Reporting from Israel, legal consultant Dr. Omer Tene writes:
On January 31, 2011, the European Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive. The decision is restricted to automated international data transfers from the EU, as well as to non-automated data transfers that are subject to further automated processing in Israel. It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel.
Israel joins a select group of countries, including Argentina, Canada, Switzerland, Andorra and several English Channel Islands, which have obtained similar status. A separate arrangement governs data transfers from the EU to the U.S. under the Safe Harbor framework.
The decision is the culmination of a three-and-a-half year process, which included an examination by the European Commission of Israel’s laws, regulations and data protection enforcement. It follows the positive opinion of the Article 29 Working Party concerning the level of protection under Israeli law.
The decision marks a great success for Israel’s data protection regulator, the Israeli Law, Information and Technology Authority (“ILITA”), which was recognized as an independent supervisory authority despite its links to the Israeli Ministry of Justice. However, it also imposes a burden, since enforcement of privacy and data protection in Israel will now be followed closely by EU regulators seeking to verify that data originating from their country and sent to Israel is indeed protected. The decision expressly provides that “the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in the State of Israel in order to protect individuals with regard to the processing of their personal data…where there is a substantial likelihood that the standards of protection are being infringed, [and] there are reasonable grounds for believing that the competent Israeli authority is not taking or will not take adequate and timely steps to settle the case at issue…”
Data controllers and processors active in Israel should take adequate measures to comply with local privacy and data protection laws.