Agency Information Collection Activities; Submission to the Office of Management and Budget (OMB) for Review and Approval; Comment Request; Self-Certifications Under the Data Privacy Framework Program

Issuing agencies

Abstract

The Department of Commerce, in accordance with the Paperwork Reduction Act of 1995 (PRA), invites the general public and other Federal agencies to comment on proposed and continuing information collections, which helps us assess the impact of our information collection requirements and minimize the public's reporting burden. The purpose of this notice is to allow for 60 days of public comment preceding submission of the collection to OMB.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 35 (Monday, February 23, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 35 (Monday, February 23, 2026)]
[Notices]
[Pages 8438-8440]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-03469]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration


Agency Information Collection Activities; Submission to the 
Office of Management and Budget (OMB) for Review and Approval; Comment 
Request; Self-Certifications Under the Data Privacy Framework Program

AGENCY: International Trade Administration, Commerce.

ACTION: Notice of information collection, request for comment.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce, in accordance with the Paperwork 
Reduction Act of 1995 (PRA), invites the general public and other 
Federal agencies to comment on proposed and continuing information 
collections, which helps us assess the impact of our information 
collection requirements and minimize the public's reporting burden. The 
purpose of this notice is to allow for 60 days of public comment 
preceding submission of the collection to OMB.

DATES: To ensure consideration, comments regarding this proposed 
information collection must be received on or before April 24, 2026.

ADDRESSES: Interested persons are invited to submit written comments to 
David Ritchie, Senior Policy Advisor, International Trade 
Administration, Department of Commerce by email to 
<a href="/cdn-cgi/l/email-protection#8febffe9a1fffde0e8fdeee2cffbfdeeebeaa1e8e0f9"><span class="__cf_email__" data-cfemail="c9adb9afe7b9bba6aebba8a489bdbba8adace7aea6bf">[email&#160;protected]</span></a> or <a href="/cdn-cgi/l/email-protection#8bdbd9cacbfff9eaefeea5ece4fd"><span class="__cf_email__" data-cfemail="78282a39380c0a191c1d561f170e">[email&#160;protected]</span></a>. Please reference OMB Control 
Number 0625-0280 in the subject line of your comments. Do not submit 
Confidential Business Information or otherwise sensitive or protected 
information.

FOR FURTHER INFORMATION CONTACT: Requests for additional information or 
specific questions related to collection activities should be directed 
to David Ritchie, Senior Policy Advisor, International Trade 
Administration, Department of Commerce by email to 
<a href="/cdn-cgi/l/email-protection#345044521a44465b534655597440465550511a535b42"><span class="__cf_email__" data-cfemail="5b3f2b3d752b29343c293a361b2f293a3f3e753c342d">[email&#160;protected]</span></a> or <a href="/cdn-cgi/l/email-protection#c8989a8988bcbaa9acade6afa7be"><span class="__cf_email__" data-cfemail="e1b1b3a0a19593808584cf868e97">[email&#160;protected]</span></a>, or by phone at 202-482-1512.

SUPPLEMENTARY INFORMATION:

I. Abstract

    The United States, the European Union (EU), the United Kingdom 
(UK), and Switzerland share a commitment to enhancing privacy 
protection, the rule of law, and a recognition of the

[[Page 8439]]

importance of transatlantic data flows to our respective citizens, 
economies, and societies, but take different approaches to doing so. 
Given those differences, the Department of Commerce (DOC) developed the 
EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the 
EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and 
the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) in consultation 
with the European Commission, the UK Government, the Swiss Federal 
Administration, industry, and other stakeholders. These arrangements 
were respectively developed to provide U.S. organizations reliable 
mechanisms for personal data transfers to the United States from the 
European Union/European Economic Area, the United Kingdom (and, as 
applicable, Gibraltar), and Switzerland while ensuring data protection 
that is consistent with EU, UK, and Swiss law.
    The DOC issued the EU-U.S. DPF Principles and the Swiss-U.S. DPF 
Principles, including the respective sets of Supplemental Principles 
(collectively the Principles) and Annex I of the Principles, as well as 
the UK Extension to the EU-U.S. DPF under its statutory authority to 
foster, promote, and develop international commerce (15 U.S.C. 1512). 
The International Trade Administration (ITA) administers and supervises 
the Data Privacy Framework program, including by maintaining and making 
publicly available the Data Privacy Framework List, an authoritative 
list of U.S. organizations that have self-certified to the DOC and 
declared their commitment to adhere to the Principles pursuant to the 
EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, 
and/or the Swiss-U.S. DPF. On the basis of the Principles, Executive 
Order 14086, 28 CFR part 201, and accompanying letters and materials, 
including ITA's commitments regarding the administration and 
supervision of the Data Privacy Framework program, the European 
Commission, the UK Government, and the Swiss Federal Administration 
have respectively recognized the adequacy of the protection provided by 
the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-
U.S. DPF thereby enabling personal data transfers from each respective 
jurisdiction to U.S. organizations participating in the relevant part 
of the Data Privacy Framework program.
    In order to participate in the EU-U.S. DPF and, as applicable, the 
UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF an 
organization must (a) be subject to the investigatory and enforcement 
powers of the Federal Trade Commission (FTC), the Department of 
Transportation (DOT), or another statutory body that will effectively 
ensure compliance with the Principles; (b) publicly declare its 
commitment to comply with the Principles; (c) publicly disclose its 
privacy policies in line with the Principles; and (d) fully implement 
them.
    While the decision by an organization to self-certify its 
compliance pursuant to the EU-U.S. DPF and, as applicable, the UK 
Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and by 
extension participate in the Data Privacy Framework program is 
voluntary; effective compliance is compulsory: organizations that self-
certify to the DOC and publicly declare their commitment to adhere to 
the Principles must comply fully with the Principles. Organizations 
that only wish to self-certify their compliance pursuant to the EU-U.S. 
DPF and/or the Swiss-U.S. DPF may do so; however, organizations that 
wish to participate in the UK Extension to the EU-U.S. DPF must 
participate in the EU-U.S. DPF. Such organizations' commitment to 
comply with the Principles with regard to transfers of personal data 
from the European Union and, as applicable, the United Kingdom, and/or 
Switzerland must be reflected in their self-certification submissions 
to the DOC, and in their privacy policies. An organization's failure to 
comply with the Principles after its self-certification is enforceable 
by the FTC under Section 5 of the Federal Trade Commission (FTC) Act 
prohibiting unfair or deceptive acts in or affecting commerce (15 
U.S.C. 45); by the DOT under 49 U.S.C. 41712 prohibiting a carrier or 
ticket agent from engaging in an unfair or deceptive practice in air 
transportation or the sale of air transportation; or under other laws 
or regulations prohibiting such acts.
    To rely on the EU-U.S. DPF and, as applicable, the UK Extension to 
the EU-U.S. DPF, and/or the Swiss-U.S. DPF for transfers of personal 
data from the European Union and, as applicable, the United Kingdom, 
and/or Switzerland an organization must self-certify its adherence to 
the Principles to the DOC, and both be placed and remain on the Data 
Privacy Framework List. The DOC will update the Data Privacy Framework 
List on the basis of annual re-certification submissions made by 
participating organizations and by removing organizations when they 
voluntarily withdraw, fail to complete the annual re-certification in 
accordance with the DOC's procedures, or are found to persistently fail 
to comply. The DOC will also maintain and make available to the public 
an authoritative record of U.S. organizations that have been removed 
from the Data Privacy Framework List and will identify the reason each 
organization was removed. The aforementioned authoritative list and 
record will remain available to the public on the DOC's Data Privacy 
Framework program website. Any organization removed from the Data 
Privacy Framework List must cease making claims that it participates in 
or complies with the EU-U.S. DPF and, as applicable, the UK Extension 
to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and that it may receive 
personal information pursuant to same. Such an organization must 
nevertheless continue to apply the Principles to such personal 
information that it received while it participated in the EU-U.S. DPF 
and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the 
Swiss-U.S. DPF for as long as it retains such personal information.
    To initially self-certify or subsequently re-certify for the EU-
U.S. DPF and, as applicable, UK Extension to the EU-U.S. DPF, and/or 
the Swiss-U.S. DPF, an organization must on each occasion provide to 
the DOC a submission that contains the relevant information specified 
in the Principles. The submission must be made via the DOC's Data 
Privacy Framework program website by an individual within the 
organization who is authorized to make representations on behalf of the 
organization and any of its covered U.S. entities regarding its 
adherence to the Principles. Such an organization must respond promptly 
to inquiries and other requests for information from the DOC relating 
to the organization's adherence to the Principles.
    ITA has committed to follow up with organizations that have been or 
wish to be removed from the Data Privacy Framework List. ITA will 
direct organizations that allow their self-certifications to lapse to 
verify whether they intend to re-certify or instead intend to withdraw. 
An organization that intends to re-certify will be required to further 
verify to the DOC that during the lapse of its certification status it 
applied the Principles to relevant personal data received in reliance 
on its participation in the Data Privacy Framework program and clarify 
what steps it will take to address the outstanding issues that have 
delayed its re-certification. An organization that intends to withdraw 
will be required to further verify to the DOC what it will do and/or 
has done (as applicable) with the relevant personal data that it 
received in reliance on its participation in the Data

[[Page 8440]]

Privacy Framework program (i.e., (a) retain such data, continue to 
apply the Principles to such data, and affirm to the DOC on an annual 
basis its commitment to apply the Principles to such data; (b) retain 
such data and provide ``adequate'' protection for such data by another 
authorized means; or (c) return or delete all such data by a specified 
date) and who within the organization will serve as an ongoing point of 
contact for Principles-related questions. Organizations will be 
required to provide such verification to the DOC by completing and 
submitting appropriate questionnaires to the DOC.
    ITA has also committed to conduct compliance reviews on an ongoing 
basis, including, as appropriate, through sending detailed 
questionnaires to participating organizations. The DOC will require 
that a participating organization complete and submit to the DOC such a 
questionnaire when: (a) the DOC has received any specific, nonfrivolous 
complaints about the organization's compliance with the Principles; (b) 
the organization does not respond satisfactorily to inquiries by the 
DOC for information relating to the organization's adherence to the 
Principles; or (c) there is credible evidence that the organization 
does not comply with its commitments under the EU-U.S. DPF and, as 
applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. 
DPF.

II. Method of Collection

    Organizations would make their initial self-certification, as well 
as annual re-certification submissions under the Data Privacy Framework 
program (i.e., the EU-U.S. DPF and, as applicable, the UK Extension to 
the EU--U.S. DPF, and/or the Swiss-U.S. DPF) to the DOC online via the 
DOC's Data Privacy Framework program website (<a href="https://www.dataprivacyframework.gov/">https://www.dataprivacyframework.gov/</a>). Organizations would complete and submit 
Data Privacy Framework program questionnaires to the DOC online via the 
DOC's Data Privacy Framework program website or via email at 
<a href="/cdn-cgi/l/email-protection#c5a1b5a3ebb5b7aaa2b7a4a885b1b7a4a1a0eba2aab3"><span class="__cf_email__" data-cfemail="ec889c8ac29c9e838b9e8d81ac989e8d8889c28b839a">[email&#160;protected]</span></a> (as applicable) in accordance with Data Privacy 
Framework program requirements.
    The DOC previously requested and obtained approval of this 
information collection, which has allowed the DOC, as represented by 
ITA, to collect information from organizations in the United States to 
enable them to self-certify their commitment to comply with the 
Principles (OMB Control Number 0625-0280). More information on self-
certification, including annual re-certification under the Data Privacy 
Framework program is available on the DOC's Data Privacy Framework 
program website (<a href="https://www.dataprivacyframework.gov/">https://www.dataprivacyframework.gov/</a>).

III. Data

    OMB Control Number: 0625-0280.
    Form Number(s): None.
    Type of Review: Regular submission, extension of a current 
information collection.
    Affected Public: Primarily businesses or other for-profit 
organizations.
    Estimated Number of Respondents: 4,575.
    Estimated Time per Response: 40 minutes.
    Estimated Total Annual Burden Hours: 2,977.
    Estimated Total Annual Cost to Public: $7,783,710.
    Respondent's Obligation: Voluntary.
    Legal Authority: The DOC's statutory authority to foster, promote, 
and develop the foreign and domestic commerce of the United States (15 
U.S.C. 1512).

IV. Request for Comments

    We are soliciting public comments to permit the Department/Bureau 
to: (a) Evaluate whether the proposed information collection is 
necessary for the proper functions of the Department, including whether 
the information will have practical utility; (b) Evaluate the accuracy 
of our estimate of the time and cost burden for this proposed 
collection, including the validity of the methodology and assumptions 
used; (c) Evaluate ways to enhance the quality, utility, and clarity of 
the information to be collected; and (d) Minimize the reporting burden 
on those who are to respond, including the use of automated collection 
techniques or other forms of information technology.
    Comments that you submit in response to this notice are a matter of 
public record. We will include or summarize each comment in our request 
to OMB to approve this information collection request (ICR). Before 
including your address, phone number, email address, or other personal 
identifying information in your comment, you should be aware that your 
entire comment--including your personal identifying information--may be 
made publicly available at any time. While you may ask us in your 
comment to withhold your personal identifying information from public 
review, we cannot guarantee that we will be able to do so.

Sheleen Dumas,
Departmental PRA Compliance Officer, Office of the Under Secretary for 
Economic Affairs, Commerce Department.
[FR Doc. 2026-03469 Filed 2-20-26; 8:45 am]
BILLING CODE 3510-DR-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>