Israel: Information Transferred from European Economic Area
In light of the European Union Commission’s examination to renew the adequacy status granted to Israel in 2011, the Israeli Ministry of Justice has promulgated new privacy protection regulations, called “Provisions Regarding Information Transferred to Israel from the European Economic Area.”
As stated, the European Union is examining if Israel’s privacy protection regulations afford it the status of a country whose level of data protection is on par with the level of protection of personal information customary in EEA countries (the EU countries, Iceland, Norway, and Liechtenstein).
The Ministry of Justice promulgated these new regulations for the purpose of maintaining Israel’s adequacy status. The new regulations prescribe specific obligations applying to organizations that transfer personal information from the EEA to Israel. The main innovation is that these regulations also grant rights to Israeli data subjects, if the database in which the information is stored also contains information transferred from the EEA and relates to Europeans.
Applicability
In practice, the regulations apply to any Israeli company that holds a “database” (as defined in the Privacy Protection Law) and processes and stores personal information, provided to it by a company and originating in the European Union, as part of their database in Israel. On the other hand, the regulations do not apply in situations whereby the personal information is transferred directly from a European citizen to a company in Israel.
In addition, the regulations grant several new rights to the relevant data subjects, when the database contains information transferred from the EEA to Israel:
- The data subject’s right to delete information and a broader right of review.
- Obligations pertaining to the duration of information retention and the deletion of unnecessary information.
- Obligations pertaining to the accuracy of the information and to updating it.
- Obligations pertaining to informing data subjects, directly or indirectly, about details relevant to the information within about one month of receiving it. (This will apparently also require companies to amend the privacy policies they publish in order to duly process and retain personal information.)
Inception
- August 7, 2023, for information transferred from the EEA to a database in Israel as of May 7, 2023.
- May 7, 2024, for information transferred from the EEA to a database in Israel prior to May 7, 2023.
- January 1, 2025, for additional information not subject to the regulations, which is contained in a database that also includes information transferred from the EEA to a database in Israel.
Implications
Israeli companies that hold and manage databases containing EU citizens’ information should prepare as soon as possible for the new regulations, including mapping the relevant databases, updating their privacy policy (to include the new rights granted to data subjects pursuant to the regulations), and formulating an internal policy for handling data subjects’ requests.
The regulations are also likely to trigger internal discussions in all companies about whether or not to adopt a unified practice for all databases and information processing in line with the GDPR.
***
Our firm’s privacy and data protection practice is available to answer questions or provide clarifications in this regard and in relation to other privacy protection and data security issues.
Dr. Avishay Klein heads the Privacy and Cyber practice at Barnea Jaffa Lande.
Adv. Ben Norman is an associate in the practice.