Israel: New Limitations on Transfers of Personal Data
The Israeli Privacy Protection Authority recently published a draft opinion, open for public comments, addressing transfers of personal data from Israel to other countries. In this opinion, the PPA seeks to clarify the “required changes,” as per the Privacy Protection (Data Security) Regulations, that will allow transfers of data outside the country to a foreign entity.
What Do the Current Regulations Stipulate?
To date, the Privacy Protection Regulations stipulate that personal data cannot be transferred from Israel to another country unless the level of personal data protection in the receiving country meets or exceeds the data security and privacy protection standards in Israel. However, the regulations list several exceptions to this rule, which permit transfers of data abroad. One such exception allows the transfer if the data recipient undertakes to handle the data in conformity with the relevant Israeli rules, with the required changes. Accordingly, the PPA aims to clarify what these “required changes” are that would enable transfers of data outside the country, based on the exception specified in Regulation 2(4).
What is the PPA’s position?
According to the PPA, such undertaking by the entity receiving the data to comply with “the conditions applying in Israel” cannot be fully achieved in all countries. Firstly, it clarified that the exception will not apply if the data recipient in the foreign country does not undertake to comply with the data security and usage rules due to personal or organizational reasons. In other words, a “required change” is not a subjective criterion of the recipient, and personal data cannot be transferred from Israel to a foreign entity without an explicit undertaking to fulfill these obligations.
Furthermore, the undertakings must be identical in content to those stipulated in the Israeli Protection of Privacy Law. For example, the commitments should include prohibiting the use of data for purposes other than those for which it was collected, granting data subjects the right to access their information, and providing data subjects the right to request correction or deletion of their data.
Moreover, if the receiving country does not impose an obligation to register databases, as Israel imposes on databases containing personal data, the recipient’s non-compliance with the database registration obligation pursuant to the Protection of Privacy Law would indeed constitute a “required change” as mandated by Regulation 2(4).
Finally, the PPA clarified that in cases in which data is transferred from Israel based on an agreement that includes the data recipient’s undertaking, the data recipient must also ensure that any relaying of data to an additional entity in the foreign country (a data sub-processor) will comply with the data security rules similar to those applying in Israel.
Implications of the PPA’s Interpretation
The new interpretation may make it easier for Israeli businesses to transfer personal data outside the country while reducing the risk of violating the PPL. This is provided the data recipient fulfills particular obligations:
- Implementing adequate security measures.
- Allowing data subjects to exercise their rights.
- Not relaying the data to third parties without the data subjects’ consent, in accordance with the Israeli standards.
We note this is only a draft opinion, and the PPA’s final interpretation may change after receiving public comments. Therefore, it is important to keep abreast of this matter and ensure compliance with the statutory requirements. Organizations should review their personal data transfer procedures, identify gaps, and develop an action plan to ensure full compliance with the law.
***
Barnea Jaffa Lande’s Privacy, Data Security and Cyber Department at is at your service for any issues pertaining to compliance with various regulations and privacy and data security laws in Israel, Europe, the USA and other countries.
Dr. Avishay Klein is a partner at Barnea Jaffa Lande and heads the department.
Adv. Ben Norman is an associate in the department.