criteria specified by the Order. On March 5, 2025, the Department of Justice (Department or DOJ), through the National Security Division, issued an Advance Notice of Proposed Rulemaking (ANPRM) setting forth contemplated regulations to implement the Order and seeking public comment.
The Department is now issuing a notice of proposed rulemaking (NPRM) that incorporates and responds to the public comments received on the ANPRM, proposes regulations to implement the Order, and again seeks public comment on various topics related to the implementation of the Order. Generally, the proposed rule would prohibit U.S. persons from engaging in two categories of covered data transactions (involving either data brokerage or genomic-data transfers) with countries of concern or covered persons. The proposed rule would also restrict U.S. persons from engaging in three categories of covered data transactions (vendor agreements, employment agreements, and investment agreements) with countries of concern or covered persons by authorizing those transactions only if certain security requirements and other conditions are satisfied. In addition to categories of covered persons defined by the proposed rule, the proposed rule would create a process for the Department to supplement those categories by designating covered persons that meet certain criteria. The proposed rule would create several mechanisms for affected persons to apply for specific licenses, request advisory opinions, and petition for removal from the list of designated covered persons. Finally, for compliance and enforcement purposes, the proposed rule also creates certain recordkeeping and reporting obligations for certain categories of U.S. persons and certain categories of transactions.
The proposed rule includes seven related new collections of information as detailed below.
Annual reports. Section 202.1103 requires that certain categories of U.S. persons engaged in certain subsets of restricted transactions (i.e., those involving certain cloud computing services and certain covered data transactions involving data brokerage) file annual reports with the Department because of the significant risk to U.S. national security and the priority for compliance and enforcement that these categories present. This information is necessary to enable DOJ to effectively monitor compliance with the regulatory requirements and to undertake enforcement actions for lack of compliance with these requirements.
Applications for specific licenses. Section 202.802 sets out the procedure and information to be provided as part of an application for a specific license. This information is necessary for DOJ to evaluate a request for a specific license authorizing an otherwise-prohibited transaction, determine whether to grant or deny the license, and determine any conditions that may be imposed.
Reports on rejected transactions. Section 202.1104 requires that U.S. persons report information to DOJ on certain types of rejected prohibited data transactions. This information will help DOJ identify potential countries of concern or covered persons seeking to enter into prohibited transactions with U.S. persons in contravention of the E.O. and regulations, including through circumvention and evasion. This information is necessary for DOJ to monitor compliance with the regulatory requirements, to undertake enforcement actions for lack of compliance with these requirements, and to identify ways in which to refine and amend the proposed regulations in the future.
Requests for advisory opinion. Section 202.901 sets out the procedure for requesting an advisory opinion on a transaction. An advisory opinion would allow an affected party to seek clarity on the treatment of a transaction under the proposed rule, such as whether a transaction is prohibited, restricted, or exempt, or whether a party to a transaction is considered a covered person. The information requested is necessary for DOJ to provide a relevant and effective Advisory Opinion to the requesting person or entity.
Petitions for removal from designated covered persons list. Section 202.702 sets out procedures for filing a petition to remove a person from the list of designated covered persons. This information is necessary to enable DOJ to consider and make potential corrections to the list, to evaluate new information to consider removing a person from the covered persons’ list, and to provide designated covered persons with an opportunity to seek redress.
Reports on suspected violations of onward transfers prohibition. Section 202.302 sets out procedures for reporting known or suspected violations of the onward transfers prohibition described in § 202.302. This information is necessary to enable DOJ to monitor whether U.S. parties engaging in covered data transactions involving data brokerage with foreign persons are taking reasonable steps to monitor their contractual provisions regarding this prohibition.
Recordkeeping requirements. Section 202.1101 requires U.S. persons to maintain records on restricted transactions and includes the types of records that they must maintain. This information is required to enable DOJ to effectively monitor compliance with regulatory requirements and to undertake enforcement actions for lack of compliance with these requirements. This information will also ensure that parties to restricted transactions adequately certify the completeness and accuracy of the records documenting the due diligence they have undertaken in engaging in transactions.
2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
This is a new collection.
The information collected will used by attorneys and non-attorneys in the Foreign Investment Review Section (FIRS) in the Department’s National Security Division to implement the Order and proposed rule. Some of the information collected may also be used by attorneys and non-attorneys at other agencies as part of interagency consideration of specific matters (such as the information submitted in applications for specific licenses).
Information submitted in applications for specific licenses will be used by FIRS to determine whether to authorize a particular transaction that would otherwise be prohibited under the final rule. It would be impossible to authorize such exceptions without requiring the parties requesting them to submit the relevant information and basic facts supporting such requests. Similarly, information submitted as part of a request for an advisory opinion request is necessary for FIRS to understand the relevant transaction and other facts about which guidance is sought and to form and provide relevant guidance to the requesting parties. Likewise, information submitted as part of a petition to delist a person from the list of designated covered persons is necessary for DOJ to understand, consider, and evaluate the proposed removal of the covered person.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also, describe any consideration of using information technology to reduce burden.
The collections of information will involve the use of electronic submissions of responses. The proposed rule will require parties to submit these collections of information electronically using an on-line system that is currently being planned and developed (when available) or, until that system becomes available or if the system is temporarily unavailable after being deployed, through a dedicated email address using approved forms. Copies of the form templates are attached to this supporting statement.
To the extent that other agencies review the information submitted as part of interagency consideration of specific matters (such as applications for specific licenses), the Department will disseminate the information electronically to other agencies, thereby saving the submitting parties from having to supply multiple paper or electronic copies.
4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item A.2 above.
The information collected as proposed in the NPRM will not be duplicative. The information being collected is for a new regulatory program implementing the Order, generally pertains to individual transactions, and is not available other than through a specific application, report, or other filing by the parties. The individual responses to each collection of information is of a limited nature, separate, and unique. The Department will also minimize duplication by accepting relevant documents that parties have already prepared for other purposes, such as corporate annual reports and copies of filings made to other agencies, if relevant. Thus, there is no duplication of records.
All U.S. persons, however, are required to make individual reports on U.S. persons report information to DOJ on rejected prohibited data transactions and are also required to report on an annual basis any restricted transactions involving certain cloud computing services and certain covered data transactions involving data brokerage. The annual report is not merely a duplicate of the information previously reported. Because various authorized or otherwise legal transactions can occur throughout a 12-month period affecting whether a bulk threshold of data is reached, only through the annual reporting requirement can DOJ be apprised of whether the aggregate volume of data was reached in a 12-month period as prescribed by the regulations.
5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
The information collection may affect a limited number of small businesses or other small entities that engaged in restricted or prohibited data transactions, unless otherwise authorized, by the regulations. Regarding licensing, the application procedures are simple, and the average time required to complete a license application is 10 hours. The recordkeeping requirement imposed by § 202.1101 is minimal, because the records required to be maintained should already be maintained under standard business practices.
6. Describe the consequence to federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
The information collected is used primarily by DOJ for licensing, compliance, and enforcement purposes. This information is used to authorize certain transactions consistent with policy and to prevent the unauthorized transfer of bulk SPD to countries of concern or covered persons. Without these collections of information, the Order and implementing regulations at issue, including provisions for authorizing certain otherwise prohibited transactions, cannot be implemented and enforced.
Generally, the information could not be collected less frequently. For example, the need for information required to request a specific license arises only at the time an applicant determines to engage in a transaction for which such a license is necessary. Persons availing themselves of certain general licenses may be required to file reports and statements in accordance with the instructions specified in those licenses. With regard to the individual and annual reports, if the information were not collected or were collected less frequently, DOJ would have no means of tracking the compliance of U.S. persons with the relevant regulations under this Order.
7. Explain any special circumstances that would cause an information collection to be conducted in a manner:
requiring respondents to report information to the agency more often than quarterly;
Under Section 202.1104 of the rule, respondents are required to report rejection of a prohibited transaction within 14 days of such rejection. This may cause an information collection to DOJ more frequently than once a quarter. Prompt reporting of rejected prohibited transactions is necessary for DOJ to identify countries of concern or covered persons seeking to enter into prohibited transactions with U.S. persons in contravention of the Order and its regulations, and to promptly take any action appropriate to protect national security and prevent circumvention of the regulations. The information will ensure DOJ can effectively monitor compliance with and undertake enforcement of the Order and regulations.
Respondents may choose to submit requests for Advisory Opinions and special licenses more frequently than once a quarter, and consequently, the information required for such submission may cause an information collection to DOJ more often than quarterly.
requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;
Section 202.1102 provides that reports with respect to covered data transactions may be required either before, during, or after such covered data transactions.
requiring respondents to submit more than an original and two copies of any document;
There are no such requirements.
requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
The rule requires respondents to retain records for ten years because the statute of limitations for violations of the Order’s underlying legal authority, the International Emergency Economic Powers Act, is ten years. See Pub. L. No. 118-50, div. E, § 3111(a), 118th Cong. (2024).
in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;
N/A.
requiring the use of statistical data classification that has not been reviewed and approved by OMB;
N/A.
that includes a pledge of confidentially that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
N/A.
requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentially to the extent permitted by law.
N/A.
8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.
Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.
Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years -- even if the collection-of-information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.
An ANPRM was published in the Federal Register on March 5, 2024 (89 FR 15780). The comment period ended on April 19, 2024. Some comments related to the respondents’ inability to calculate the bulk data thresholds and thus potentially overreport transactions that may not be in scope of the proposed rule.
The Department has engaged extensively with various entities including individual companies as well as research institutions that will need to comply with the proposed regulations. The information collections expected under these proposed regulations are narrowly tailored to minimize the administrative process burden while achieving the regulatory goals.
9. Explain any decision to provide any payments or gifts to respondents, other than remuneration of contractors or grantees.
No government funds will be used as payment or for gifts to respondents.
10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.
Confidentiality is not required in the processing of this information collection.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.
N/A.
12. Provide estimates of the hour burden of the collection of information. The statement should:
Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desirable. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. General, estimates should not include burden hours for customary and usual business practices.
If this request for approval covers more than one form, provide separate hour burden estimates for each form.
Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.
Tables 1 and 2 below summarize the lower and upper bounds of the annual burden estimates, including the number of respondents, expected responses, burden hours, and monetized burden estimates. Lower and upper bound estimates are provided because this is a new program and there is uncertainty in the estimated number of potential respondents for each of the forms.
Except for the recordkeeping and auditing costs, the same hourly wage rate was used for all the burden estimates listed in Tables 1 and 2, which is loaded for employer costs for fringe benefits. The Bureau of Labor Statistics (BLS) estimate of the mean hourly wage rate was used for Compliance Officers (13-1041), which was $38.55 in May 20231 and this was further adjusted to add fringe benefits. The fringe amount on the BLS estimate for average benefits for private industry workers was 42% of the hourly wage rate.2 Thus, the loaded hourly wage rate was $54.74 ($38.55 × 1.42 = $54.74).
A different methodology was used to estimate recordkeeping and auditing costs.
Table 1 – Estimated Annualized Respondent Cost and Hour Burden (Lower Bound)
Activity |
Number of Respondents |
Annual Frequency |
Total Annual Responses (B) × (C) |
Hours per Response |
Total Annual Burden (Hours) (D) × (E)
|
Hourly Wage Rate |
Monetized Value of Respondent Time (F) × (G) |
(A) |
(B) |
(C) |
(D) |
(E) |
(F) |
(G) |
(H) |
Annual Reports |
375 |
1 |
375 |
40 |
15,000 |
$54.74 |
$821,100 |
Application for Specific Licenses |
15 |
1 |
15 |
10 |
150 |
$54.74 |
$8,211 |
Report of Rejected Prohibited Transactions |
15 |
1 |
15 |
2 |
30 |
$54.74 |
|
Request for Advisory Opinions |
50 |
1 |
50 |
2 |
100 |
$5,474 |
|
15 |
1 |
15 |
5 |
75 |
$54.74 |
||
Reports of Prohibited Transactions |
300 |
1 |
300 |
2 |
600 |
$54.74 |
$32,844 |
Recordkeeping |
1,500 |
|
|
|
|
|
$84,844,000 |
Total |
1,500 |
|
770 |
|
15,955 |
|
$85,717,377 |
Table 2 – Estimated Annualized Respondent Cost and Hour Burden (Upper Bound)
Activity |
Number of Respondents |
Annual Frequency |
Total Annual Responses (B) × (C) |
Hours per Response |
Total Annual Burden (Hours) (D) × (E)
|
Hourly Wage Rate |
Monetized Value of Respondent Time (F) × (G) |
(A) |
(B) |
(C) |
(D) |
(E) |
(F) |
(G) |
(H) |
Annual Reports |
750 |
1 |
750 |
40 |
30,000 |
$54.74 |
$1,642,200 |
Application for Specific Licenses |
25 |
1 |
25 |
10 |
250 |
$54.74 |
|
Report of Rejected Prohibited Transactions |
25 |
1 |
25 |
2 |
50 |
$54.74 |
$2,737 |
Request for Advisory Opinions |
100 |
1 |
100 |
2 |
200 |
||
Petitions for Removal from Covered List |
25 |
1 |
25 |
5 |
125 |
$54.74 |
|
Reports of Prohibited Transactions |
450 |
1 |
450 |
2 |
900 |
$54.74 |
$49,266 |
Recordkeeping |
1,500 |
|
|
|
|
|
$84,844,000 |
Total |
1,500 |
|
1,375 |
|
31,525 |
|
$86,569,679 |
Annual Reports
The proposed rule requires an Annual Report for a priority subset of U.S. persons that meet two conditions: (1) they have 25% or more ownership by a country of concern or covered person, and (2) they are engaged in restricted transactions involving cloud-computing services.
The annual reports for each calendar year are required by March 1 of the following year.
There is limited data available to inform the estimate of the number of U.S. persons who would be required to complete the annual reporting forms. For purposes of this estimate, and based on various experts’ informal input, the Department assumes that 1,500 entities are currently involved in transactions involving restricted data transactions, such as entities who may transfer data to cloud-service vendors or IT vendors, and foreign entities who may transfer data to their foreign subsidiaries.
Of those 1,500 entities, the lower bound estimate is that 375 (1,500 U.S. entities × 25%) would have 25% or more ownership by a country of concern or covered person. The upper bound estimate is that 750 (1,500 × 50%) would have 25% or more ownership by a country of concern.
The Department estimates that the annual reporting form would require up to 40 hours per respondent to complete, including the submission of any supporting documentation. The estimate of 40 hours is based upon the Securities and Exchange Commission (SEC) estimate of the time required to complete a similar but slightly more detailed reporting requirement, which was 49 hours. The SEC burden estimate was for registered investment companies and business development companies conducting annual reviews and preparing annual reports. The burden of supporting documentation may be limited if some respondents already maintain documentation of transactions as part of best business practices and/or those respondents may be subject to other legislation such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) that requires similar documentation.
The burden estimate calculations are shown in Tables 1 and 2, above, and as follows:
The Department estimates that 375 to 750 filers will send an average of 1 Annual Report per year for restricted transactions.
375 to 750 entities × 1 Annual Report = 375 to 750 Annual Reports per year.
The Department estimates that the average burden on a filer to prepare and submit each annual report will be approximately 40 hours.
375 to 750 applications × 40 hours = 15,000 to 30,000 hours annually.
The Department assumes that respondents use in-house personnel whose pay is comparable to that of a Compliance Officer as described above; therefore, the Department estimates filers’ costs to be about $54.74 per hour.
15,000 to 30,000 hours × $54.74/hour for in-house staff = $821,100 to $1,642,200 annually.
Applications for Specific Licenses
Under the proposed regulation, the Department is considering a license regime that would include specific licenses. U.S. persons voluntarily applying for a specific license would use the Applications for Specific Licenses form to request approval for specific covered data transactions that are prohibited or restricted under the proposed rule. If the specific license is approved by the Department, it could impose conditions on the data transactions covered under the specific license.
It is difficult to estimate the number of U.S persons that would apply for a specific license under the new regulatory program that would be established by the proposed rule, given the lack of sufficient data about the number of U.S. persons whose transactions would be subject to the regulations and that would seek an exception. For purposes of this estimate, and based on various experts’ informal input, the Department assumes that between 15 and 25 firms would annually apply for a specific license. The Department estimates that 10 hours would be required to complete the form, which was informed by the Bureau of Industry and Security (BIS) estimates for a similar license application. BIS estimated a burden of about 43 minutes for license applications (“Simplified Network Application Processing + System (SNAP+) and the Multi-Purpose Application”) and 40 hours for special comprehensive license applications, the latter of which does not appear to be in current use.3 The burden to filers for Applications for Specific Licenses will be near the lower end of this range because it would go beyond a simplified application but is much less burdensome than the special comprehensive license application.
The burden estimate calculations are shown in Tables 1 and 2 above and as follows:
The Department estimates that filers will send an average of 15 to 25 Applications for Specific Licenses per year for prohibited transactions.
15 to 25 entities × 1 Application for Specific Licenses = 15 to 25 Specific License Applications sent annually.
The Department estimates that the average burden on a filer to prepare and send each Application for Specific License may be approximately 10 hours.
15 to 25 applications × 10 hours = 150 to 250 hours annually.
The Department assumes that respondents use in-house personnel whose pay is comparable to that of a Compliance Officer; therefore, the Department estimates respondents’ costs to be about $54.74 per hour.
150 to 250 hours × $54.74/hour for in-house staff = $8,211 to $13,685 annually.
Reports of Rejected Prohibited Transactions
The proposed regulation requires a report of rejected prohibited transaction for any U.S. person who has received and affirmatively rejected an offer from another person to engage in a prohibited data brokerage transaction. It is difficult to estimate the number of U.S persons that would reject (and thus have to report) an offer to engage in a prohibited data brokerage transaction. For purposes of this estimate, and based on various experts’ informal input, the Department assumes that between 15 and 25 firms would submit an average of one report of a rejected prohibited transaction per year. The Department assumes a burden of approximately 2 hours for completion of the form, informed by the burden estimate for a proposed Treasury Department information collection with a similar purpose and level of complexity. This burden estimate is based on Treasury’s Financial Crimes Enforcement Network (FinCEN) suspicious activity report (SAR), which has been an electronic filing since 2013. The estimate for completion of the SAR is 1.98 hours.4
The burden estimate calculations are shown in Tables 1 and 2 above and as follows:
The Department estimates that 15 to 25 filers will send an average of 1 Report of Rejected Prohibited Transaction per year for rejected transactions.
15 to 25 entities × 1 Report of Rejected Prohibited Transaction = 15 to 25 Report of Rejected Transaction forms annually.
The Department estimates that the average burden on a filer to prepare and send each Report of Rejected Prohibited Transaction form is approximately 2 hours.
15 to 25 Report of Rejected Prohibited Transaction forms × 2 hours = 30 to 50 hours.
The Department assumes that respondents use in-house personnel whose pay is comparable to that of a Compliance Officer; therefore, the Department estimates respondents’ costs to be about $54.74 per hour.
30 to 50 hours × $54.74/hour for in-house staff = $1,642 to $2,737.
Requests for Advisory Opinions
The proposed regulation would allow any U.S. person engaging in covered data transactions regulated by the program to voluntarily request an interpretation of any part of these regulations from the Attorney General. Such voluntary requests for an Advisory Opinion can be made electronically using the Request for Advisory Opinion form. It is difficult to estimate the number of U.S persons that would request an advisory opinion. For purposes of this estimate, and based on various experts’ informal input, the Department assumes that 50 to 100 filers would submit an average of one Request for Advisory Opinion per year.
The Department estimates an hourly burden of 2 hours, informed by the burden estimate for a similar information collection request form from the U.S. Department of State (DOS). In 2023, the DOS Directorate of Defense Trade Controls (DDTC) located in the Political-Military Affairs Bureau estimated a burden of 2 hours for an advisory opinion request form. Like the DHS advisory request form, the DOS advisory request form permits U.S. persons to voluntarily request an interpretation of regulations related to foreign trade and national security. The DOS 30-day notice of the proposal and supporting statement estimated 2 hours per request for an advisory opinion.5,6 The Department assumed this same hourly burden.
Our burden estimate calculations are shown in Tables 1 and 2 above and as follows:
The Department estimates that 50 to 100 filers will send an average of 1 Request for Advisory Opinion per year.
50 to 100 entities × 1 Request for Advisory Opinion = 50 to 100 Request for Advisory Opinion forms annually.
The Department estimates that the average burden on a filer to prepare and send each Request for Advisory Opinion form may be approximately 2 hours.
50 to 100 requests for Advisory Opinions forms × 2 hours = 100 to 200 hours.
The Department assumes that respondents use in-house personnel whose pay is comparable to that of a Compliance Officer; therefore, DOJ estimates respondents’ costs to be about $54.74 per hour.
100 to 200 hours × $54.74/hour for in-house staff = $5,475 to $10,948.
Petitions for Removal from Covered List
The proposed regulation provides for a mechanism for impacted individuals or entities to file a petition to be removed from the covered list. The Department estimates that between 15 to 25 individuals or entities would send an average of one (1) Petition for Removal from Covered List per year. However, DOJ anticipates that fewer firms may file petitions after the first year, resulting in a potentially lower burden estimate.
The Department assumes each petition would require an average of 5 hours to prepare and submit. The Department’s burden estimate was informed by the Federal Communications Commission's (FCC) burden estimate for entities to prepare and submit petitions for exemption from the closed captioning requirements due to economic burden.7 This included the filing of any reply comments by those same entities. The comparative hourly basis is reasonable given inherent subjectivity in the amount of documentation provided to support any given exemption request.
The Department’s burden estimate calculations are shown in Tables 1 and 2 above and as follows:
DOJ estimated that 15 to 25 filers will send an average of 1 Petition for Removal from Covered List per year.
15 to 25 entities x 1 Petition for Removal from Covered List = 15 to 25 Petitions for Removal from Covered List annually.
DOJ estimates that the average burden on a filer to prepare and send each Petition for Removal from Covered List may require approximately 5 hours.
15 to 25 applications x 5 hours = 75 to 125 hours.
DOJ assumes that respondents use in-house personnel whose pay is comparable to that of a Compliance Officer; therefore, DOJ estimates respondents’ costs to be about $54.74 per hour.
75 to 125 hours x $54.74/hour for in-house staff = $4,106 to $6,843 annually.
Reports on Known or Suspected Violations of the Onward Transfers Prohibition
Under the proposed rule, the Department is proposing to require U.S. parties engaging in covered data transactions involving data brokerage with foreign persons to report to DOJ any known or suspected violations of the required contractual provision prohibiting resale of sensitive data to covered persons. U.S. parties engaged in data brokerage with foreign persons would be required to file a Report of Prohibited Transaction if they suspect or have knowledge of a foreign person reselling sensitive data to a country of concern. The Department estimates (based on various experts’ input) that there are approximately 3,000 data brokers in the United States, and 300 (3,000 data brokers x 10%) to 450 (3,000 data brokers x 15%) data brokers would submit an average of one report of known or suspected violations of onward transfers per year. DOJ estimates that each respondent would require an average of 2 hours to complete the form, informed by the burden estimate for a proposed Treasury Department information collection with a similar purpose and level of complexity. The Department’s burden estimate is based on Treasury’s Financial Crimes Enforcement Network (FinCEN) suspicious activity report (SAR), which has been an electronic filing since 2013. The estimate for completion of the SAR is 1.98 hours.8
DOJ’s burden estimate calculations are shown in Tables 1 and 2 above and as follows:
DOJ estimates that 300 to 450 data brokers will send an average of 1 Report of Known or Suspected Violation of Onward Transfers per year for prohibited transactions.
300 to 450 filers × 1 Report of Known or Suspected Violation of Onward Transfers = 300 to 450 Reports of Known or Suspected Violation of Onward Transfers forms annually.
DOJ estimates that the average burden on a data broker to prepare and send each Report of Known or Suspected Violation of Onward Transfers form is approximately 2 hours.
300 to 450 Reports of Known or Suspected Violation of Onward Transfers forms × 2 hours = 600 to 900 hours.
DOJ assumes that filers use in-house personnel whose pay is comparable to that of a Compliance Officer; therefore, DOJ estimates filers’ costs to be about $54.74 per hour.
600 to 900 hours × $54.74/hour for in-house staff = $32,844 to $49,266.
Recordkeeping requirements
The proposed rule’s recordkeeping requirements would include generating or maintaining documents pertinent to various data transactions details, verifications of transaction partners, transactions agreements, licenses, exemptions, advisory opinions, annual due diligence certifications, and supporting documentation, as applicable. The annual per-firm recordkeeping costs together are estimated at $89,344,000. All U.S. persons engaged in restricted transactions would be required to meet the recordkeeping and auditing requirements, along with U.S. persons engaged in transactions with foreign entities.
For purposes of this estimate, and based on various experts’ informal input, the Department assumes that 1,500 entities are currently conducting restricted data transactions, such as entities who may transfer data to cloud service vendors or IT vendors that are covered persons or that have employees that are covered persons in a country of concern that have access to their data.
The Department estimates the incremental recordkeeping costs of the proposed rule for large firms to be approximately $835,000 per year. The Department’s estimate of $835,000 per large firm is informed by Ponemon’s (2019) estimate of the annual compliance costs of GDPR $16,700,000 per firm. The Department assumes that the incremental recordkeeping costs of the proposed rule would be about 5% of Ponemon’s estimate of the GDPR. This 5% assumption is supported by the fact that GDPR includes more extensive recordkeeping requirements than the proposed rule and that many of the proposed rule’s recordkeeping requirements mandate the retention of documents that companies are already obligated to keep or that are normally kept under standard business practices. Furthermore, the Ponemon’s study includes compliance costs, such as necessary IT upgrades, beyond recordkeeping costs.
Using a similar approach, the Department estimates the incremental recordkeeping costs of the proposed rule for small and medium-sized firms to be approximately $960. The estimate of $960 per firm is informed by prior research on the incremental compliance costs and administrative burdens of GPDR for small and medium-sized businesses. The Department assumes that the incremental recordkeeping costs of the proposed rule would be about 10% of the estimated incremental costs of GDPR. The 10% assumption is supported by the fact that GDPR includes more extensive recordkeeping requirements than the proposed rule, and that many of the proposed rule’s recordkeeping requirements mandate the retention of documents that companies are already obligated to keep or that are normally kept under standard business practices. Furthermore, the prior research includes costs of compliance beyond recordkeeping costs.
According to the EU’s impact assessment of GDPR, average annual incremental compliance costs/administrative burdens for small and medium-sized enterprises (SMEs)9 were estimated at about $9,624.10 These presumably would align with the GDPR accountability elements identified by Wolford (2024), which are generally consistent with those of the proposed rule. Firms in the E.U. are subject to GDPR, which since 2018 has required all organizations that target or collect data relative to persons in the E.U. to abide by privacy and security standards outlined in that regulation. One of the seven data protection principles in GDPR is accountability or due diligence. Accordingly, data controllers (i.e., holders of data) must be able to demonstrate compliance relative to accountability by (1) designating data protection responsibilities as appropriate; (2) maintaining comprehensive records of collected data, its use, and those responsible for it; (3) training staff and executing technical and organizational security measures; (4) implementing contracts with third parties that process data on their behalf; and (5) appointment of a data protection officer (if a public authority or regularly processing personal data on a large scale).11
The Department assumes that among the 1,500 firms affected by the proposed rule’s recordkeeping requirements, the largest 100 will incur the high costs and the remainder (1,400) will incur the low costs.
For recordkeeping, the Department estimates a single burden shown in both Tables 1 and 2.
The burden estimate calculations are shown in Tables 1 and 2 and as follows:
The Department estimates that 1,400 small to medium-sized firms will incur the lower recordkeeping costs of $960 per firm. Therefore, the Department estimates a total of $1,344,000 in recordkeeping costs for small to medium-sized firms (1,400 x $960).
The Department estimates that 100 firms will incur the higher recordkeeping costs of $835,000 per firm. Therefore, the Department estimates a total of $83,500,000 in annual recordkeeping costs for larger firms (100 x $835,000).
The Department estimates a total of $84,844,000 in recordkeeping costs per year.
13. Provide an estimate of the total annual cost burden to respondents or recordkeepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).
The cost estimate should be split into two components: (a) a total capital
and start-up cost component (annualized over its expected useful life); and (b) a
total operation and maintenance and purchase of service component.
The estimates should take into account costs associated with generating,
maintaining, and disclosing or providing the information. Include descriptions of
methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and record storage facilities.
If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.
Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government, or (4) as part of customary and usual business or private practices.
Use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.
The Department assumes no capital or startup costs associated with any of the information collections. We assume respondents, per usual and customary practice, would already own information technology equipment sufficient to generate, maintain, and disclose the data included in these forms. All other cost burdens to respondents and recordkeepers are addressed in response to question 12 above.
14. Provide estimates of the annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 into a single table.
The annual costs to the Federal Government for collecting, analyzing, and storing the information to be collected under the proposed rules are unknown at this time, given the difficulty of estimating the number and categories of transactions for which licenses and advisory opinions will be sought, the number of transactions that will be rejected for which reports will be required, the number of designated covered persons that will petition for removal from the list, and the number of restricted and other transactions that will be subject to the recordkeeping and reporting requirements under the proposed rule. Therefore, this cost estimate is based on the number of full-time employees (FTEs) anticipated to be added to implement this program and the percentage of their responsibilities related to these information collections. This number is expected to increase over time after the final rule becomes effective.
The table below outlines the estimated annual costs to the Federal Government for collecting, analyzing, and storing information required by the proposed rules. For purposes of this estimate, the Department currently anticipates that there will be approximately 42 FTEs across various attorney and non-attorney positions involved in implementing the program that will have responsibilities for undertaking, assessing, and supporting the collections identified in this PRA request. This estimate does not include other FTEs involved in implementing the program that are not anticipated to have meaningful responsibilities related to these information collections. Using these figures, the cost estimate first categorizes these FTEs by workstream and position. It then estimates the total annualized cost to the Federal Government for each FTE based on that position’s General Schedule (GS) pay scale for FY2025, incorporating overhead costs like fringe benefits, equipment, IT support, security, human resources, facilities, and other administrative expenses. Finally, using the percentage of total time that each FTE is anticipated to dedicate to PRA-related tasks, the cost estimate determines the total cost for each FTE that is attributable to PRA-related tasks. As shown in the table below, the total estimated annualized cost to the Federal Government for processing PRA-related applications and reports is approximately $3.081 million.
Table 3 – Estimated Annualized Cost to the Federal Government
Position & Role |
Average GS Level |
Approx. Number of FTEs |
Salary & Benefits Per FTE |
Overhead, Equipment, and Other Costs Per FTE |
Subtotal Cost Per FTE (D) + (E) |
Subtotal Cost for All FTEs in Role (C) × (F)
|
Anticipated Percentage of PRA-Attributable Duties |
Total PRA-Attributable Cost for All FTEs in Role (G) × (H) |
(A) |
(B) |
(C) |
(D) |
(E) |
(F) |
(G) |
(H) |
(I) |
Attorneys: licensing and advisory opinions |
15 |
6 |
$ 112,975 |
$ 355,597 |
$ 2,133,582 |
90% |
$ 1,920,223 |
|
Attorneys: targeting and designation |
15 |
8 |
$ 242,622 |
$ 112,975 |
$ 355,597 |
$ 2,844,775 |
10% |
$ 284,478 |
Non-attorneys: targeting and designation |
14 |
6 |
$ 215,687 |
$ 90,238 |
$ 305,925 |
$ 1,835,551 |
10% |
$ 183,555 |
Attorneys: supervision |
15 |
2 |
$ 242,622 |
$ 112,975 |
$ 355,597 |
$ 711,194 |
10% |
$ 71,119 |
Attorneys:
compliance/ |
15 |
7 |
$ 242,622 |
$ 112,975 |
$ 355,957 |
$ 2,489,179 |
10% |
$ 248,918 |
Non-attorney support for filing/case-management system |
12 |
3 |
$ 153,638 |
$ 243,876 |
$ 731,627 |
10% |
$ 73,163 |
|
Non-attorney support for filing/case-management system |
14 |
1 |
$ 215,687 |
$ 90,238 |
$ 305,925 |
$ 305,925 |
10% |
$ 30,593 |
Subject-matter experts |
14 |
3 |
$ 215,687 |
$ 90,238 |
$ 305,925 |
$ 917,776 |
10% |
$ 91,778 |
Administrative support |
11 |
1 |
$ 128,268 |
$ 90,238 |
$ 218,506 |
$ 218,506 |
2% |
$ 4,370 |
Paralegal support |
11 |
3 |
$ 128,268 |
$ 90,238 |
$ 218,506 |
$ 655,518 |
20% |
$ 131,104 |
Research support |
11 |
2 |
$ 128,268 |
$ 90,238 |
$ 218,506 |
$ 437,012 |
10% |
$ 43,701 |
|
|
|
|
|
|
Total Estimated Cost: |
$ 3,083,001 |
|
This estimate does not include expenses for renovating or acquiring new physical space, or other similar costs, potentially leading to an underestimation of the total annual expenses due to the proposed rules. The precise extent of this underestimation is currently unknown and difficult to quantify.
15. Explain the reasons for any program changes or adjustments.
This is a new program.
16. For collections of information whose results will be published, outline plans for tabulations, and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.
The Department does not currently anticipate that the information to be collected will be published.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.
No exemption is sought.
18. Explain each exception to the certification statement.
There are no exceptions to the certification statement.
B. COLLECTIONS OF INFORMATON EMPLOYING STATISTICAL METHODS.
This collection does not contain statistical data.
1 May 2023 National Occupational Employment and Wage Estimates, Bureau of Lab. Stat. (May 2023), https://www.bls.gov/oes/current/oes_nat.htm#13-0000 [https://perma.cc/ZC8E-JW5N].
2 U.S. Dept. of Labor, Bureau of Lab. Stat., USDL-24-0485, Employer costs for Employee Compensation Summary (2024), https://www.bls.gov/news.release/ecec.nr0.htm [https://perma.cc/CP4A-QBWA] (1 + ($12.77 benefits costs / $30.33 average private industry wage) = 1.42 load or fringe rate).
3 Export Administration Regulations: Removal of Special Comprehensive License Provisions, 80 FR 51725 (Aug. 26, 2015).
4 Agency Information Collection Activities; Proposed Renewal; Comment Request; Renewal Without Change of Reports by Financial Institutions of Suspicious Transactions and FinCEN Form 111— Suspicious Activity Report, 89 FR 9913, 9914 (Feb. 12, 2024).
5 U.S. Dep’t of State, OMB No. 1405-0174, Supporting Statement for Paperwork Reduction Act Submission (2023).
6 30-Day Notice of Proposed Information Collection: Request for Advisory Opinion, 88 FR 77397, 77397 (Nov. 9, 2023).
7 FCC, OMB 3060-1162, Supporting Statement for Paperwork Reduction Act Submission 12–13 (2012), https://www.reginfo.gov/public/do/DownloadDocument?objectID=32627601 [https://perma.cc/HVD6-2F8H].