Privacy Evolution: Europe v. Israel
A July decision by the Court of Justice of the European Union has established that, because the United States does not respect the privacy of its citizens in accordance with EU standards, the Privacy Shield mechanism allowing for personal data transfers between Europe and the US can no longer be relied upon. At the same time, in Israel, the Ministry of Justice has published a memorandum that constitutes the first step in adjusting existing law to the digital age.
These two developments in the privacy protection field are intertwined and require attention and preparation by companies operating in Israel.
Stricter European Position – Distancing from the US
The surprising decision by the Court of Justice of the European Union in the Schrems II case may have a large impact on the ability of Israeli companies to collect data about residents of the EU.
For the past several years, the EU has been making it harder to transfer personal data about EU residents to the US. Non-EU companies, including American companies that wish to provide services involving personal data about EU residents (such as cloud services), are required to adopt mechanisms recognized by the EU as being able to protect such data in accordance with the strict European standards.
The original mechanism for EU-US data transfers was titled the “Safe-Harbor Framework.” It was repealed in a decision of the European Court in 2015 (known as the Schrems I decision), and replaced with the “Privacy Shield” mechanism, whereby the American service provider voluntarily subjects itself to the principles of protecting information on par with those of the EU in order to be permitted to receive the information.
The Schrems II judgment by the Court of Justice of the European Union repealed the Privacy Shield mechanism, finding that it does not provide sufficient protection for the personal data of EU citizens.
Repeal of the Privacy Shield mechanism leaves the “Standard Contractual Clauses” as the only legal avenue for the transfer of personal information about EU residents to the US. This is a set of contractual provisions adopted by the EU in the course of implementing the GDPR, which are to be incorporated into a contract between the EU and the American entities. Meeting these provisions is considered an adequate safeguard for the personal data and enables its transfer beyond the borders of the EU. Furthermore, the Court of Justice of the European Union has created an even greater challenge in using the Standard Contractual Clauses mechanism for the purposes of transferring information to the US, in that it has imposed upon the parties the duty to ensure this mechanism does indeed, in the specific circumstances of the transfer, protect the information despite its transfer to the US.
Various regulators in EU member states have already begun responding to this ruling and have set their positions in regard to transferring data to the US. The lack of a uniform regulatory position across the EU may thus create further challenges for different companies.
Put simply, anyone availing themselves of the services of American companies in order to process the personal information of EU residents will be required to ensure there is a valid legal mechanism for continued use of such services. This, of course, applies as well to Israeli companies that use American service providers in the course of their operations in the EU. It seems that updating data processing agreements with such service providers is necessary, and it may even be beneficial to transition to processing information in the EU.
Further, the Israeli privacy protection regulations that govern the transfer of information about Israelis to outside of Israel include several mechanisms for the transfer of the information, some of which reference those mechanisms established by the EU. Accordingly, once the Privacy Shield mechanism is repealed in regard to transfer of information about EU citizens, this also applies directly to the transfer of information about residents of Israel to the US.
Therefore, Israeli companies that transfer information to the US, inter alia, by use of cloud services from international companies or by virtue of their existence as subsidiaries of American companies, must examine whether they meet the requirements of the developing regulation.
New Legislative Initiative in Israel – Updates to the Protection of Privacy Law
Alongside the developments in Europe, which are expected to impact many companies in Israel as well, the Privacy Protection Authority has published a memorandum designed to reduce the scope of the duty to register databases, in order to focus the regulatory activity on databases that pose significant threats to privacy and on supervisory and enforcement activity, thus easing the regulatory burden in terms of registering databases.
At the same time, this amendment will adjust the law's definitions concerning protection of computerized personal information to the technological, social, and economic developments that have occurred since it was enacted, and will align the Israeli legislation with modern mechanisms for personal data protection in leading countries around the world and on the international level, primarily the EU’s information protection regulation. Completing the legislative process will also advance the alignment and unification of the Privacy Protection Law with the Privacy Protection (Data Security) Regulations published in 2017, including enshrining into law the interpretation given by courts to key terms such as “owner of a database” and “holder of a database,” and the distinction between “holder of a database” and “permitted accessor.”
The published memorandum also notes that Israel intends to resume the advancement of Amendment 13 to the Privacy Protection Law, which concerns the powers of criminal and administrative enforcement for violations of the right to privacy. Additionally, it notes that the Ministry of Justice intends to publish another memorandum to complete the required substantive amendment to the Privacy Protection Law. This memorandum will address significant issues, such as the expansion of the legal bases for processing personal data, expansion and update of the list of data subjects’ rights, and arrangements reflecting the liability of the owners and holders of databases.
The need for a comprehensive amendment to the Privacy Protection Law is highlighted in light of the EU’s decision regarding the Privacy Shield, as well as in light of the issues related to privacy protection that have arisen and become more acute during COVID-19, including the use of the Israeli Security Agency’s cellular location technology for purposes of curbing the virus.
In this regard, we note that Israel has enjoyed recognition as a country with adequate privacy protection by the EU (“adequacy finding”) since 2011. This recognition contributes immensely to the trade relations between Israeli companies and Europe. Without it, Israeli companies interested in doing business with Europe would be required to make massive adjustments to their activity in order to meet the strict standard in Europe for privacy protection. Preserving this recognition is another driving force for the advancement of legislative amendments in the area of privacy protection, which has largely remained unchanged since 1981.
Even before the Israeli legislative amendment processes are completed, companies operating in Israel that have trade relations with the United States and with Europe should examine the extent to which they comply with Israeli law and the adjustments required in light of the recent EU decision.