If your organization wishes to withdraw from the Privacy Shield, it must contact the Privacy Shield Team at the Department of Commerce’s International Trade Administration (ITA).  Your organization must complete and return to the Privacy Shield Team a withdrawal questionnaire to verify what your organization will do with the personal information that it received while participating in the Privacy Shield, and if personal information will be retained who within your organization will serve as an ongoing point of contact for Privacy Shield-related questions.  Your organization must verify which of the following it will do with respect to the personal data received in reliance upon the Privacy Shield:
  • Retain such data, continue to apply the Privacy Shield Principles to such data, and affirm to the Department on an annual basis its commitment to apply the Principles to such data;
  • Retain such data and provide “adequate” protection for such data by another authorized means; or
  • Return or delete all such data by a specified date.
Your organization must also cease making any claims (explicit or implicit), whether on its website or in other materials (e.g., any privacy policy or marketing materials), that it participates in or complies with Privacy Shield and may receive personal data pursuant to the Privacy Shield.

Upon confirming your organization's withdrawal, the Privacy Shield Team will remove your organization from the Privacy Shield List and add your organization to the authoritative record of U.S. organizations that had previously self-certified to the Department, but have been removed from the Privacy Shield List with an indication that your organization had requested to withdraw.  This record will be accessible from the Privacy Shield website.  Upon your organization’s removal from the Privacy Shield List, your organization may no longer avail itself of Privacy Shield benefits.

If your organization elects at the time of its withdrawal to retain the personal data received in reliance upon the Privacy Shield, continue to apply the Privacy Shield Principles to such data, and affirm to the Department on an annual basis that it continues to apply the Principles to such data, your organization must do the following once a year after its withdrawal unless it subsequently provides “adequate” protection for such data by another authorized means or returns or deletes all such data, and notifies the Department of this action:
  • Complete and return to the Privacy Shield Team a post-withdrawal questionnaire to verify what was done with respect to the personal data received in reliance upon the Privacy Shield that your organization had indicated at the time of its withdrawal would be retained and what it will do with respect to any such data retained by your organization, as well as who within your organization will serve as an ongoing point of contact for Privacy Shield-related questions. 
  • Pay a $200 fee for each applicable Privacy Shield framework to the ITA.

Change in Corporate Status:
If your organization wishes to withdraw from the Privacy Shield due to a change in corporate status, it must nevertheless contact the Privacy Shield Team and follow applicable withdrawal procedures.  An organization that participates in the Privacy Shield generally must notify the Department in advance if there will be a change in the organization’s corporate status, such as a result of a merger, takeover, bankruptcy or dissolution.  The notification should indicate whether the organization will:
  • Continue to participate in the Privacy Shield through the existing self-certification or through an existing self-certification of another entity (e.g., as a subsidiary of the acquiring entity that already participates in the Privacy Shield);
  • Elect to self-certify as a new participant in the Privacy Shield (e.g., self-certify in the name of the new entity created by the merger); or
  • Withdraw from the Privacy Shield.