The Israeli Ministry of Justice has recently published for public comments a new draft of privacy protection regulations, aimed at regulating the retention and use of personal data transferred from the European Economic Area (EEA) to Israel (the “Draft Regulations”). The Draft Regulations are proposed in connection with the ongoing review process that the European Commission is currently conducting with regard to the recognition of Israel as a country which provides an adequate level of protection of personal data (Israel has been granted such recognition in 2011).
To this day, only 12 countries outside of Europe (including Israel) were recognized by the European Commission as providing such adequate level of protection.
The Israeli Protection of Privacy Law, 5741-1981 (the “Privacy Law”) governs the protection of personal data. During the 40 years that have elapsed since its enactment (prior to the digital era) the Privacy Law has been amended on several occasions. Yet, it is viewed by many as somewhat outdated, especially given the substantial global legal developments with regard to privacy and data protection in the digital era.
As a part of its ongoing efforts to improve the level of protection of personal data and to keep up with the ever-increasing international standards, the Israeli Protection of Privacy Authority has published the Draft Regulations. The proposed Draft Regulations will apply only to data concerning individuals/citizens in the EEA/of the EEA, transferred to Israel from the EEA (except for information provided directly by the data subjects). Yet, one may assume that, eventually, the same standards shall apply to all personal data held and/or processed in Israel (irrespective of the origin thereof).
The main provisions of the Draft Regulations
(1)Data Deletion Obligation: Subject to certain common exceptions (e.g., compliance with applicable law, exercise of the freedom of expression and/or of the public’s right to know, protection of a public interest, conduct of legal proceedings, prevention of fraud, etc.), database owners must erase data in response to a request from the respective data subject, where the data was obtained illegally (or where the retention of such data has become illegal) and/or when such data is no longer required for the purposes for which it was originally obtained. This regulation establishes the “Right to Erasure” and corresponds with the provisions of Section 17 of the GDPR.
(2)Limitation on the Retention of Excess Data: A database owner is required to maintain a mechanism that will ensure the removal of data the retention of which is no longer required for the purposes for which it was originally collected (or for any other legal purpose). Yet, the retention of anonymized aggregated data is permissible. This regulation is inspired by the “Data Reduction Principle” and corresponds with the provisions of Section 5(e) of the GDPR.
(3)Data Accuracy Obligation: A database owner must operate a mechanism (organizational or technological) to ensure that the data in the database is accurate, updated, and complete, and where necessary, take reasonable measures required to modify the data or erase it.
(4)Notification Obligation: Subject to certain exceptions (related to confidentiality, legality, protection of third parties’ rights, etc.), an owner/possessor of a database is required to notify (whether directly or through the entity who provided such data to the database) any data subject whose information was imported into such database, that his or her data is now included in such database. Such notification shall be made within one month from the receipt of such data and shall include information and contact details of the owner/possessor of the database, information about the data which was provided, the use thereof and the data subject’s rights in connection thereof.
Moreover, the database owner/possessor must also inform data subjects in advance about any transfer of such data to a third party (and inform such data subjects of the identity and contact details of such third party).
In addition, the proposed regulations determine that data regarding a person’s origin or national affiliation, and data regarding membership in a labor union will be classified as “Sensitive Data”, as per the definition of the said term under Section 7 of the Privacy Law (and thus any database containing such information should be duly registered in accordance with the provisions of the Privacy Law).
Yet, the fundamental criticism of such Draft Regulations has been, and still is, that data protection standards ought to be uniform and non-discriminatory: the expectation of privacy of Israeli (or other non-EEC) residents is no different from the expectations of EEC residents, and differential treatment of personal data appears to be morally, constitutionally and practically flawed.
Currently, as the new government has been just sworn in, it is yet to be seen how the new regime will address privacy matters in general and the Draft Regulations in particular.