On 31 January 2011, Israel became the most recent addition to the European Commission’s list of non-EEA countries offering ‘adequate protection of personal data’, joining Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Jersey and Switzerland (and the US’s Safe Harbor regime). The finding of adequacy issued by the Commission is limited to automated data transfers to Israel, and non-automated transfers of data which are then subject to automated processing once in Israel (but may well be expanded to cover manual processing in the future).
This is good news for Israeli businesses, and those with Israeli group companies and subcontractors, as data exports from Europe to Israel will now be free from the requirements Model Clauses contracts or Binding Corporate Rules (as would generally be needed for European law compliant data transfers to Israel). Whilst this free export of data is of course subject to compliance with the various other (non-export related) aspects of applicable local privacy law (processing of the data cannot exceed the purposes for which the data was originally collected, for example), it will make transfers of data from European companies to Israeli affiliates (or service providers) much easier.
Businesses and consumers should also feel more confident in dealing with Israeli service providers, as the application of local data protection laws will be closely monitored by both Israeli and European level regulators, as they check that the data protection safeguards are up to standard in practice.
This finding of adequacy has been a long time coming for Israel, which initiated the process in 2007, and has overcome political objections raised by Ireland over concerns of how Israeli officials may use the personal data. It currently looks like New Zealand may be next in line, with recent changes to its data privacy legislation being pushed through to open the way to a favourable decision by the European commission – watch this space.