An increasing number of businesses and individuals store their data on remote servers, known as ‘clouds.’ The cloud storage industry is evolving so rapidly that cloud service providers need more guidance from data protection authorities and the law to help them ensure compliance. Yoheved Novogroder-Shoshan, Partner at Yigal Arnon & Co., discusses some of the challenges facing cloud service providers and consumers in Israel in the absence of such guidance.
2016 was a watershed year for global privacy, with major data protection developments worldwide. Surprisingly, while Israeli companies are leaders in technological innovation, in many ways the Israeli privacy laws that purport to regulate such innovations are old, technologically irrelevant and devoid of any meaningful guidance to the industry on how the laws are to be applied in the real world.
This dichotomy of technological advancement accompanied by regulatory antiquation is particularly striking in the cloud computing arena. Israeli companies are both leading providers of cloud based services and avid consumers of such technologies. Israel’s data protection laws are in need of modernisation to accommodate the cloud-based services that are a mainstay of the Israeli business environment. The lack of regulatory guidance creates challenges for both providers of cloud based services and Israeli businesses seeking to use these services.
Cloud services in Israel
Israeli companies ofer a wide range of cloud-based services, in areas of security, including IT management, mobile applications, quality solutions, business intelligence, enterprise solutions (such as CRM, ERP, collaborative applications, HR management applications), industryspecific solutions as well as enablement or management solutions such as security and performance. In January, Oracle Corp. announced the creation of an Israeli start-up accelerator focused on cloud innovation, the second such centre to be founded globally, demonstrating faith in the Israeli cloud technologies ecosystem.
Understanding the laws applicable to Israeli providers and consumers of cloud based technologies requires a basic familiarity with the structure and content of the Israeli privacy regime. Israel was an early adopter of privacy regulation, and has had a national data protection law for over 35 years. The foresight of Israeli legislators, while admirable, was not followed by significant updates to the law in several key areas, resulting in a data protection regime that is ill-suited to the cloud-based technologies heavily relied upon by Israeli technology and leaves Israeli based cloud service providers without much-needed guidance.
Israel’s primary data protection law is the Protection of Privacy Law, 5741 - 1981 (‘the Privacy Law’). The Privacy Law is supplemented by various regulations as well as sector-specific laws that apply to medical, genetic, financial, credit and other information. Underscoring the primary importance ascribed to privacy by Israeli legislators, the Privacy Law’s protections are supplemented by the quasi-constitutional Basic Law: Human Dignity and Freedom 1992 (‘the Basic Law’), which recognises the right to privacy as a fundamental human right. The Basic Law provides that ‘every person is entitled to privacy and to the confidentiality of his life’ and ‘there shall be no infringement of the confidentiality of a person’s conversations, correspondence and writings.’
The Israeli Law Information and Technology Authority (‘ILITA’) has functioned as Israel’s data protection authority since 2006 and serves as the Registrar of Databases (‘Registrar’). ILITA has issued a number of detailed directives which, at the very least, are indicative of ILITA’s interpretation of applicable law, and are indicative of potential ILITA enforcement activities. During the early years following its formation ILITA had a higher level of engagement and communication with local industry, making itself available at public forums and providing informal indications of its view of existing law and enforcement priorities; this activity has waned somewhat in recent years.
Privacy and databases
The Privacy Law includes general privacy provisions, as well as provisions specifically applicable to databases. The privacy provisions prohibit an infringement of the privacy of any person without that person’s consent, provides for both civil and criminal liability for an infringement of privacy, and identifies a range of activities which, if carried out without consent, constitute privacy breaches.
‘Person’ under the Privacy Law only includes natural persons. However, while the Privacy Law’s privacy, data protection and database provisions do not expressly apply to corporations or other legal entities, under case law corporations are entitled to limited privacy rights.
In addition to the privacy provisions described above, the Privacy Law provides a detailed regime for the regulation of databases. The Privacy Law defines a ‘database’ as ‘a collection of data, stored by magnetic or optical means and intended for computing processes,’ with certain databases not intended for commercial use exempted from the definition. ‘Data’ is defined in the Privacy Law as details regarding a person’s personality, personal status, private afairs, state of health, economic situation, professional qualifications, opinions and faith. The Israeli Supreme Court interprets the term ‘data’ broadly, and the term ‘private afairs’ is often construed by Israeli courts as encompassing various types of personal information that are not specifically mentioned in the definition above. Thus, the Israeli Supreme Court’s decisions have held that a person’s address, telephone number, bank account information, national ID number and IP address are all deemed to be data under the Privacy Law. Since ‘person’ under the Privacy Law refers to natural persons, collections of data that do not relate to a ‘person’ are not deemed to be ‘databases’ under the law and are not subject to the its database provisions. As such, a collection of data that contains information solely regarding corporate entities would not be deemed to be a ‘database’ under the Privacy Law. However, if the collection of data includes data regarding individuals associated with those entities, or information regarding other individuals, the collection of data would be deemed to be a database for purposes of the Privacy Law. Most collections of data used for commercial purposes, for example, cloud-based CRM solutions favoured by Israeli businesses, are likely to be subject to this database framework even where most or all of the customers are corporate entities and not individuals.
As mentioned above, the Israeli legal regime creates certain challenges when applied to the cloud context.
Cloud challenge #1: Territorial application; when is a database subject to Israeli database laws?
Unlike the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and certain other national data protection laws, the Privacy Law and supplemental regulations are silent on the law’s territorial scope. To date, ILITA has not issued guidance on this point. While for many years ILITA has indicated that it is preparing guidance as to the application of Israeli law in the cloud computing context, at the time of writing, no such guidance has been issued and the timeframe for issuing such guidance is unclear.
In the absence of firm guidance from the regulator, it is possible that four factors would be relevant to the question of whether a database stored in the cloud is subject to Israeli law:
1. Server location - are the servers physically located in Israel?
2. Location of database owner/controller - does an Israeli company hold legal authority to direct access to, and use of, the database, or is the company’s management based in Israel?
3. Location of processing - are the database administrator or individuals who actively process data on a regular basis based in Israel? and
4. Data subjects - are there Israeli data subjects?
If this four factor test were to be applied, when an Israeli entity engages a cloudbased service provider, the resulting database would be subject to Israeli legal protections regardless of where the cloud service provider is located. The situation is somewhat more complex when the provider of cloud-based services is located in Israel. Under that scenario, factors (1) and (3) may or may not be met, depending on where servers are located and where processing activities are performed. Similarly, factors (2) and (4) may or may not be satisfied, depending on the location of the customer and data subjects. The Privacy Law gives providers and consumers of cloud-based services virtually no guidance as to the key question of territorial application of Israeli database laws and responsibilities thereunder.
Cloud challenge #2: data export restrictions
Israeli law restricts international data exports, and ‘subsequent transfers’ from data recipients outside Israel to others are strictly prohibited. The extent to which these data transfer restrictions apply in the cloud context is not clear. Consider the case of an Israeli-based cloud service provider - when the provider’s non-Israeli customers use their own data stored on servers outside of Israel, have these entities violated Israeli database laws? ILITA has not addressed this question. Such application of the data export regulations would appear to be illogical.
One advantage held by Israeli cloud services providers is the EU’s adequacy decision. Issued in 2011, the adequacy decision declared that Israel’s domestic law provided an adequate level of protection for personal data. Israel’s inclusion on the EU’s ‘white list’ of countries providing adequate levels of data protection enables the transfer of personal data from the EU to Israel without the need for special arrangements such as standard contractual clauses or Binding Corporate Rules; for the purposes of EU privacy law, data transfers from the EU to Israel are treated as substantially equivalent to transfers from one EU country to another. Shortly following the EU adequacy ruling, the then-incumbent Registrar publicly stated that ILITA would not enforce data transfer regulations for data exports to EU-based data owners who had transferred data to Israel.
However, this statement was not made part of any ofcial guidance. We would hope that ILITA would take the same approach with respect to non-Israeli consumers of cloud services provided by Israeli companies, regardless of where the consumers are located.
Cloud challenge #3: database registration
Israel has a mandatory database registration requirement, which poses particular challenges to Israeli providers of cloud-based services. Database owners must register databases with the Registrar, where any one of the following conditions is met:
1. the database contains data about more than 10,000 people;
2. the database contains sensitive data;
3. the database contains data about natural persons not provided by them, on their behalf or with their consent;
4. the database belongs to a public body; or
5. the database is used for direct mail services.
Since all financial data, health data, or other data regarding a person’s personality, private afairs, opinions or faith and government-issued personal identification numbers are all considered sensitive data, the registration requirement applies to many databases that do not meet the 10,000 data subject threshold.
The registration requirement raises a number of questions. For example, when an Israeli company provides cloudbased storage or processing services, are non-Israeli customers obligated to register the relevant databases in Israel? Applying the registration requirement in this manner would destroy international demand for these services. In addition, while database registration is the responsibility of the database owner, Section 8(a) of the Privacy Law provides that it is prohibited to ‘hold’ a database that must be registered pursuant to Section 8 of the Privacy Law unless the database has been registered or a registration application has been submitted and no response has been received within the statutory period. ILITA has taken an expansive view on what entities are considered database ‘holders’ and has indicated that entities providing storage services are deemed database holders for purposes of the Privacy Law. Are Israeli cloud storage service providers in violation of the law if their non-Israeli customers have not registered the stored databases in Israel in accordance with Israeli law? The Privacy Law does not provide guidance on this point. The requirement to register these databases would seem to be unduly burdensome and onerous, and inconsistent with the rationale behind the registration obligation. While a draft law currently pending before the Israeli Parliament would abolish the database registration obligation for the clear majority of databases, the questions above would remain with respect to the narrower class of registrable databases.
Admittedly some of the challenges described above are not unique to Israel. It has been argued that the GDPR, which will come into force in May 2018, presents significant challenges to EU-based cloud service providers. What is clear is that the world has changed dramatically in the 35 years since the Israeli Privacy Law was enacted. For the befit of the Israeli cloud service ecosystem and the myriad of Israeli companies utilising cloud based services for HR management, ERP and other services, the time has come for ILITA to provide much-needed guidance on how these services may be provided and used in compliance with Israeli laws.