One of the key privacy protection issues in Israel is whether and to what extent the activities of an Israeli company may be subject to foreign privacy protection laws. This question has become of critical importance since the enactment of the General Data Protection Regulations in the European Union. These regulations herald the implementation of a strict regime that (according to the EU) also applies to foreign companies, even if they have no presence in the territories of the EU.
Is it possible to find a legal argument to refute such an application? Google recently filed a motion with a US court to receive an injunction against a judgement handed down by the Canadian Supreme Court, which ruled that Google must remove, on a global basis, the search results for products that infringe on copyrights. According to Google, such a judgement, which purports to apply outside Canadian jurisdiction, contravenes US law and, therefore, cannot be allowed.
Google’s argument may also be applied to Israeli companies, who could argue that the European General Data Protection Regulations cannot be applied to the activities of foreign companies who have no presence in the jurisdiction of the European Union. This argument is appealing and has a legal foundation that cannot be ignored. Israeli courts may concur and, as such, nullify the application of the GDPR on Israeli companies that have no presence in the European Union.
The problem, however, is that such a ruling may end up being a Pyrrhic victory. In the final analysis, if an Israeli company violates the European Union’s data protection laws, regardless of whether or not it has a presence in its jurisdiction, ignoring this violation and its associated implications will deal a severe blow to the company in practical terms, whether because its business partners inside the EU will be forced to sever commercial relations with it, or because of civil suits that might be filed against the company and administrative sanctions that might be imposed on it, with all that this implies.