Clients Update – Transfer of Data to Israel from the European Economic Area
8 December 2022
Dear Clients and Colleagues,
We would like to draw your attention to the fact that on 29 November 2022, the Israeli Ministry of Justice published for public comment the Draft Protection of Privacy Regulations (Instructions Regarding Data Transferred to Israel from the European Economic Area), 5782 – 2022 (the “Regulations”), which set specific instructions regarding personal data transferred to Israel from the European Economic Area, which includes the Member States of the EU, and Iceland, Norway and Liechtenstein (the “EEA”), with the exception of data transferred directly by a person about themselves.
The background to the proposed Regulations is the review process that the European Commission is currently conducting with respect to Israel in order to renew the adequacy status accorded to Israel by the EU in 2011, which recognized Israel as a country that provides a level of data protection adequate to that in the EEA. Israel’s adequacy status with the EU is of significant economic importance for the Israeli economy, as it permits organizations in the EEA to transfer personal data to organizations in Israel without the need for additional regulatory obligations on either the transferring party or the receiving party. Without adequacy status, Israeli organizations would be required, in accordance with the terms of the GDPR, to individually undertake to comply with certain obligations in relation to the personal data transferred to them from the EEA.
To this end, the proposed Regulations seek to regulate the following:
- Data Deletion Obligation – An Israeli controller will be required to enable a European data subject to exercise its “right to be forgotten” (which Israeli law has yet to recognize) and to delete data if it was created, received, accumulated or gathered contrary to the provisions of the law, if the continued use of such data violates any law, or if the data is no longer needed for its original purposes (unless the controller implemented reasonable measures to anonymize the data so that it can no longer identify the data subject). The controller will be entitled to refuse a deletion request if one of certain exceptions provided under the Regulations is satisfied, which include, inter alia, maintaining the data for exercising the right of freedom of expression or the people’s “right to know”, fulfilling a legal obligation, protecting a public interest, managing a legal process, etc., to the necessary and proportionate extent for that purpose.
- Retention Limitation of Data that is Not Required – The controller will be required to implement an organizational, technological or other mechanism in order to ensure that the database will not include data which is no longer required for the primary purpose for which it was collected or maintained or for another purpose that legally permits its retention (unless the controller implemented reasonable measures to anonymize the data so that it can no longer identify the data subject). If the data is no longer required, the controller shall delete it as soon as possible given the circumstances (unless one of the exceptions provided under the Regulations that permit the controller to refuse a deletion request, as aforesaid, is satisfied).
- Data Accuracy Obligation – The controller will be required to implement an organizational, technological or other mechanism in order to ensure that the data in the database is correct, complete, clear and up-to-date. If the controller finds that the database contains incorrect, incomplete, unclear or outdated data (based on, inter alia, such mechanism), the controller must implement reasonable measures given the circumstances to rectify or delete the data.
- Notification Obligation – The controller will be required to inform a European data subject (directly or indirectly through the party transferring the data), as soon as possible after receiving the data and no later than one month thereafter, regarding: (a) the identity of the controller and of the database manager, their addresses and their contact details; (b) the purpose for which the data was transferred; (c) the type of data that was transferred; and (d) the data subject’s data deletion right under the Regulations as well as its review and correction rights under Sections 13 and 14 of the Israeli Protection of Privacy Law. The notification obligation will not apply if one of certain exceptions under the Regulations is satisfied, which include, inter alia, if the controller has a reasonable ground to assume that the data subject is aware of the aforesaid details regarding the data transfer, the controller does not know the data subject’s contact details, the implementation of the notification obligation involves an unreasonable burden on the controller’s behalf (taking into consideration the possibility of using the assistance of the party transferring the data), there is a legal confidentiality obligation or prohibition on disclosing the data, the implementation of the notification obligation may harm a person’s life or well-being, etc., to the necessary and proportionate extent for that purpose given the circumstances.
  Insofar as the controller intends to transfer the data to another third party, the controller shall inform the data subject (directly or indirectly through the party transferring the data), as soon as possible and at the latest upon the data transfer, of the same details (which the controller needs to inform the data subject of upon the data’s receipt).
- Definition of “Sensitive Data” – The Regulations determine that data about a person’s origin (including its national affiliation) and data about membership in a labor union which is transferred to a database in Israel will be classified as “sensitive data” in accordance with the definition of such term under Section 7 of the Israeli Protection of Privacy Law, where the implication of such classification under the current legal framework is with respect to the database’s registration obligation in accordance with Section 8(c)(2) of the Israeli Protection of Privacy Law.
- Application – The obligations set under the Regulations will not apply with respect to: (a) data transferred from an agency responsible for security or law enforcement in the EEA to the security agencies in Israel, which include the Israel Police, the Intelligence Branch of the General Staff and the Military Police of the Israel Defense Forces, the General Security Service, the Institute for Intelligence and Special Operations (the Mossad) and the Witness Protection Authority; and (b) use of the data that is necessary for national security or law enforcement purposes, and to the necessary and proportionate extent required for ensuring such purposes.
We note that, despite the clear and obvious need for free transfer of data from the EEA states to Israel and the preservation of Israel’s adequacy status, the proposed framework seems to create, in practice, a hierarchy between European and Israeli data subjects, according to which European data subjects will be invested with broader legal rights than those currently accorded to Israeli data subjects under the current Israeli legal regime. Notwithstanding the question of whether it is right and reasonable to regulate a set of regulations that effectively grants European data subjects legal rights in relation to personal data to which Israeli citizens will not be entitled, we are of the view that it would be only appropriate to introduce such material change through the enactment of primary legislation of the Knesset (the Israeli Parliament) and not through regulations enacted by the Israeli Minister of Justice.
Public comments on the Draft Regulations may be submitted until 20 December 2022.
The full Draft Regulations are available only in Hebrew.
We will be happy to be at your service for any questions or required clarifications.
Herzog Fox & Neeman
Nurit Dagan | Partner
Tel: 03 692 7424
dagan@herzoglaw.co.il
coheng@herzoglaw.co.il