Israel was an early adopter of privacy and data protection legislation. The Protection of Privacy Law 1981 (Privacy Law) is the main Israeli law dealing with privacy,data protection and databases. In addition, privacy rights in Israel have held quasi-constitutional status since 1992 under the Basic Law: Human Dignity and Liberty.
The Privacy Law is supplemented by various regulations and court decisions. The Israeli Law Information and Technology Authority (ILITA) has functioned as Israel's data protection authority since 2006 and has issued a number of detailed directives. In addition, certain sector-specific laws provide additional protection for medical, genetic, psychological treatment, financial, credit and other information. Those familiar with data protection laws in the European Union will find certain core principles of Israeli data protection law extremely familiar; however Israeli law does have a number of unique characteristics.
Those familiar with data protection laws in the European Union will find certain core principles of Israeli data protection law extremely familiar; however Israeli law does have a number of unique characteristics.
The Privacy Law prohibits an infringement of the privacy of any person without that person's consent, it provides for both civil and criminal liability for an infringement of privacy, and it identifies a range of activities which, if carried out without consent, constitute breaches of privacy. These include the following, among others: breach of a legal or contractual privacy obligation, disclosure or use of personal information other than for the purpose for which it was provided, publishing matter obtained by means of a breach of certain privacy rights, publishing matter relating to a person's sex life, state of health or private conduct and harassment or spying on or tracking a person in a manner likely to harass.
The definition of "person" under the Privacy Law only includes natural persons. While the Privacy Law's privacy, data protection and database provisions do not by their terms apply to corporations or other legal entities, under case law corporations are entitled to limited privacy rights. A "database" is defined in the Privacy Law as "a collection of data, stored by magnetic or optical means and intended for computer processing."
Under the Privacy Law, personal data may be used only for the purpose for which it was provided, and data included in databases requiring registration may only be used for the
purposes for which the database was created as reflected in the Database Registry. This "purpose limitation" is the core principle of Israeli data protection law. By implication, use of data beyond the permitted purpose requires legal justification or the consent of the data subject (the individual to whom particular personal data relates). The Privacy Law defines "consent" as informed consent, whether express or implied.
Other key principles of applicable Israeli law include the following:
Notice Obligation: Solicitations of personal data that will be included in a database must be accompanied by a notice to the data subject which indicates (i) whether the data subject is legally obligated to provide the information or whether delivery is voluntary; (ii) the purpose for which the data will be used; and (iii) to whom the data will be delivered and for what purpose.
Database Registration: A database owner is required to register a database with the Registrar of Databases, ("Registrar") if the database: contains data about more than 10,000 people; contains sensitive data (currently defined as details regarding a person's personality,
private affairs, state of health, economic situation, opinions and faith); contains data about natural persons not provided by them, on their behalf or with
their consent; belongs to a public body; or is used for direct mail services.
Database registration entails filing an application containing information regarding the database and payment of an application fee and annual fees. A proposed law currently pending before the Israeli parliament (Knesset) would eradicate database registration requirements for most databases, and substitute accountability, internal documentation and notification requirements.
Data Security: Owners,holders and managers of databases are each responsible for data security. In addition, in certain cases a competent Security Officer must be appointed.
International Data Transfers
With respect of outbound data transfers from Israel, database information may only be transferred outside the State of Israel if the following two requirements are met: (1) there is legal basis supporting the transfers and (2) the database owner attains a written undertaking from the data recipient that such recipient will take sufficient precautions to protect the privacy of the data subjects and will not transfer the data any further. In accordance with the Privacy Law's regulations, there is a closed list of legal bases which may support such data exports. The most common legal bases used to support data exports are: (i) the transfer to a recipient within the European Union; or (ii) the data subject consents to the transfer; or (iii) a recipient's undertaking to toward the owner of the Israeli-based database to uphold the laws regarding data storage and use applicable to Israeli databases. The recently-introduced Privacy Shield framework provides a legal means for transferring data from the European Union to the United States. It is anticipated that transferring the data to a Privacy Shield certified entity in the U.S. will be sufficient to establish legal basis for purposes of data exports from Israel as well. However, as of the date of writing, ILITA has not yet issued an opinion on the matter.
With respect to inbound transfers to Israel, since 2011 Israel has been recognized by the European Commission as guaranteeing an adequate level of protection for personal
data, and thus Israel has appeared on the European Union "white list" for data exports originating in Europe. This places Israel within a selective number of jurisdictions recognized as such and permits data transfers from European Union countries to Israel on the same terms as intra-EU transfers, without the need for additional data transfer agreements or other procedural requirements.
Data Subject Rights: Data subjects have the right to inspect and correct their personal information maintained in databases, subject to certain exceptions.
Employee Data: Employees' personal data is subject to a heightened standard of protection under Israeli law and may be used only for essential interests or a legitimate purpose. Collection and use of employees' personal data must meet the proportionality test. Courts closely scrutinize consent given by employees in the context of their employment, so if an employer suggests that detrimental changes to an employee's conditions of employment will occur if consent is withheld, or the employee subjectively believes such detrimental changes may occur, an Israeli court may find that the consent was not freely given and is therefore invalid.
It is anticipated that transferring the data to a Privacy Shield certified entity in the U.S. will be sufficient to establish legal basis for purposes of data exports from Israel as well.
The monitoring of employees' email or their other use of technology is possible only under limited circumstances. A precedential decision by Israel's highest labor court in 2011 established the following stringent requirements for monitoring employees' use of computers, email, mobile devices and other workplace technologies. These include legitimate business purpose and proportionality requirements, extensive employee disclosure requirements, express employee consent, and an absolute ban on accessing personal emails without employee consent (on a case by case basis) or court order.
While statutory penalties for violations are lower than those under the European General Data Protection Regulation, a draft law currently pending before the Knesset would grant the Registrar additional investigatory, supervisory and enforcement powers, including the power to impose fines that are substantially higher than those currently authorized under the Privacy Law.
Historically, ILITA has focused its enforcement activities on illegal data use, data security breaches or the use of data in a manner not consistent with the purpose limitation. While most Israeli commercial entities were relatively uninformed regarding local privacy and data protection requirements during the earlier years of the Privacy Law, there is currently a substantially higher level of awareness of privacy and data protection obligations and most sophisticated companies are making greater efforts to comply.
Yigal Arnon & Co.
Yoheved Novogroder-Shoshan, Special Counsel
Yigal Arnon & Co., one of the most prominent law firms in Israel, provides a full range of legal services to a wide ranging client base,including Fortune 500 and other major global companies,local and foreign banks,financial institutions,venture capital and private equity funds, emerging growth companies, investor groups, government entities, and individuals.
We represent clients in a wide variety of industries, including technology (internet & mobile, IT, Internet of Things, cybersecurity, fintech, semiconductors, data privacy) life sciences (digital health, pharmaceuticals, biotechnology, medical devices), energy (including oil & gas, solar power and cleantech), as well as banking, insurance, real estate, telecommunications, transportation & aviation, and consumer products.
With a proven track record of innovation and success in meeting clients' needs, we combine the expertise of a specialty boutique practice with the advantages of a well-resourced multidisciplinary law firm.
A substantial part of Yigal Arnon's practice is international in scope. We act as lead counsel in international transactions, including M&A transactions, strategic alliances, venture capital and private equity transactions, joint ventures, public and private financings, corporate and debt restructurings, tax, distributorships, franchises, real estate investments, and more.
Given the international experience and training of many of our lawyers, we are especially active in the U.S., the UK, Europe, as well as in China, India, Japan and Australia.
Yoheved Novogroder-Shoshan focuses on technology law, intellectual property, corporate partnering and privacy and data protection issues.
Yoheved has vast experience in sophisticated licensing transactions, technology transfer arrangements, development and supply arrangements, distribution agreements and other commercial transactions, with a particular focus on the life sciences sector.
Yoheved advises clients in connection with a wide range of database and privacy matters, including the collection and use of personal information, management of databases, cross-border transfers, email marketing, commercial transactions having privacy and data protection implications, and privacy compliance investigations.
Regularly quoted in the press and ranked in the international legal directories, Yoheved's particular experience ensures she is first port of call for high profile clients in need of privacy advice or operating in the fields of life sciences, telecommunications, software or e-commerce.
www.arnon.co.il office: + 972-2-623-9200 firstname.lastname@example.org