News & Publications

On January 15, 2024 the EU Commission has issued a “REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC” (the “Report”). The Report includes the EU Commission’s decision to reconfirm Israel’s adequacy in relation to data protection. Based on its overall findings, the Commission has concluded that Israel continues to provide an adequate level of protection for personal data transferred from the EU.

By way of background, the adequacy status can be granted to a non-EU member state, following a review process conducted by the European Commission. Israel was first granted the adequacy status by the EU Commission back in 2011, and this status was also granted in the past to several other non-EU countries. According to the Report, the recognition that certain non-EU countries maintain a privacy framework and level of data protection that is essentially equivalent to the level of protection required under EU regulatory framework, promotes convergence between privacy systems based on high standards of protection. Moreover, adequacy decisions promote closer cooperation and further regulatory convergence between the EU and like-minded partners.

Following the entry into force of the GDPR in 2018, the EU Commission has conducted a re-examination of its adequacy decisions, and after a thorough professional examination procedure, the Commission has given its decision to maintain the adequacy status of Israel (together with other countries). 

According to the Report, the decision was based on the developments in the Israeli legal framework since the adoption of the 2011 adequacy decision, including legislative amendments, case law and activities of oversight bodies, which have contributed to an increased level of data protection. The Commission noted in particular, that Israel introduced specific safeguards to reinforce the protection of personal data transferred from the European Economic Area by adopting the Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023. Israel has also strengthened the requirements for data security by adopting the Privacy Protection (Data Security) Regulations, 5777-2017.  In addition, Israel consolidated the independence of its Data Protection Supervisory Authority (the Privacy Protection Authority) in a binding government resolution. 

The Commission also recommended enshrining in legislation the protections that have been developed at a sub-legislative level and by case law, referring to the Privacy Protection Bill (Amendment No. 14), 5722-2022 that has recently been introduced in the Israeli Parliament, as an important step to further strengthen the Israeli privacy framework. The Report notes that the Commission will closely monitor future developments in this area. 

This renewed acknowledgment of Israel’s adequacy status is of great importance to Israel economy, especially in relation to trade and research relations with the EU. This means that businesses and companies (as well as hospitals, research institutions, and public authorities) can continue to freely transfer personal data from European countries to Israel, without additional requirements imposed on the European entity that transmits the data or on the entity that receives the data in Israel, beyond the obligations stipulated under Israeli law. The adequacy status therefore allows for simple and convenient data transfers from the EU to Israel, without the need for incremental and resource-intensive mechanisms. 

It should be noted that the Commission’s decision abovementioned is expected to be brought before the EU Parliament and other EU institutions. 

For the Report of the EU Commission >> Click here

As always, we will be glad to provide any legal assistance and guidance regarding this matter, and all related legal aspects thereof, as may be required.