By Ariel Yosefi, Firm: Herzog, Fox & Neeman
The GDPR has had a significant effect on data protection in Israel, with organisations with links to the EU working to ensure compliance and the adoption of a similar local regulatory regime in 2017.
The GDPR has significantly affected the Israeli regulatory environment in five main aspects; some are direct while the others are indirect.
1. In most cases, Israeli companies with a local operational presence in the EU or with a remote offering that is directed to the EU are subject to the GDPR’s territorial or extraterritorial reach. Consequently, such companies have been working on complying with the GDPR’s requirements in the past two years.
2. While in many cases local Israeli branches of multinational companies are not directly subject to the GDPR, as their employees and operations are focused on the Israeli market, these companies have been required to comply with global data protection policies which have been adopted by their global management, effectively requiring them to comply with many material aspects of the GDPR.
3. Similarly, Israeli service providers that process personal information of EU-based data controllers are subject to contractual requirements applying the material GDPR requirements, even when these service providers are not directly subject to the GDPR.
4. Israel has been recognised by the European Commission as an adequate jurisdiction for processing personal information, which allows a straight-forward movement of personal data between controllers and processors in both jurisdictions. This recognition was adopted pursuant the previous data protection regime in the EU, and while it continues to apply under the current regime, there are public discussions among regulators and scholars regarding the possibility of losing this important recognition when it is re-reviewed by the EU, considering the significant developments in the regulatory environment in the EU, with which Israeli law has not fully caught up.
5. The GDPR introduced an updated and significantly comprehensive data protection regulatory regime, which has to some extent affected the legislative review of the regime in Israel, as well as the regulatory approach. The GDPR indirectly affected the enactment of the Israeli Protection of Privacy (Data Security) Regulations in 2017, which entered into force at the same time as the GDPR and adopted requirements that are partially similar to the GDPR’s in some aspects, mainly data security and data processing management. The global effect of the GDPR has also indirectly affected the Israeli Data Protection Authority in its regulatory approach with respect to the enforcement of the new Regulations, as well as in enhancing its collaboration with EU-based data protection authorities in the context of GDPR enforcement on Israeli-based companies that are subject to the GDPR’s territorial or extraterritorial reach.