Self-Certifications under the Data Privacy Framework Program

OMB Control No: 0625-0280	ICR Reference No: 202605-0625-004
Status: Received in OIRA	Previous ICR Reference No: 202306-0625-002
Agency/Subagency: DOC/ITA	Agency Tracking No:
Title: Self-Certifications under the Data Privacy Framework Program
Type of Information Collection: Extension without change of a currently approved collection	Common Form ICR:  No
Type of Review Request: Regular	Date Submitted to OIRA: 06/01/2026

	Requested	Previously Approved
Expiration Date	36 Months From Approved	07/31/2026
Responses	4,575	4,775
Time Burden (Hours)	2,977	3,062
Cost Burden (Dollars)	232,234	217,091

---

Abstract: The United States, the European Union (EU), the United Kingdom (UK), and Switzerland share a commitment to enhancing privacy protection, the rule of law, and a recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies, but take different approaches to doing so. Given those differences, the DOC developed the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF in consultation with the European Commission, the UK Government, the Swiss Federal Administration, industry, and other stakeholders. These arrangements were respectively developed to provide U.S. organizations reliable mechanisms for personal data transfers to the United States from the European Union, the United Kingdom (and, as applicable, Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. The DOC issued the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles, including the respective sets of Supplemental Principles (collectively the Principles) and Annex I of the Principles, as well as the UK Extension to the EU-U.S. DPF under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. § 1512). ITA administers and supervises the Data Privacy Framework program, including by maintaining and making publicly available the Data Privacy Framework List, an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Principles pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. Such organizations must respond promptly to inquiries and requests from ITA for information relating to their adherence to the Principles. On the basis of the Principles, Executive Order 14086, 28 CFR part 201, and accompanying letters and materials, including ITA’s commitments regarding the administration and supervision of the Data Privacy Framework program, the European Commission, the UK Government, and the Swiss Federal Administration have respectively recognized the adequacy of the protection provided by the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF , and the Swiss-U.S. DPF thereby enabling personal data transfers from each respective jurisdiction to U.S. organizations participating in the relevant part of the Data Privacy Framework program. To initially self-certify or subsequently re-certify for the EU-U.S. DPF and, as applicable, UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, an organization must on each occasion provide to the DOC a submission that contains the relevant information specified in the Principles. The submission must be made via the DOC's Data Privacy Framework program website by an individual within the organization who is authorized to make representations on behalf of the organization and any of its covered U.S. entities regarding its adherence to the Principles. Such an organization must respond promptly to inquiries and other requests for information from the DOC.

---

Authorizing Statute(s): US Code: 15 USC 1512

Citations for New Statutory Requirements: None

---

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

---

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	91 FR 8438	02/23/2026
30-day Notice:	Federal Register Citation:	Citation Date:
	91 FR 32375	06/01/2026
Did the Agency receive public comments on this ICR? No

---

Number of Information Collection (IC) in this ICR: 5

IC Title Form No. Form Name Compliance Review Questionnaire Data Privacy Framework (DPF) Program Self-Certification / Re-Certification Application Form Failure to Re-certify Questionnaire Post-withdrawal, Annual Affirmation Questionnaire Withdrawal Questionnaire

---

ICR Summary of Burden

	Total Request	Previously Approved	Change Due to New Statute	Change Due to Agency Discretion	Change Due to Adjustment in Estimate	Change Due to Potential Violation of the PRA
Annual Number of Responses	4,575	4,775	0	-200	0	0
Annual Time Burden (Hours)	2,977	3,062	0	-85	0	0
Annual Cost Burden (Dollars)	232,234	217,091	0	15,143	0	0

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Miscellaneous Actions

Burden decreases because of Program Change due to Agency Discretion: Yes

Burden Reduction Due to: Miscellaneous Actions

Short Statement: The adjusted figures and by extension the estimates provided are projections that take into account (1) the number of “responses” (i.e., the self-certification form-based initial self-certification and re-certification applications, and the four different types of questionnaires) that were received, reviewed, and processed in the preceding twelve-month period or calendar year, (2) the revisions to the applicable fee schedule that entered into effect on October 1, 2024, and amended the respective amounts of the applicable fees, and (3) increases in the respective, average hourly rates of the relevant types of individuals (i.e., lawyer and manager respondents with regard to Question 12, and DOC employees and contractors with regard to Question 14) performing the tasks directly associated with the “responses” that were received, reviewed, and processed in the preceding twelve-month period or calendar year.

---

Annual Cost to Federal Government: $615,645

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination.     Yes

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination.     Yes

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Katelynn Byers 317 550-6120 [email protected]

---

Common Form ICR:  No

---

On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
		(a) It is necessary for the proper performance of agency functions;
		(b) It avoids unnecessary duplication;
		(c) It reduces burden on small entities;
		(d) It uses plain, coherent, and unambiguous language that is understandable to respondents;
		(e) Its implementation will be consistent and compatible with current reporting and recordkeeping practices;
		(f) It indicates the retention periods for recordkeeping requirements;
		(g) It informs respondents of the information called for under 5 CFR 1320.8 (b)(3) about:
			(i) Why the information is being collected;
			(ii) Use of information;
			(iii) Burden estimate;
			(iv) Nature of response (voluntary, required for a benefit, or mandatory);
			(v) Nature and extent of confidentiality; and
			(vi) Need to display currently valid OMB control number;
		(h) It was developed by an office that has planned and allocated resources for the efficient and effective management and use of the information to be collected.
		(i) It uses effective and efficient statistical survey methodology (if applicable); and
		(j) It makes appropriate use of information technology.
If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.
Certification Date: 06/01/2026

---