Another Domino Falls on the Data Protection Table re: Israel Privacy Protection Regulations of 2001
As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more. Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US.
The next domino outside the European Union has toppled. The Israeli Law, Information and Technology Authority (ILITA) has revoked its prior authorization for data transfers from Israel to the US that are based on Safe Harbor. Israel’s privacy law (the Israel Privacy Protection Regulations of 2001) is Euro-centric: it prohibits the transfer of data from a database in Israel to a location outside its borders unless the law of the data importer’s country ensures a level of protection that is equal to or greater than Israeli law. Like the EU DPD, the Israel law contains several “derogations,” including one that authorizes the transfer of personal data from Israel to a country to which the EU permits data transfers. Based on the CJEU decision in the Schrems case, the ILITA announced that companies can no longer rely on this derogation as a basis for transfer.
This is another imperative for companies to understand their data flows and get a Plan B in place yesterday. Once the data flow is understood, one of the other derogations of the Israeli privacy law may be available to legitimize the transfer.
The ILITA advises that it continues to assess the Schrems decision and will publish additional information and other clarifications “if necessary”.
Israel’s data protection law received what is called an “adequacy” determination under the EU Data Protection Directive, ensuring that personal data can be transferred from the EU to Israel without reliance on other methods, such as model contractual clauses. The real question for US companies now is whether other countries such as Argentina, Uruguay, Canada, Switzerland will follow Israel. We continue advise that US companies urgently evaluate their data flows, form a plan for taking remedial measures to supplant Safe Harbor, and start to execute on that plan.