Approval of New Privacy Regulations to Retain the Adequacy Status of Israel under GDPR

The approval of these regulations is a necessary step to retain the European Commission's decision recognizing Israel as a country whose level of data protection is adequate under the GDPR to allow free flow of personal data from EU countries to Israel.
 
New Regulations to Improve Privacy Compliance
On April 24, 2023, new regulations under the Israeli Privacy Protection Law were approved, improving the legal protection of privacy rights of individuals, in response to an audit conducted by the European Commission to renew the adequacy status granted to Israel in 2011 in connection with Article 45 of the GDPR.

The European Commission's adequacy decision reflected a recognition of Israel as a country having an adequate level of data protection, allowing personal data to flow from any EEA country to Israel as if it were transferred between EU states. Without the adequacy decision, many Israeli entities, businesses, or public bodies that receive personal data from the EU would be forced to provide a specific contractual undertaking to maintain adequate protection of personal data, increasing transaction costs significantly.

The new regulations, known as the "Privacy Protection Regulations (Instructions Regarding Data Transfers from the European Economic Area (EEA) to Israel), 5783-2023", were unanimously approved by the Constitution, Law, and Justice Committee of the Knesset (the Israeli parliament) and will take effect gradually in the coming months as detailed below.
 
Closing gaps of current privacy legislation
These regulations are intended to bridge the statutory gaps in the Israeli Privacy Protection Law, which has not been revised since 1996, and it is expected that the Israeli legislators will restart the process for such an amendment soon. Although the regulations impose new burdens on Israeli businesses, they are relatively "soft" compared to full GDPR compliance requirements.
The regulations introduce new obligations on Israeli 'Database Owners' (controllers) and corresponding rights for data subjects whose personal data is transferred from the EEA to Israel. Here are some key takeaways with respect to those regulations and their effect on privacy laws in Israel:
  1. Validity: The regulations will apply to data originating from the EU that is processed or managed in a database in Israel.
  2. Right to delete personal data: The controller must delete data upon request if it was unlawfully collected or created, or if it is no longer necessary for its purposes (as opposed to the GDPR, under which additional grounds for deletion are available). This changes the current legal position, which allows deletion only in the case of inaccuracies. Exceptions must be based on reasonable grounds and include, among others, compliance with a legal obligation, legal proceedings, debt collection, and so forth. Anonymous data may still be used for statistical purposes even after deletion.
  3. Identify and delete excess processed data: The controller must ensure that only necessary data is retained and delete data that is no longer necessary for the purposes for which the personal data is processed, which requires the controller to actively and periodically assess the processed data through technical and organizational measures.
  4. Maintaining personal data accuracy: The controller must adopt technical and organizational measures to keep personal data complete, accurate, clear, and up-to-date, and delete outdated data.
  5. Disclosure obligation: Expanding the current disclosure requirement to provide proper privacy notice to data subjects and actively enable it within no more than one month, with respect to the identity of the controller and the database administrator, purpose of processing and types of data, privacy rights, etc. Exceptions apply in cases of unreasonable burden, lack of contact details, assumed awareness, or for protecting journalism activity.
  6. Sensitive Information: A broadened definition of "Sensitive Information" to include information about a person's origin and trade union membership, for EEA-originated data only.
 
Applicability
The new regulations will apply to Israeli 'databases' that contain personal data originating from the EEA, including data originating from Israel or other jurisdictions to the extent available in such a database, provided that the data was collected indirectly through a third-party processor. If data subjects submitted their personal data directly to the controller, these regulations will not apply (in addition to other exceptions of national security and law enforcement).
 
Effect
With respect to any new database or processing activities, the regulations will enter into effect within three months from the date of publication (the regulations have not yet been officially published). Current databases or processing activities will enjoy a 12-month grace period until the regulations take effect. It is possible that "mixed" databases with personal data of non-EEA data subjects will have a longer grace period.
 
Recommendations
  1. Map the personal data in your IT systems, check for transfers from the EEA, and determine whether European data is associated with specific data subjects (such as users, customers, employees, etc.).
  2. Assess your databases and their registration with the Privacy Protection Authority, separating regulated data into different databases.
  3. Adopt technical and organizational measures to implement policies for deleting, limiting, and retaining data and ensuring its accuracy.
  4. Review your privacy notices and the means of disclosing them to data subjects.
  5. Consider adopting specific provisions in your DPA forms or service agreements in connection with processing of personal data from the EEA.
 
To review the draft regulations (in Hebrew) click here.
 
If you have any additional questions, please do not hesitate to contact the privacy protection department of our office.

The information provided in this document is not intended to replace legal advice and is only intended as general information.

 Adv. Amit Davidson has participated in the preparation of this client update.
Lior Etgar
Partner, Leads the Data Protection and Privacy Practice

 
 Phone: 03-7770120
About Our Privacy and Data Protection Department

The Privacy and Data Protection department provides our clients comprehensive legal service in the areas of technology, privacy risk management, research and development, including complex technological applications that combine information processing, online and SaaS service operations and technological products. In doing so, we help our clients navigate safely between the regulatory worlds of privacy protection, information management and cyber security.

Our firm has significant experience consulting in the fields of privacy and data protection law, among other things within the framework of M&A and investment transactions, commercial agreements, compliance surveys and risks. We advise managers and entrepreneurs regarding privacy by design. In addition, we advise managers in aspects of corporate governance in data management, and compliance with advanced regulations such as the GDPR, CCPA and HIPAA.