a.    Internet Service Providers (“ISPs”), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information.  As is the case with the Directive itself, the Privacy Shield does not create secondary liability.  To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable.