In order to receive Privacy Shield benefits, an organization must self-certify annually to the Department of Commerce that it agrees to adhere to the Privacy Shield Principles, a detailed set of requirements based on privacy principles such as notice, choice, access, and accountability for onward transfer.
- The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, the Framework allows organizations that submit their self-certification to the Department of Commerce within the first two months (between August 1 and September 30, 2016) up to nine months from the date upon which they certify to bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle.
- During that interim period, where organizations transfer data to a third party, they must (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. https://www.privacyshield.gov/Program-Overview