Summary
Due to recent changes in global privacy and data protection laws, certain entities may be subject to both Israeli data protection laws and the European Union's General Data Protection Regulation ("GDPR"). These entities should be aware that while adopting a comprehensive GDPR compliance program may bring them closer to compliance with Israeli data protection laws, additional actions must be taken in order to be compliant with Israeli data protection requirements.
Introduction
2016 was a watershed year for global privacy, with major developments taking place in the area of personal data regulation worldwide. Most notably, the GDPR, which is effective as of May 25, 2018, is sweeping legislation which fundamentally alters data protection standards for the data of European Union ("EU") data subjects. As we've noted in prior client releases, applicability of the GDPR is determined on the basis of the location of the data subject, not on the basis of the location of the entity controlling or processing personal data. Therefore, Israeli entities that are physically present in Israel will, under certain conditions, be subject to obligations under the GDPR even where their activities are not physically conducted in the EU, for example when personal data of an EU data subject is processed in connection with goods or services offered to him or her, or where the behavior of individuals within the EU is monitored.
In parallel, significant developments have taken place in the sphere of Israeli data protection law. For example, as of May 2018 new data security regulations apply in Israel; these regulations include specific and exacting requirements with respect to data security which in certain ways exceed the formal requirements under EU law. That significant changes in Israel occur at the same time as core changes in Europe is not random. Since 2011 Israel has been recognized by the European Commission as guaranteeing an adequate level of protection for personal data, and thus Israel has appeared on the European Union 'white list' for data exports originating in Europe. This places Israel within the select number of jurisdictions so recognized and permits data transfers from European Union countries (and Norway, Liechtenstein and Iceland) to Israel on the same terms as intra-EU transfers, without the need for additional data transfer agreements or other procedural requirements. Israeli government authorities recognize the value of Israel's 'white list' designation, and have taken affirmative steps to bring Israel's data protection laws sufficiently in sync with those applicable in the European Union in an effort to protect that designation.
Many entities that are physically resident in Israel or otherwise subject to Israeli data protection laws have undertaken GDPR compliance efforts; these efforts often involve substantial investments of time and resources. Entities subject to Israeli data protection laws should note that there are substantial differences between GDPR compliance and Israeli law, with certain key obligations under Israeli law exceeding GDPR requirements. Additional steps will need to be taken to achieve compliance with Israeli privacy and data protection requirements.
Key Differences between Israeli Data Protection Requirements and GDPR
While a full comparison of Israeli data protection laws and the GDPR is beyond the scope of this alert, set forth below is a high-level description of certain areas in which Israeli law exceeds the requirements of the GDPR. Even entities that have implemented robust GDPR compliance programs will need to undertake additional efforts in order to be compliant under Israeli law.
- Data Security. The GDPR stipulates a general security principle which requires controllers and processors to take appropriate technical and organizational measures to ensure the level of security that is appropriate to the level of the risk. By contrast, the Israeli Data Security Regulations (2017) establish four categories of databases which vary according to data sensitivity, how data is used, the number of individuals having database access and the number of data subjects. These regulations include specific, granular requirements with respect to personal data collected and maintained in databases. Certain of these obligations exceed requirements under the GDPR.
- Data Export Restrictions. Subject to specific derogations, the GDPR permits exports of data to entities in jurisdictions that the European Commission has determined provide an adequate level of protection of personal data (i.e., that appear on the EU 'white list'), or where the data exporter provides adequate safeguards for the data; certain of these safeguards are spelled out in the GDPR. Under Israeli law, data exports from Israel must meet both a 'legal basis' requirement and a 'written undertaking' requirement, with the undertaking including a commitment to protect the data and not to transfer it onward to any other party, whether in the same country or in another. In many circumstances, data subjects will either need to consent to the data export, or the data recipient will need to commit to protect the information in accordance with Israeli law; other grounds legitimizing export under the GDPR are not available under Israeli law. In addition, while the GDPR permits data recipients to transfer data to sub-processors in certain cases, these subsequent transfers may violate Israeli law. Finally, for registered databases, data exports must be notified to the Database Registrar in the form of an update to the database registration form.
- Data Protection Officer. Under the GDPR, controllers and processors must designate a Data Protection Officer ("DPO") under certain circumstances. Similarly, under Israeli law, entities must appoint a "data security officer" (whose role is roughly equivalent to that of a DPO) in certain cases. However, there may be an obligation to appoint a data security officer under Israeli law where no comparable obligation exists under the GDPR, for example in the case of entities holding five or more databases requiring registration.
- Outsourcing. Under the GDPR, processing of data may be outsourced by a controller to a processor, subject to specific written agreements ensuring that the processor will process the personal data on behalf of and under the instructions of the controller and subject to specific data protection obligations. Additional specific terms must be added to agreements for the outsourcing of data processing activities in order to comply with Israeli law.
- Database Registration. The GDPR does not include the requirement of registration of a database. While the obligation to pay fees for database registrations was recently repealed, Israeli law still requires that certain databases be registered with the Database Registrar.
Who is subject to Israeli Data Privacy Laws?
While the GDPR by its terms stipulates that the law applies to organizations (including those situated outside the EU) which offer goods or services to, or monitor, individuals in the EU, Israeli law and court decisions do not definitively define the geographic scope of Israeli data privacy laws. Depending on the circumstances, it is possible that Israeli law may apply where any of the following are true: (i) servers are located in Israel; (ii) an Israeli person or entity controls how data may be accessed or used; (iii) data is processed in Israel; or (iv) data of Israelis is processed.
Enforcement and Penalties
Violations of Israeli privacy laws are subject to civil and criminal penalties and may be the subject of individual tort claims. The Israeli data protection authority has announced its intent to perform audits with respect to privacy compliance.
In addition, entities subject to Israeli data protection laws should take special note of a significant draft law that is currently pending before the Israeli Parliament. Proposed Amendment 13 to the Israeli Protection of Privacy Law (1981), if passed, will vest Israel's data protection authority, the Protection of Privacy Authority, with enhanced supervisory powers. It will also result in substantially higher penalties for Privacy Law violations, including fines of up to NIS 3.2 million, two percent daily increases for uncured breaches of law, double fines for repeat offenders and personal liability for officeholders in certain cases. If passed, the draft law, which is on a fast track to passage and has already been approved at first reading in the Knesset, will be a game-changer with respect to the consequences of failing to comply with Israeli data protection laws.
Recommendations
Due to the differences between the GDPR and Israeli data protection laws, entities that are subject to Israeli data protection laws are advised to take steps to ensure compliance with those laws, even where a robust GDPR compliance program is in process or in place. Increased penalties for data protection violations are likely to come into effect in Israel; if the pending amendment passes, the risk profile will increase substantially, and random audits by the Israeli DPA are expected to commence.