The draft Privacy Protection Regulations (instructions regarding data transferred to Israel from the European Economic Area)

Newsletter

Background

The Israeli Ministry of Justice has recently published for public comments a new draft of privacy protection regulations, aimed at regulating the retention and use of personal data transferred from the European Economic Area (EEA) to Israel (the “Draft Regulations”). The Draft Regulations are proposed in connection with the ongoing review process that the European Commission is currently conducting with regard to the recognition of Israel as a country which provides an adequate level of protection of personal data (Israel has been granted such recognition in 2011).

To this day, only 12 countries outside of Europe (including Israel) were recognized by the European Commission as providing such adequate level of protection.
The adequacy review process is conducted, among other things, in view of the entry into force of the GDPR (Europe Union’s General Data Protection Regulations) in 2018.

The Israeli Protection of Privacy Law, 5741-1981 (the “Privacy Law”) governs the protection of personal data. During the 40 years that have elapsed since its enactment (prior to the digital era) the Privacy Law has been amended on several occasions. Yet, it is viewed by many as somewhat outdated, especially given the substantial global legal developments with regard to privacy and data protection in the digital era.

As a part of its ongoing efforts to improve the level of protection of personal data and to keep up with the ever-increasing international standards, the Israeli Protection of Privacy Authority has published the Draft Regulations. The proposed Draft Regulations will apply only to data concerning individuals/citizens in the EEA/of the EEA, transferred to Israel from the EEA (except for information provided directly by the data subjects). Yet, one may assume that, eventually, the same standards shall apply to all personal data held and/or processed in Israel (irrespective of the origin thereof).

The main provisions of the Draft Regulations
The Draft Regulations impose four new primary obligations on owners/possessors of databases in Israel in connection with their retention and use of personal data transferred from the EEA (other than data which was directly provided by the respective data subjects):

(1)Data Deletion Obligation: Subject to certain common exceptions (e.g., compliance with applicable law, exercise of the freedom of expression and/or of the public’s right to know, protection of a public interest, conduct of legal proceedings, prevention of fraud, etc.), database owners must erase data in response to a request from the respective data subject, where the data was obtained illegally (or where the retention of such data has become illegal) and/or when such data is no longer required for the purposes for which it was originally obtained. This regulation establishes the “Right to Erasure” and corresponds with the provisions of Section 17 of the GDPR.

(2)Limitation on the Retention of Excess Data: A database owner is required to maintain a mechanism that will ensure the removal of data the retention of which is no longer required for the purposes for which it was originally collected (or for any other legal purpose). Yet, the retention of anonymized aggregated data is permissible. This regulation is inspired by the “Data Reduction Principle” and corresponds with the provisions of Section 5(e) of the GDPR.

(3)Data Accuracy Obligation: A database owner must operate a mechanism (organizational or technological) to ensure that the data in the database is accurate, updated, and complete, and where necessary, take reasonable measures required to modify the data or erase it.

(4)Notification Obligation: Subject to certain exceptions (related to confidentiality, legality, protection of third parties’ rights, etc.), an owner/possessor of a database is required to notify (whether directly or through the entity who provided such data to the database) any data subject whose information was imported into such database, that his or her data is now included in such database. Such notification shall be made within one month from the receipt of such data and shall include information and contact details of the owner/possessor of the database, information about the data which was provided, the use thereof and the data subject’s rights in connection thereof.

Moreover, the database owner/possessor must also inform data subjects in advance about any transfer of such data to a third party (and inform such data subjects of the identity and contact details of such third party).

In addition, the proposed regulations determine that data regarding a person’s origin or national affiliation, and data regarding membership in a labor union will be classified as “Sensitive Data”, as per the definition of the said term under Section 7 of the Privacy Law (and thus any database containing such information should be duly registered in accordance with the provisions of the Privacy Law).

Commentary
The current Draft Regulations are a modified (and less strict) version of a former draft (which was harshly criticized, among others, based on the assertion that such matters should be addressed by legislation – and not by regulation).

Yet, the fundamental criticism of such Draft Regulations has been, and still is, that data protection standards ought to be uniform and non-discriminatory: the expectation of privacy of Israeli (or other non-EEC) residents is no different from the expectations of EEC residents, and differential treatment of personal data appears to be morally, constitutionally and practically flawed.

Currently, as the new government has been just sworn in, it is yet to be seen how the new regime will address privacy matters in general and the Draft Regulations in particular.

 

*The review was written by Amir Zolty, Partner and Head of Hi-Tech Practice and Adv. Mary Lipnitsky, Technology. Corporate. M&A Department, with the assistance of  Roni Wohl.