© All rights reserved to Barnea Jaffa Lande Law offices

Transfer of Personal Data Abroad: Israeli PPA Sharpens Requirements for Organizations

Summary

  1. The Israeli Privacy Protection Authority (PPA) has published a position paper clarifying its interpretation of Regulation 2(4) regarding the transfer of personal data abroad. In this context, it emphasizes the requirements applicable to organizations transferring data outside of Israel, including to the United States.
  2. The position paper states that it is not possible to rely on a broad interpretation of the phrase “with necessary modifications” and requires substantive alignment with the requirements of Israeli law, including with respect to data use, data subject rights, confidentiality, and data security.
  3. Alongside the contractual route under Regulation 2(4), alternative mechanisms for transferring data abroad include transfers to countries with an adequate level of protection, obtaining the informed consent of the data subject, or transfers within a corporate group.
  4. In practice, organizations must map their data transfer mechanisms, review existing agreements, and align them with the PPA’s requirements, while mitigating compliance risks, particularly in light of the expansion of enforcement powers and administrative sanctions.

This week, the Israeli Privacy Protection Authority (PPA) published a position paper clarifying its interpretation of Regulation 2(4) of the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 2001. Although issued as interpretive guidance rather than binding regulation, the position paper is likely to carry meaningful practical weight and have a significant impact on organizations transferring personal data from Israel to jurisdictions such as the United States. It is particularly significant in light of the enhanced enforcement powers and substantially increased administrative fines introduced under Amendment 13 to the Privacy Protection Law.

 

Current Situation

 

Under Israeli law, transferring personal data outside Israel is generally restricted unless the recipient country ensures a level of protection no less than that afforded under Israeli law. Regulation 2(4) provides one exception: a data controller may transfer data abroad if the recipient contractually undertakes to comply, mutatis mutandis, with Israeli requirements regarding the holding and use of the data.

 

The Position Paper’s Main Innovation

 

The PPA’s position paper clarifies that the mutatis mutandis qualifier is not an open-ended standard: a recipient may not rely on its own organizational or legal constraints to justify non-compliance.

 

According to the position paper, agreements relying on this mechanism must include commitments that are substantively equivalent to the obligations imposed under Israeli law, including:

  • A prohibition on using personal data beyond the purpose for which it was originally transferred.
  • Data subject rights of access, rectification, and erasure.
  • Confidentiality obligations.
  • Information security standards consistent with Israeli regulations or, alternatively, ISO/IEC 27001 certification together with compliance with the specific provisions listed in PPA Directive 3/2018.

 

Where the transferred dataset also contains data originating from the European Economic Area, the recipient must additionally undertake to comply with the obligations set out in Regulations 3-7 of the Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 2023.

 

Alternative Methods for Transferring Data Abroad

 

While this position paper reflects the PPA’s official position, organizations are not required to rely exclusively on Regulation 2(4) to transfer data lawfully from Israel. Several well-established alternatives remain available and, in practice, may be significantly easier to implement when dealing with global technology vendors:

  • Transfers to adequate jurisdictions: Data may be transferred to countries whose laws ensure a comparable level of protection, including EU member states.
  • Data subject consent: Transfers to any destination, including the United States, may be permitted where the data subject has provided explicit, informed, and freely given consent, provided the data subject was notified in advance of the transfer.
  • Intra-group transfers: Data may be transferred to an affiliate or subsidiary under the same controlling entity as the Israeli database owner.

 

Practical Takeaways

 

For organizations transferring data to US-based cloud or service providers, the contractual route under Regulation 2(4) may be difficult to operationalize in full, as major vendors are unlikely to tailor their data processing agreements to Israeli statutory requirements. That said, organizations should not assume that their existing agreements are necessarily deficient. Many of the substantive obligations highlighted in the position paper, including purpose limitation, data subject rights, confidentiality, and security standards, are also reflected in frameworks such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar privacy regimes.

 

Where an existing agreement already reflects these requirements, it may provide a meaningful, though not necessarily complete, basis for alignment with the position paper. As a practical next step, organizations should map the transfer mechanism on which they currently rely, assess whether existing contractual terms address the core obligations identified by the PPA, and consider targeted amendments where gaps are identified. Even if full alignment with the PPA’s position is not achievable in every case, a legal assessment and structured remediation process can help reduce compliance risk.

 

 

Dr. Avishay Klein is a partner and head of the firm’s Privacy, Cyber & AI Department.

 

Adv. Eviatar Rich is an associate in the firm’s Privacy, Cyber & AI Department.

 

The firm’s Privacy, Cyber & AI Department is available to assist in examining existing data transfer mechanisms, identifying gaps against the PPA’s requirements, and reducing compliance risks.

 

Tags: Data Protection | Personal data | Privacy