ILITA (Israeli Law Information and Technology Agency), which sits within the Israeli Ministry of Justice, has announced that companies and other entities can no longer rely on the EU’s “Safe Harbor” framework as a basis for transferring personal data from Israel to the United States. This statement follows the landmark October 6, 2015 decision by the European Court of Justice (CJEU) in Schrems v. Data Protection Commissioner, which invalidated (effective immediately) the Safe Harbor program permitting companies to transfer personal data from the EU to the U.S. through self-certification of compliance with EU privacy standards. The Schrems and ILITA decisions have far-reaching implications for business, technology, and trade.
A full analysis of the Schrems case can be found in a previous Client Alert. In short, EU privacy laws generally prohibit the transfer of personal data to non-EU countries, including the U.S., that are deemed to have inadequate data protection measures. The Safe Harbor program, established in 2000, had allowed U.S. companies to transfer personal data from the EU to the U.S. by self-certifying compliance with EU privacy standards. In Schrems, the CJEU effectively terminated the Safe Harbor program after determining that program rules had not been consistently and appropriately followed by U.S. companies and that the program had not adequately protected personal data of EU citizens from U.S. intelligence agencies. As the Article 29 Working Group of EU data protection officials warned on October 16, 2015, “transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.”
Israel’s privacy regulations, like EU privacy laws, generally prohibit the transfer of personal data to countries deemed to have inadequate data protection regimes. One exception to this rule is that data may be transferred outside Israel if such transfers would be permitted under EU privacy regulations. Thus, companies certified under the EU Safe Harbor program had been deemed by Israel to be “safe” for data transfer, even if the companies were based in countries (like the U.S.) that were insufficiently protective of privacy. However, given the CJEU’s recent Safe Harbor invalidation, it is now ILITA’s position that the Safe Harbor program can no longer serve as a basis for the legal transfer of personal data from Israel to the U.S.
At present, companies should clearly not transfer personal data from Israel to the U.S. under the Safe Harbor program. EU Model Clauses and binding corporate rules continue to be effective for data transfers to the U.S. from the EU – and therefore from Israel as well – but there is a risk that these mechanisms, like the Safe Harbor program, may be invalidated on the grounds that data in the U.S. is vulnerable to U.S. governmental surveillance activities. Thus companies should consider other alternatives, including individual consent, strong encryption, and a change of server location. Until a new Safe Harbor program or other mechanism is negotiated, companies with U.S. ties are advised to review the sources and types of information they (and their vendors) collect, store, and transmit to determine how the CJEU decision affects them. Compliance is required immediately.