Revisions to the Fee Schedule for the Data Privacy Framework Program, 70597-70600 [2024-19541]
Download as PDF
<![CDATA[
ddrumheller on DSK120RN23PROD with NOTICES1
Federal Register / Vol. 89, No. 169 / Friday, August 30, 2024 / Notices
or portions thereof, if the head of the
agency to which the advisory committee
reports determines such meetings may
be closed to the public in accordance
with subsection (c) of the Government
in the Sunshine Act (5 U.S.C. 552b(c)).
In this case, the applicable provisions of
5 U.S.C. 552b(c) are subsection
552b(c)(4), which permits closure to
protect trade secrets and commercial or
financial information that is privileged
or confidential, and subsection
552b(c)(9)(B), which permits closure to
protect information that would be likely
to significantly frustrate implementation
of a proposed agency action were it to
be disclosed prematurely. The closed
session of the meeting will involve
committee discussions and guidance
regarding U.S. Government strategies
and policies.
The open session will be accessible
via teleconference. To join the
conference, submit inquiries to Ms.
Yvette Springer at Yvette.Springer@
bis.doc.gov (email) or (202) 482–2813
(voice). A limited number of seats will
be available for members of the public
to attend the open session in person.
Reservations are not accepted.
Special Accommodations: Individuals
requiring special accommodations to
access the public meeting should
contact Ms. Yvette Springer no later
than Wednesday, September 11, 2024,
so that appropriate arrangements can be
made.
To the extent that time permits,
members of the public may present oral
statements to the Committee. The public
may submit written statements at any
time before or after the meeting.
However, to facilitate distribution of
materials to the Committee members,
the Committee suggests that members of
the public forward their materials prior
to the meeting to Ms. Springer via email.
Material submitted by the public will be
made public and therefore should not
contain confidential information.
Meeting materials from the public
session will be accessible via the
Technical Advisory Committee (TAC)
site at https://tac.bis.gov, within 30-days
after the meeting.
The Deputy Assistant Secretary for
Administration, performing the nonexclusive functions and duties of the
Chief Financial Officer and Assistant
Secretary for Administration, with the
concurrence of the delegate of the
General Counsel, formally determined
on August 23, 2024, pursuant to 5
U.S.C. 1009(d)), that the portion of the
meeting dealing with pre-decisional
changes to the Commerce Control List
and the U.S. export control policies
shall be exempt from the provisions
relating to public meetings found in 5
VerDate Sep<11>2014
20:35 Aug 29, 2024
Jkt 262001
U.S.C. 1009(a)(1) and 1009(a)(3). The
remaining portions of the meeting will
be open to the public.
Meeting cancellation: If the meeting is
cancelled, a cancellation notice will be
posted on the TAC website at https://
tac.bis.doc.gov.
For more information, contact Ms.
Springer.
Yvette Springer,
Committee Liaison Officer.
[FR Doc. 2024–19550 Filed 8–29–24; 8:45 am]
BILLING CODE 3510–JT–P
DEPARTMENT OF COMMERCE
[Docket No.: 240826–0227]
Revisions to the Fee Schedule for the
Data Privacy Framework Program
International Trade
Administration, U.S. Department of
Commerce.
ACTION: Final notice of implementation
of revisions to the fee schedule for the
Data Privacy Framework Program.
AGENCY:
The U.S. Department of
Commerce (DOC) published the
Revisions to the Fee Schedule for the
Data Privacy Framework Program on
July 9, 2024. We gave interested parties
an opportunity to comment on the
revisions to the fee schedule. No
comments were received; therefore, the
revised fee schedule is considered the
final fee schedule subject to future
review in accordance with OMB
Circular A–25 and will become effective
October 1st, 2024.
DATES: This fee schedule will become
effective October 1, 2024.
FOR FURTHER INFORMATION CONTACT:
Requests for additional information
regarding the DPF program should be
directed to Isabella Carlton, Department
of Commerce, International Trade
Administration, Room 11018, 1401
Constitution Avenue NW, Washington,
DC, tel. (202) 482–1512 or via email at
dpf.program@trade.gov. Additional
information on ITA fees is available at
trade.gov/fees.
SUPPLEMENTARY INFORMATION:
SUMMARY:
Background
Consistent with the guidelines in
OMB Circular A–25, Federal agencies
are responsible for implementing cost
recovery program fees. The role of ITA
is to strengthen the competitiveness of
U.S. industry, promote trade and
investment, and ensure fair trade
through the rigorous enforcement of
U.S. trade laws and agreements. ITA
works to promote privacy policy
frameworks to facilitate the trusted flow
PO 00000
Frm 00007
Fmt 4703
Sfmt 4703
70597
of data across borders with strong
privacy protections, which in turn
supports international trade.
The U.S., EU, UK, and Switzerland
share a commitment to enhancing
privacy protection, the rule of law, and
a recognition of the importance of
transatlantic data flows to our respective
citizens, economies, and societies, but
have different legal systems and take
different approaches to doing so. Given
those differences, the DOC developed
the EU-U.S. DPF, the UK Extension to
the EU-U.S. DPF, and the Swiss-U.S.
DPF in consultation with the European
Commission, the UK Government, the
Swiss Federal Administration, industry,
and other stakeholders. These
arrangements were respectively
developed to provide U.S. organizations
reliable mechanisms for personal data
transfers to the U.S. from the EU, UK,
and Switzerland that are consistent with
EU, UK, and Swiss law.
The DOC has issued the EU-U.S. DPF
Principles and the Swiss-U.S. DPF
Principles, including the respective sets
of Supplemental Principles
(collectively, the Principles) and Annex
I to the Principles, as well as the UK
Extension to the EU-U.S. DPF under its
statutory authority to foster, promote,
and develop international commerce (15
U.S.C. 1512).
To participate in the EU-U.S. DPF
and, as applicable, the UK Extension to
the EU-U.S. DPF, and/or the Swiss-U.S.
DPF an organization must: (1) be subject
to the investigatory and enforcement
powers of the Federal Trade
Commission (FTC), the Department of
Transportation (DOT), or another
statutory body that will effectively
ensure compliance with the Principles;
(2) publicly declare its commitment to
comply with the Principles; (3) publicly
disclose its privacy policies in line with
the Principles; and (4) fully implement
the Principles.
While the decision by an organization
to self-certify its compliance and to
participate in the DPF is voluntary;
effective compliance is compulsory:
organizations that self-certify to the
DOC and publicly declare their
commitment to adhere to the Principles
must comply fully with the Principles.
Organizations that only wish to selfcertify their compliance pursuant to the
EU-U.S. DPF and/or the Swiss-U.S. DPF
may do so; however, organizations that
wish to participate in the UK Extension
to the EU-U.S. DPF must participate in
the EU-U.S. DPF. Such organizations’
commitment to comply with the
Principles with regard to transfers of
personal data from the EU and, as
applicable, the UK, and/or Switzerland
must be reflected in their self-
E:\FR\FM\30AUN1.SGM
30AUN1
70598
Federal Register / Vol. 89, No. 169 / Friday, August 30, 2024 / Notices
certification submissions to the DOC,
and in their privacy policies. An
organization’s failure to comply with
the Principles after its self-certification
is enforceable: (1) by the FTC under
Section 5 of the Federal Trade
Commission (FTC) Act prohibiting
unfair or deceptive acts in or affecting
commerce (15 U.S.C. 45); (2) by the DOT
under 49 U.S.C. 41712 prohibiting a
carrier or ticket agent from engaging in
an unfair or deceptive practice in air
transportation or the sale of air
transportation; or (3) under other laws
or regulations prohibiting such acts.
U.S. organizations considering selfcertifying their compliance pursuant to
the EU-U.S. DPF and, as applicable, the
UK Extension to the EU-U.S. DPF, and/
or the Swiss-U.S. DPF should review the
requirements in their entirety, including
the Principles and associated
documents available in full at
www.dataprivacyframework.gov.
Revisions to the Fee Schedule
ITA initially implemented a cost
recovery program to support the
operation of the EU-U.S. Privacy Shield
Framework and the Swiss-U.S. Privacy
Shield Frameworks (collectively, the
Privacy Shield program) and is revising
that fee schedule to support the
operation of the DPF program. The cost
recovery program will support the
administration and supervision of the
DPF program and support services
related to the DPF program, including
education and outreach. The revisions
to the fee schedule will become effective
October 1st, 2024, which is 30 days after
this final fee schedule was published.
The Cost Recovery Fee Schedule for
the EU-U.S. Privacy Shield Framework,
published September 30, 2016 (81 FR
67293), describes the fees implemented
by ITA to cover the administration and
supervision of the EU-U.S. Privacy
Shield Framework. The first amendment
to the Cost Recovery Fee Schedule for
the EU-U.S. Privacy Shield Framework,
published April 4, 2017 (82 FR 16375),
describes the additional fees
implemented by ITA to cover the
administration and supervision of the
Swiss-U.S. Privacy Shield Framework.
Under this revision to the fee schedule,
organizations that opt to self-certify only
for the EU-U.S. DPF, only the EU-U.S.
DPF and the UK Extension to the EUU.S. DPF, or only the Swiss-U.S. DPF
will pay a single fee when initially selfcertifying or re-certifying. Organizations
that opt to self-certify for an additional
framework will pay an additional 50
percent of that single fee when selfcertifying or re-certifying for the
additional framework, reflecting the
efficiency savings in administering the
DPF program for organizations that
participate in multiple parts of the DPF
program. As organizations that wish to
participate in the UK Extension to the
EU-U.S. DPF must participate in the EUU.S. DPF, the annual fee that such
organizations are required to pay to ITA
to participate in the EU-U.S. DPF
currently covers both the EU-U.S. DPF
and the UK Extension to the EU-U.S.
DPF.
These efficiency savings are
maximized if organizations self-certify
to multiple parts of the DPF program
simultaneously, reducing the required
staff time and resources for reviewing
materials. In addition, organizations that
participate in the EU-U.S. DPF and, as
applicable, the UK Extension to the EUU.S. DPF and/or the Swiss-U.S. DPF
may adjust their annual re-certification
due date by re-certifying early (i.e.,
before the applicable due date) to the
relevant part(s) of the DPF program.
Although an organization may adjust
its annual re-certification due date by
re-certifying early, the re-certification
due date would apply to all parts of the
DPF program in which it participates
(i.e., re-certification to the relevant
part(s) of the DPF program is
synchronized). For example, if an
organization initially self-certified
exclusively to and was placed on the
Data Privacy Framework List with
regard to the EU-U.S. DPF, and then
several months later self-certified to and
was placed on the Data Privacy
Framework List with regard to the
Swiss-U.S. DPF, the organization’s next
re-certification to both of those parts of
the DPF program would be due by the
same date.
Additionally, a fixed annual fee of
$260 will be charged per applicable
framework for organizations that
withdraw from the relevant part(s) of
the DPF program, retain personal data
that they received in reliance on their
participation in the relevant part(s) of
the DPF program, continue to apply the
Principles to such data, and affirm to
ITA on an annual basis their
commitment to apply the Principles to
such data. This fee has been set to cover
staff costs for reviewing the ‘‘PostWithdrawal, Annual Affirmation
Questionnaire’’, which must be
submitted by organizations that have
chosen the aforementioned option when
withdrawing from the relevant part(s) of
the program, as well as the necessary
website infrastructure to facilitate
submission of the proper documents.
Additionally, this fee is set to be less
than any organization would be
required to pay for re-certification. The
fee schedule is set forth below:
REVISED ANNUAL FEE SCHEDULE FOR THE DPF PROGRAM
A single
framework
Organization’s annual revenue
ddrumheller on DSK120RN23PROD with NOTICES1
$0 to $5 million ........................................................................................................................................................
Over $5 million to $25 million ..................................................................................................................................
Over $25 million to $500 million ..............................................................................................................................
Over $500 million to $5 billion .................................................................................................................................
Over $5 billion ..........................................................................................................................................................
Post-withdrawal, annual affirmation fee ..................................................................................................................
For purposes of the annual fee
schedule described above:
• ‘‘A single framework’’ could refer to
any of the following: only the EU-U.S.
DPF; only the EU-U.S. DPF and the UK
VerDate Sep<11>2014
20:35 Aug 29, 2024
Jkt 262001
Extension to the EU-U.S. DPF; or only
the Swiss-U.S. DPF
• ‘‘Both frameworks’’ could refer to
any of the following: the EU-U.S. DPF,
the UK Extension to the EU-U.S. DPF,
PO 00000
Frm 00008
Fmt 4703
Sfmt 4703
$260
750
1,600
4,130
5,530
Both
frameworks
$390
1,125
2,400
6,195
8,295
A single
framework
Both
frameworks
$260
$520
and the Swiss-U.S. DPF; or only the EUU.S. DPF and the Swiss-U.S. DPF.
Organizations will have additional
direct costs associated with
participating in the DPF program. For
E:\FR\FM\30AUN1.SGM
30AUN1
Federal Register / Vol. 89, No. 169 / Friday, August 30, 2024 / Notices
example, organizations must provide a
readily available independent recourse
mechanism to hear individual
complaints at no cost to the individual.
Furthermore, organizations are required
to make contributions in connection
with the arbitral model, as described in
Annex I to the Principles.
ddrumheller on DSK120RN23PROD with NOTICES1
Method for Determining Fees
ITA collects, retains, and expends
user fees pursuant to delegated
authority under the Mutual Educational
and Cultural Exchange Act as
authorized in its annual appropriations
acts. The EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF, and the
Swiss-U.S. DPF were developed to
facilitate transatlantic commerce by
providing U.S. organizations with
reliable mechanisms for personal data
transfers to the United States from the
EU/European Economic Area, UK, and
Switzerland. The Data Privacy
Framework program operates in a way
that provides strong privacy protection
as well as a more effective and efficient
service to participants at a lower cost
than other options, including standard
contractual clauses or binding corporate
rules.
Fees are set by taking into account the
operational costs borne by ITA to
administer and supervise the Data
Privacy Framework program. The DPF
program requires a significant
commitment of resources and staff.
These costs include broad programmatic
costs to run the program as well as costs
specific to EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF, and the
Swiss-U.S. DPF. The DPF program
includes commitments from ITA to:
• Maintain, upgrade, and update a
DPF program website, including
maintaining the Data Privacy
Framework List (i.e., the authoritative
list of U.S. organizations that have selfcertified to the DOC, as represented by
ITA, and declared their commitment to
adhere to the Principles);
• Verify self-certification
requirements submitted by
organizations to participate in the DPF
program;
• Follow up with organizations that
have been removed from the Data
Privacy Framework List and ensure,
where applicable, that questionnaires
are correctly filed and processed;
• Search for and address false claims
of participation;
• Conduct periodic compliance
reviews and assessments of the program;
• Provide information regarding the
program to targeted audiences;
• Increase cooperation with European
data protection authorities;
VerDate Sep<11>2014
20:35 Aug 29, 2024
Jkt 262001
• Facilitate resolution of complaints
about non-compliance;
• Hold periodic meetings with the
European Commission, the UK
government, the Swiss government, and
other authorities to review the program;
and
• Provide the EU, UK, and
Switzerland with updates on laws
relevant to the DPF program.
In setting these revised DPF program
fees, ITA determined that the services
provided offer special benefits to an
identifiable recipient beyond those that
accrue to the general public. ITA
calculated the actual cost of providing
its services in order to provide a basis
for setting each fee. This actual cost
incorporates direct and indirect costs,
including operations and maintenance,
overhead, and charges for the use of
capital facilities. ITA also took into
account additional factors, including
inflation, adequacy of cost recovery,
affordability, and costs associated with
alternative options available to U.S.
organizations for the receipt of personal
data from the EU, the UK, and
Switzerland. Furthermore, ITA
considered the cost-savings and
efficiencies gained in staff hours
through simultaneous review of selfcertifications for the EU-U.S. DPF, the
UK Extension to the EU-U.S. DPF, and
the Swiss-U.S. DPF. This analysis
balanced these cost savings with
projected expenses, including, but not
limited to, website development, further
negotiations with the EU, the UK, and
Switzerland, periodic reviews,
certification reviews, and facilitating
complaint resolutions.
ITA will continue to use the
established five-tiered fee schedule (see
82 FR 16375) that promoted
participation of small organizations in
the Privacy Shield program, while
amending the fees at each tier to
account for increased program
administration costs. A multiple-tiered
fee schedule allows ITA to offer
organizations with lower revenue a
lower fee. In setting the five tiers, ITA
considered, in conjunction with the
factors mentioned above: (1) the Small
Business Administration’s guidance on
identifying small and medium
enterprises (SMEs) in various industries
most likely to participate in the DPF
program, such as computer services,
software and information services; (2)
the likelihood that small companies
would be expected to receive less
personal data and thereby use fewer
government resources; and (3) the
likelihood that companies with higher
revenue would have more customers
whose data they process, which would
use more government resources
PO 00000
Frm 00009
Fmt 4703
Sfmt 4703
70599
dedicated to administering and
overseeing the DPF program. For
example, if a company holds more data,
it could reasonably produce more
questions and complaints from
consumers and European data
protection authorities (DPAs). ITA has
committed to facilitating the resolution
of individual complaints and to
communicating with the FTC and the
DPAs regarding consumer complaints.
Lastly, the fee increases between the
tiers are based in part on projected
program costs and estimated
participation levels among companies
within each tier.
As noted above, the revisions to the
fee schedule recoups the costs to ITA for
operating and maintaining the DPF
program. ITA has taken into account the
efficiencies and economies of scale
experienced when organizations
participate in multiple Frameworks by
providing a 50 percent discount off
adding another framework program and
requiring organizations to synchronize
their re-certifications. The added cost of
joining an additional framework
program reflects the additional expenses
incurred, including, but not limited to,
for communications with DPAs and
website infrastructure and development,
as well as the additional costs of
cooperating and communicating
separately with the EU, UK, and Swiss
representatives and governments. The
fee applied to organizations that
withdraw from relevant part(s) of the
DPF program, but that maintain data, is
meant to cover the programmatic costs
associated with ITA’s processing of such
organizations’ annual affirmation of
commitment to continue to apply the
Principles to the personal data they
received while participating in the
relevant part(s) of the DPF program. The
flat fee is based on the expectation that
government resources required to
process this annual affirmation will be
similar for all companies, regardless of
size.
Based on the information provided
above, ITA believes that the revised DPF
program cost recovery fee schedule is
consistent with the objective of OMB
Circular A–25 to ‘‘promote efficient
allocation of the nation’s resources by
establishing charges for special benefits
provided to the recipient that are at least
as great as the cost to the U.S.
Government of providing the special
benefits . . .’’ (OMB Circular A–
25(5)(b)). ITA has provided the public
with the opportunity to comment on the
revisions to the fee schedule (89 FR
56289, July 9, 2024). ITA did not receive
any comments and is publishing the
final fee schedule 30 days before the
final fee schedule becomes effective.
E:\FR\FM\30AUN1.SGM
30AUN1
70600
Federal Register / Vol. 89, No. 169 / Friday, August 30, 2024 / Notices
ITA administers and supervises the DPF
program, including maintaining and
making publicly available the Data
Privacy Framework List, an
authoritative list of U.S. organizations
that have self-certified to the DOC and
declared their commitment to adhere to
the Principles pursuant to the EU-U.S.
DPF and, as applicable, the UK
Extension to the EU-U.S. DPF, and/or
the Swiss-U.S. DPF.
Dated: August 26, 2024.
Lesley Elouaradia,
Acting Deputy Assistant Secretary for
Services, Industry & Analysis, International
Trade Administration, U.S. Department of
Commerce.
[FR Doc. 2024–19541 Filed 8–29–24; 8:45 am]
BILLING CODE 3510–DR–P
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric
Administration
[RTID 0648–XE238]
New England Fishery Management
Council; Public Meeting
National Marine Fisheries
Service (NMFS), National Oceanic and
Atmospheric Administration (NOAA),
Commerce.
ACTION: Notice of public meeting.
AGENCY:
The New England Fishery
Management Council (Council) is
scheduling a joint hybrid meeting of its
Scallop Advisory Panel and Plan
Development Team to consider actions
affecting New England fisheries in the
exclusive economic zone (EEZ).
Recommendations from this group will
be brought to the full Council for formal
consideration and action, if appropriate.
DATES: This meeting will be held on
Tuesday, September 17, 2024 at 9 a.m.
ADDRESSES:
Meeting address: This meeting will be
held at Hilton Garden Inn Logan
Airport, 100 Boardman St., Boston, MA
02128; telephone: (617) 567–5678.
Webinar registration URL
information: https://nefmc-org.zoom.us/
meeting/register/tJwscitqjIqHtatA2PQbe_vEwWOAySUZA47.
Council address: New England
Fishery Management Council, 50 Water
Street, Mill 2, Newburyport, MA 01950.
FOR FURTHER INFORMATION CONTACT: Cate
O’Keefe, Executive Director, New
England Fishery Management Council;
telephone: (978) 465–0492.
SUPPLEMENTARY INFORMATION:
ddrumheller on DSK120RN23PROD with NOTICES1
SUMMARY:
Agenda
The Scallop Plan Development Team
(PDT) and Advisory Panel will meet to
VerDate Sep<11>2014
20:35 Aug 29, 2024
Jkt 262001
discuss: Framework 39—Review results
of 2024 scallop surveys, and
preliminary projections. The primary
focus of this meeting will be to develop
input on the range of potential
specification alternatives for FY 2025
and FY 2026. The action will set
Acceptable Biological Catch (ABC)/
Annual Catch Limits (ACLs), days-atsea, access area allocations, total
allowable landings for the Northern Gulf
of Maine (NGOM) management area,
targets for General Category incidental
catch, General Category access area trips
and trip accounting, and set-asides for
the observer and research programs for
fishing year 2025 and default
specifications for fishing year 2026. The
groups will also discuss the PDT’s
review of accountability measures for
yellowtail flounder and windowpane
flounder and consider the development
of measures in this action. They also
plan to discuss the Scallop Strategic
Plan—Consider progress and develop
input on the process and timeline for
this project. Other business will be
discussed, if necessary.
Although non-emergency issues not
contained on the agenda may come
before this Council for discussion, those
issues may not be the subject of formal
action during this meeting. Council
action will be restricted to those issues
specifically listed in this notice and any
issues arising after publication of this
notice that require emergency action
under section 305(c) of the MagnusonStevens Act, provided the public has
been notified of the Council’s intent to
take final action to address the
emergency. The public also should be
aware that the meeting will be recorded.
Consistent with 16 U.S.C. 1852, a copy
of the recording is available upon
request.
Special Accommodations
This meeting is physically accessible
to people with disabilities. Requests for
sign language interpretation or other
auxiliary aids should be directed to Cate
O’Keefe, Executive Director, at (978)
465–0492, at least 5 days prior to the
meeting date.
Authority: 16 U.S.C. 1801 et seq.
Dated: August 27, 2024.
Alyssa Weigers,
Acting Deputy Director, Office of Sustainable
Fisheries, National Marine Fisheries Service.
[FR Doc. 2024–19565 Filed 8–29–24; 8:45 am]
BILLING CODE 3510–22–P
PO 00000
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric
Administration
[RTID 0648–XE245]
Mid-Atlantic Fishery Management
Council (MAFMC); Public Meeting
National Marine Fisheries
Service (NMFS), National Oceanic and
Atmospheric Administration (NOAA),
Commerce.
AGENCY:
ACTION:
Notice; public meeting.
The MAFMC’s Spiny Dogfish
Monitoring Committee will meet via
webinar to develop recommendations
for future Spiny Dogfish specifications
and/or management measures.
SUMMARY:
The meeting will be held on
Tuesday, September 17, 2024, from 1
p.m. to 2:30 p.m.
DATES:
The meeting will be held
via webinar. Connection information
and any related materials will be posted
to the MAFMC’s website calendar prior
to the meeting at https://
www.mafmc.org.
Council address: Mid-Atlantic Fishery
Management Council, 800 N State
Street, Suite 201, Dover, DE 19901;
telephone: (302) 674–2331; https://
www.mafmc.org.
ADDRESSES:
FOR FURTHER INFORMATION CONTACT:
Christopher M. Moore, Ph.D., Executive
Director, Mid-Atlantic Fishery
Management Council, telephone: (302)
526–5255.
The Spiny
Dogfish Monitoring Committee will
meet to review previously-adopted 2025
spiny dogfish fishing year specifications
(see summary at https://
www.mafmc.org/s/2023-12_MAFMCReport.pdf), and make any appropriate
recommendations. Public comments
will also be taken.
SUPPLEMENTARY INFORMATION:
Special Accommodations
The meeting is physically accessible
to people with disabilities. Requests for
sign language interpretation or other
auxiliary aid should be directed to
Shelley Spedden, (302) 526–5251, at
least 5 days prior to the meeting date.
Authority: 16 U.S.C. 1801 et seq.
Dated: August 27, 2024.
Alyssa Weigers,
Acting Deputy Director, Office of Sustainable
Fisheries, National Marine Fisheries Service.
[FR Doc. 2024–19567 Filed 8–29–24; 8:45 am]
BILLING CODE 3510–22–P
Frm 00010
Fmt 4703
Sfmt 9990
E:\FR\FM\30AUN1.SGM
30AUN1
]]>Agencies
[Federal Register Volume 89, Number 169 (Friday, August 30, 2024)]
[Notices]
[Pages 70597-70600]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-19541]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
[Docket No.: 240826-0227]
Revisions to the Fee Schedule for the Data Privacy Framework
Program
AGENCY: International Trade Administration, U.S. Department of
Commerce.
ACTION: Final notice of implementation of revisions to the fee schedule
for the Data Privacy Framework Program.
-----------------------------------------------------------------------
SUMMARY: The U.S. Department of Commerce (DOC) published the Revisions
to the Fee Schedule for the Data Privacy Framework Program on July 9,
2024. We gave interested parties an opportunity to comment on the
revisions to the fee schedule. No comments were received; therefore,
the revised fee schedule is considered the final fee schedule subject
to future review in accordance with OMB Circular A-25 and will become
effective October 1st, 2024.
DATES: This fee schedule will become effective October 1, 2024.
FOR FURTHER INFORMATION CONTACT: Requests for additional information
regarding the DPF program should be directed to Isabella Carlton,
Department of Commerce, International Trade Administration, Room 11018,
1401 Constitution Avenue NW, Washington, DC, tel. (202) 482-1512 or via
email at [email protected]. Additional information on ITA fees is
available at trade.gov/fees.
SUPPLEMENTARY INFORMATION:
Background
Consistent with the guidelines in OMB Circular A-25, Federal
agencies are responsible for implementing cost recovery program fees.
The role of ITA is to strengthen the competitiveness of U.S. industry,
promote trade and investment, and ensure fair trade through the
rigorous enforcement of U.S. trade laws and agreements. ITA works to
promote privacy policy frameworks to facilitate the trusted flow of
data across borders with strong privacy protections, which in turn
supports international trade.
The U.S., EU, UK, and Switzerland share a commitment to enhancing
privacy protection, the rule of law, and a recognition of the
importance of transatlantic data flows to our respective citizens,
economies, and societies, but have different legal systems and take
different approaches to doing so. Given those differences, the DOC
developed the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the
Swiss-U.S. DPF in consultation with the European Commission, the UK
Government, the Swiss Federal Administration, industry, and other
stakeholders. These arrangements were respectively developed to provide
U.S. organizations reliable mechanisms for personal data transfers to
the U.S. from the EU, UK, and Switzerland that are consistent with EU,
UK, and Swiss law.
The DOC has issued the EU-U.S. DPF Principles and the Swiss-U.S.
DPF Principles, including the respective sets of Supplemental
Principles (collectively, the Principles) and Annex I to the
Principles, as well as the UK Extension to the EU-U.S. DPF under its
statutory authority to foster, promote, and develop international
commerce (15 U.S.C. 1512).
To participate in the EU-U.S. DPF and, as applicable, the UK
Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF an organization
must: (1) be subject to the investigatory and enforcement powers of the
Federal Trade Commission (FTC), the Department of Transportation (DOT),
or another statutory body that will effectively ensure compliance with
the Principles; (2) publicly declare its commitment to comply with the
Principles; (3) publicly disclose its privacy policies in line with the
Principles; and (4) fully implement the Principles.
While the decision by an organization to self-certify its
compliance and to participate in the DPF is voluntary; effective
compliance is compulsory: organizations that self-certify to the DOC
and publicly declare their commitment to adhere to the Principles must
comply fully with the Principles. Organizations that only wish to self-
certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-
U.S. DPF may do so; however, organizations that wish to participate in
the UK Extension to the EU-U.S. DPF must participate in the EU-U.S.
DPF. Such organizations' commitment to comply with the Principles with
regard to transfers of personal data from the EU and, as applicable,
the UK, and/or Switzerland must be reflected in their self-
[[Page 70598]]
certification submissions to the DOC, and in their privacy policies. An
organization's failure to comply with the Principles after its self-
certification is enforceable: (1) by the FTC under Section 5 of the
Federal Trade Commission (FTC) Act prohibiting unfair or deceptive acts
in or affecting commerce (15 U.S.C. 45); (2) by the DOT under 49 U.S.C.
41712 prohibiting a carrier or ticket agent from engaging in an unfair
or deceptive practice in air transportation or the sale of air
transportation; or (3) under other laws or regulations prohibiting such
acts.
U.S. organizations considering self-certifying their compliance
pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the
EU-U.S. DPF, and/or the Swiss-U.S. DPF should review the requirements
in their entirety, including the Principles and associated documents
available in full at www.dataprivacyframework.gov.
Revisions to the Fee Schedule
ITA initially implemented a cost recovery program to support the
operation of the EU-U.S. Privacy Shield Framework and the Swiss-U.S.
Privacy Shield Frameworks (collectively, the Privacy Shield program)
and is revising that fee schedule to support the operation of the DPF
program. The cost recovery program will support the administration and
supervision of the DPF program and support services related to the DPF
program, including education and outreach. The revisions to the fee
schedule will become effective October 1st, 2024, which is 30 days
after this final fee schedule was published.
The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield
Framework, published September 30, 2016 (81 FR 67293), describes the
fees implemented by ITA to cover the administration and supervision of
the EU-U.S. Privacy Shield Framework. The first amendment to the Cost
Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework,
published April 4, 2017 (82 FR 16375), describes the additional fees
implemented by ITA to cover the administration and supervision of the
Swiss-U.S. Privacy Shield Framework. Under this revision to the fee
schedule, organizations that opt to self-certify only for the EU-U.S.
DPF, only the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, or
only the Swiss-U.S. DPF will pay a single fee when initially self-
certifying or re-certifying. Organizations that opt to self-certify for
an additional framework will pay an additional 50 percent of that
single fee when self-certifying or re-certifying for the additional
framework, reflecting the efficiency savings in administering the DPF
program for organizations that participate in multiple parts of the DPF
program. As organizations that wish to participate in the UK Extension
to the EU-U.S. DPF must participate in the EU-U.S. DPF, the annual fee
that such organizations are required to pay to ITA to participate in
the EU-U.S. DPF currently covers both the EU-U.S. DPF and the UK
Extension to the EU-U.S. DPF.
These efficiency savings are maximized if organizations self-
certify to multiple parts of the DPF program simultaneously, reducing
the required staff time and resources for reviewing materials. In
addition, organizations that participate in the EU-U.S. DPF and, as
applicable, the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S.
DPF may adjust their annual re-certification due date by re-certifying
early (i.e., before the applicable due date) to the relevant part(s) of
the DPF program.
Although an organization may adjust its annual re-certification due
date by re-certifying early, the re-certification due date would apply
to all parts of the DPF program in which it participates (i.e., re-
certification to the relevant part(s) of the DPF program is
synchronized). For example, if an organization initially self-certified
exclusively to and was placed on the Data Privacy Framework List with
regard to the EU-U.S. DPF, and then several months later self-certified
to and was placed on the Data Privacy Framework List with regard to the
Swiss-U.S. DPF, the organization's next re-certification to both of
those parts of the DPF program would be due by the same date.
Additionally, a fixed annual fee of $260 will be charged per
applicable framework for organizations that withdraw from the relevant
part(s) of the DPF program, retain personal data that they received in
reliance on their participation in the relevant part(s) of the DPF
program, continue to apply the Principles to such data, and affirm to
ITA on an annual basis their commitment to apply the Principles to such
data. This fee has been set to cover staff costs for reviewing the
``Post-Withdrawal, Annual Affirmation Questionnaire'', which must be
submitted by organizations that have chosen the aforementioned option
when withdrawing from the relevant part(s) of the program, as well as
the necessary website infrastructure to facilitate submission of the
proper documents. Additionally, this fee is set to be less than any
organization would be required to pay for re-certification. The fee
schedule is set forth below:
Revised Annual Fee Schedule for the DPF Program
------------------------------------------------------------------------
A single Both
Organization's annual revenue framework frameworks
------------------------------------------------------------------------
$0 to $5 million........................ $260 $390
Over $5 million to $25 million.......... 750 1,125
Over $25 million to $500 million........ 1,600 2,400
Over $500 million to $5 billion......... 4,130 6,195
Over $5 billion......................... 5,530 8,295
------------------------------------------------------------------------
------------------------------------------------------------------------
A single
framework Both frameworks
------------------------------------------------------------------------
Post-withdrawal, annual affirmation $260 $520
fee..................................
------------------------------------------------------------------------
For purposes of the annual fee schedule described above:
``A single framework'' could refer to any of the
following: only the EU-U.S. DPF; only the EU-U.S. DPF and the UK
Extension to the EU-U.S. DPF; or only the Swiss-U.S. DPF
``Both frameworks'' could refer to any of the following:
the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-
U.S. DPF; or only the EU-U.S. DPF and the Swiss-U.S. DPF.
Organizations will have additional direct costs associated with
participating in the DPF program. For
[[Page 70599]]
example, organizations must provide a readily available independent
recourse mechanism to hear individual complaints at no cost to the
individual. Furthermore, organizations are required to make
contributions in connection with the arbitral model, as described in
Annex I to the Principles.
Method for Determining Fees
ITA collects, retains, and expends user fees pursuant to delegated
authority under the Mutual Educational and Cultural Exchange Act as
authorized in its annual appropriations acts. The EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF were developed to
facilitate transatlantic commerce by providing U.S. organizations with
reliable mechanisms for personal data transfers to the United States
from the EU/European Economic Area, UK, and Switzerland. The Data
Privacy Framework program operates in a way that provides strong
privacy protection as well as a more effective and efficient service to
participants at a lower cost than other options, including standard
contractual clauses or binding corporate rules.
Fees are set by taking into account the operational costs borne by
ITA to administer and supervise the Data Privacy Framework program. The
DPF program requires a significant commitment of resources and staff.
These costs include broad programmatic costs to run the program as well
as costs specific to EU-U.S. DPF, the UK Extension to the EU-U.S. DPF,
and the Swiss-U.S. DPF. The DPF program includes commitments from ITA
to:
Maintain, upgrade, and update a DPF program website,
including maintaining the Data Privacy Framework List (i.e., the
authoritative list of U.S. organizations that have self-certified to
the DOC, as represented by ITA, and declared their commitment to adhere
to the Principles);
Verify self-certification requirements submitted by
organizations to participate in the DPF program;
Follow up with organizations that have been removed from
the Data Privacy Framework List and ensure, where applicable, that
questionnaires are correctly filed and processed;
Search for and address false claims of participation;
Conduct periodic compliance reviews and assessments of the
program;
Provide information regarding the program to targeted
audiences;
Increase cooperation with European data protection
authorities;
Facilitate resolution of complaints about non-compliance;
Hold periodic meetings with the European Commission, the
UK government, the Swiss government, and other authorities to review
the program; and
Provide the EU, UK, and Switzerland with updates on laws
relevant to the DPF program.
In setting these revised DPF program fees, ITA determined that the
services provided offer special benefits to an identifiable recipient
beyond those that accrue to the general public. ITA calculated the
actual cost of providing its services in order to provide a basis for
setting each fee. This actual cost incorporates direct and indirect
costs, including operations and maintenance, overhead, and charges for
the use of capital facilities. ITA also took into account additional
factors, including inflation, adequacy of cost recovery, affordability,
and costs associated with alternative options available to U.S.
organizations for the receipt of personal data from the EU, the UK, and
Switzerland. Furthermore, ITA considered the cost-savings and
efficiencies gained in staff hours through simultaneous review of self-
certifications for the EU-U.S. DPF, the UK Extension to the EU-U.S.
DPF, and the Swiss-U.S. DPF. This analysis balanced these cost savings
with projected expenses, including, but not limited to, website
development, further negotiations with the EU, the UK, and Switzerland,
periodic reviews, certification reviews, and facilitating complaint
resolutions.
ITA will continue to use the established five-tiered fee schedule
(see 82 FR 16375) that promoted participation of small organizations in
the Privacy Shield program, while amending the fees at each tier to
account for increased program administration costs. A multiple-tiered
fee schedule allows ITA to offer organizations with lower revenue a
lower fee. In setting the five tiers, ITA considered, in conjunction
with the factors mentioned above: (1) the Small Business
Administration's guidance on identifying small and medium enterprises
(SMEs) in various industries most likely to participate in the DPF
program, such as computer services, software and information services;
(2) the likelihood that small companies would be expected to receive
less personal data and thereby use fewer government resources; and (3)
the likelihood that companies with higher revenue would have more
customers whose data they process, which would use more government
resources dedicated to administering and overseeing the DPF program.
For example, if a company holds more data, it could reasonably produce
more questions and complaints from consumers and European data
protection authorities (DPAs). ITA has committed to facilitating the
resolution of individual complaints and to communicating with the FTC
and the DPAs regarding consumer complaints. Lastly, the fee increases
between the tiers are based in part on projected program costs and
estimated participation levels among companies within each tier.
As noted above, the revisions to the fee schedule recoups the costs
to ITA for operating and maintaining the DPF program. ITA has taken
into account the efficiencies and economies of scale experienced when
organizations participate in multiple Frameworks by providing a 50
percent discount off adding another framework program and requiring
organizations to synchronize their re-certifications. The added cost of
joining an additional framework program reflects the additional
expenses incurred, including, but not limited to, for communications
with DPAs and website infrastructure and development, as well as the
additional costs of cooperating and communicating separately with the
EU, UK, and Swiss representatives and governments. The fee applied to
organizations that withdraw from relevant part(s) of the DPF program,
but that maintain data, is meant to cover the programmatic costs
associated with ITA's processing of such organizations' annual
affirmation of commitment to continue to apply the Principles to the
personal data they received while participating in the relevant part(s)
of the DPF program. The flat fee is based on the expectation that
government resources required to process this annual affirmation will
be similar for all companies, regardless of size.
Based on the information provided above, ITA believes that the
revised DPF program cost recovery fee schedule is consistent with the
objective of OMB Circular A-25 to ``promote efficient allocation of the
nation's resources by establishing charges for special benefits
provided to the recipient that are at least as great as the cost to the
U.S. Government of providing the special benefits . . .'' (OMB Circular
A-25(5)(b)). ITA has provided the public with the opportunity to
comment on the revisions to the fee schedule (89 FR 56289, July 9,
2024). ITA did not receive any comments and is publishing the final fee
schedule 30 days before the final fee schedule becomes effective.
[[Page 70600]]
ITA administers and supervises the DPF program, including maintaining
and making publicly available the Data Privacy Framework List, an
authoritative list of U.S. organizations that have self-certified to
the DOC and declared their commitment to adhere to the Principles
pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the
EU-U.S. DPF, and/or the Swiss-U.S. DPF.
Dated: August 26, 2024.
Lesley Elouaradia,
Acting Deputy Assistant Secretary for Services, Industry & Analysis,
International Trade Administration, U.S. Department of Commerce.
[FR Doc. 2024-19541 Filed 8-29-24; 8:45 am]
BILLING CODE 3510-DR-P
