Israeli companies are growing at an exponential rate. As they continue to expand globally, they need to be mindful of the ever-expanding worldwide network of data privacy laws and regulations.
It is critical that Israeli companies adequately safeguard their customers’ personal information and effectively manage cross-border data flows, as well as address their legal risks and responsibilities vis-à-vis this continually expanding set of rules.
To learn about eight privacy issues Israeli companies should be thinking about, read on.
1. Privacy is a global issue (and still alive)
Privacy (or at least privacy law) has been declared dead innumerable times. But legislators worldwide are working hard to make privacy law more alive and ubiquitous than ever by adopting new laws and modernizing old ones.
The European Union has always been considered a precursor in this field, having adopted arguably some of the world's strictest data protection rules in the mid-1990s. In recent years, however, we have witnessed a significant increase in privacy and data protection laws all over the world, for instance in South Korea, Singapore and Hong Kong. Also in the United States, a push for privacy is noticeable; a current topic of debate both at the state and federal level concerns the introduction of adequate data protection laws. Another, more exotic example is the new Russian law on data localization, which requires all data operators to ensure that essentially all recording, processing and storage of personal data of Russian citizens is done using databases located in Russia.
Such privacy laws often have a very broad territorial scope and may apply to Israeli companies, even companies without an establishment in any of those countries. In other words, Israeli companies may have to comply with a patchwork of different national privacy laws. It is therefore vital that they proactively identify and assess the legal risks associated with the volume and type of data they process in order to implement the necessary operational measures and legal requirements (internal and external privacy policies, data processing agreements, data transfer agreements, etc.).
Another illustration of the rising global awareness regarding privacy issues: the recent appointment of a UN special rapporteur on the right to privacy, whose extensive mandate includes setting the standard for the digital right to privacy and who, in one of his first interviews since his appointment, has called for a Geneva Convention-style law for the internet to safeguard data and combat the threat of clandestine digital surveillance.
2. Stronger enforcement
National data protection authorities are increasingly making use of their enforcement powers as well.
Given the broad reach of data protection legislation, Israeli companies may be subject to enforcement actions by foreign regulators. Recently, several data protection authorities of EU member states have taken legal action against major US companies. For instance, in Germany, a US search engine has been sentenced to a €145,000 fine after its cars were found to be capturing traffic data related to private Wi-Fi networks, and in Belgium, a major US social network has recently been ordered to stop profiling Belgian non-users of its services when they navigate third-party websites, under a heavy penalty of €250,000 for each day it does not comply with the judgment. In the UK, the national data protection authority has imposed a fine of £250,000 on a games console maker following a cyber-attack against its gaming network which compromised the personal data of millions of customers, including payment card details. In the US, the Federal Trade Commission has the authority to act against companies that fail to make reasonable efforts to protect consumers' personal information. Businesses were recently reminded of this power when the FTC prevailed in court against an international hotel chain it had sued for failing to adequately safeguard its computer network, allowing hackers to steal customer data.
3. Data breaches
Recent data breaches of high-profile businesses show that associated risks include not only regulatory fines but also major class action lawsuits, negative press coverage, drops in stock prices and a loss in consumer trust.
It goes without saying that Israeli companies should, first of all, make sure to secure personal data by proactively implementing and maintaining appropriate technical and organizational safeguards against data breaches.
They must also be well prepared for worst-case scenarios. It is key to keep extensive internal records in order to be able to demonstrate your compliance with security requirements. Furthermore, in many countries authorities have to be notified immediately when a data breach occurs. Therefore, an internal action plan is of the utmost importance in order to guide companies through the important and hectic moments immediately following a data breach.
4. Big changes are on the way in Europe
Since 2012, EU policy makers have been working on new data protection legislation, the so-called General Data Protection Regulation. Negotiations have now entered their final stage and it is expected that the final text will be adopted by the end of 2015. After a two-year transitional period, the Regulation will start to apply.
The aim of the new Regulation is to modernize the current rules and to create one single piece of legislation that applies directly in all 28 European member states.
The territorial scope of these rules will be significantly broader than the current rules. It will be sufficient for Israeli companies to target European citizens by offering goods or services to them or by monitoring their behavior in order to fall within the scope of the future Regulation. Taking into account the potential fines of up to 5 percent of an enterprise's worldwide turnover, companies simply cannot afford to ignore these rules.
5. Israel appears on the "white list" of the European Commission
Both the current and the future legal framework contain strict rules which generally prohibit the international transfers of personal data, i.e. transfers from the European Economic Area (EEA) to third countries, unless additional safeguards are provided.
Since Israel is deemed to offer adequate protection, being one of the few countries appearing on the "white list" of the European Commission, transfers of personal data from the EEA to Israel are in principle not hindered by these rules. However, it should be stressed that being included on this list does not release Israeli companies from compliance with the European data protection obligations, such as the application of the general principles of transparency, legitimate purpose and proportionality, when they transfer personal data across Europe.
Further, in a recent landmark decision, the Court of Justice of the European Union ruled that every national data protection authority has the right to examine whether such a country does indeed provide an adequate level of protection. This ruling substantially lowers the degree of legal certainty offered by the Commission's white list. In the aftermath of this court ruling, the Israeli data protection authority also decided that Israeli companies may no longer rely on the so-called Safe Harbor framework for their transfers of personal data from Israel to the US. Israeli companies transferring personal data to the US should seek legal advice as to how they can adequately protect themselves while this area of the law is in flux.
In any case, Israeli companies should bear in mind that when they transfer personal data from the EEA to third countries, the EU restrictions on data transfers will fully apply.
6. Big data
During the past year, authorities worldwide, ranging from the European Working Party 29 (an advisory body on data protection composed of all EU data protection authorities), to the Obama Administration and the International Data Protection and Privacy Commissioners Conference, have published guidelines and resolutions in which they emphasized that data protection rules continue to apply fully in a big data context if personal data are analyzed.
This may be problematic, since big data, which often involves the reuse of massive amounts of information, challenges some key privacy protection principles, such as the principle of purpose limitation (i.e. personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes) and the principle of data minimization (i.e. the data collected should not be excessive in relation to the purpose and not be retained longer than necessary).
It is recommended that Israeli companies that offer data analytics services consider seeking legal advice on how to offer their services in a privacy-compliant way. Using appropriate anonymization techniques may help, but this approach is not a cure-all. We also recommend that such companies closely monitor the legal developments in this area.
7. Privacy by design
Privacy by design is a concept originally developed in the 1990s by the Information and Privacy Commissioner of Ontario, who defines privacy by design as “an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures.” This concept has started to find its way into data protection legislation; for instance, the upcoming EU data protection regulation enshrines privacy by design as one of its core principles.
In practice, this means that companies will have to develop new products or services in a privacy-friendly way which ensures compliance with data protection legislation by embedding key privacy-by-design principles, such as data minimization, transparency and appropriate storage terms of data, into the very process of product/services development. To ensure such compliance, we strongly recommend that companies build in legal counsel as part of the development process, from the outset. By starting right now to embed the privacy by design principle in their products and services, Israeli companies may be able to turn this future legal obligation into a competitive advantage.
8. Internet of Things
The Internet of Things is the constellation of objects with built-in wireless connectivity: all the personal devices, from watches to cars, able to connect users to the Web wherever they are. The success (or failure) of the Internet of Things will be closely tied to the enormous privacy and security challenges these technologies raise.
In such an environment in which massive amounts of data are created and collected 24/7, building customer trust and confidence will only be possible by respecting the highest privacy standards. Israeli companies that address these mounting issues with sensitivity and thoroughness will be ahead of the game.