Commerce Seeks Feedback on EU Data Privacy Self-Certs
Published Date: 2/23/2026
Notice
Summary
The Department of Commerce is asking for public feedback on a form that U.S. companies use to prove they protect personal data when sharing it with the EU, UK, and Switzerland. This helps keep data safe and supports international business. Comments are open until April 24, 2026, and this process aims to keep paperwork easy and efficient for everyone involved.
Analyzed Economic Effects
4 provisions identified: 1 benefit, 3 costs, 0 mixed.
Paperwork burden and cost estimates
For U.S. businesses that would self-certify under the Data Privacy Framework, the Department of Commerce estimates that 4,575 respondents will each spend about 40 minutes per submission, totaling 2,977 annual burden hours and an estimated total annual cost to the public of $7,783,710. The information collection is voluntary, but the DOC is seeking public comment on these estimates by April 24, 2026.
Allows U.S. firms to receive EU/UK/Swiss data
If your U.S. organization self-certifies and is placed on the DOC's Data Privacy Framework List, you may receive personal data transfers from the European Union, the United Kingdom (including Gibraltar as applicable), and Switzerland under the EU‑U.S., UK Extension, and Swiss‑U.S. Data Privacy Frameworks. Participation requires a public commitment and publicly disclosed privacy policies as described in the Framework Principles.
Self-certify but face enforceable obligations
If your organization self-certifies, compliance with the Framework Principles is compulsory and enforceable: failures to comply may be subject to enforcement by the Federal Trade Commission under Section 5 (15 U.S.C. 45), by the Department of Transportation under 49 U.S.C. 41712, or under other laws. An organization that fails to comply may be removed from the Data Privacy Framework List and must stop claiming it participates in the Framework.
Annual recertification and post-removal duties
To remain on the Data Privacy Framework List, organizations must submit annual re-certifications via the DOC website; the DOC will remove organizations that withdraw or fail to complete annual re-certification. If certification lapses or an organization withdraws, the DOC requires verification of whether the firm will re-certify or will (a) retain the data and continue to apply the Principles and affirm annually, (b) retain the data with another authorized means of adequate protection, or (c) return or delete the data by a specified date. The DOC also may require organizations to complete detailed questionnaires during compliance reviews.