On 31 January 2011, EU Commission Decision 2011/61/EU (the “Decision”) held that Israel ensures an adequate level of protection to allow for the transfer of personal data to Israel from EU Member States, without additional guarantees being necessary. This decision of the Commission is binding on EU Member States and should be read in conjunction with Directive 95/46/EC (the “Directive”) and Ireland’s Data Protection Acts 1988-2003.
The Directive allows for the transfer of personal data to non-EU countries, if the non-EU country ensures “an adequate level of protection”. In addition, before transfer, the individual EU Member State’s laws implementing the Directive must be complied with.
The Commission has decided that Israeli law, comprised of the Israeli Basic Law’s protection of privacy combined with the Privacy Protection Act 5741-1981, as well as the independent supervision carried out by the Israeli Law, Information and Technology Authority (“ILITA”) provides “an adequate level of protection”. Other countries which have been deemed to provide an adequate level of protection include Argentina and Switzerland.
However, it should be noted that this Decision applies only to automated international transfers of personal data, or non-automated transfers (manual transfer) where the personal data is subject to further automated processing in Israel.
Please note that the Decision defines Israel “in accordance with international law” and “without prejudice to the status of the Golan Heights and the West Bank, including East Jerusalem, under the terms of international law”. Therefore if it is intended to transfer personal data to one of these areas listed, best practice would require that a more detailed analysis be conducted.