This post was written by Nick Tyler.
The EU Commission has recently approved Israel as a country providing “an adequate level of protection for personal data transferred from the European Union”.
This follows a lengthy process which was nearly derailed, after Irish Government objections, following the assassination in Dubai last January of a Hamas official allegedly committed by agents of Mossad, Israel’s Secret Service, and associated allegations of identity theft involving the passports of Irish (as well as UK) citizens.
Israel has now joined a very select band of countries, including Argentina, Canada and Switzerland, which have received the EU-data protection ‘seal of approval’. This group is likely to expand further in the coming months, with the expected addition of Uruguay following the positive opinion of the Article 29 Working Group in October last year (see our related blog post). The equivalent opinion on Israel was issued as long ago as December 2009.
Israel’s data protection regulator, ILITA (the Israeli Law Information and Technology Authority) has been formally recognised as an independent supervisory authority in spite of its links with the Israeli Ministry of Justice. In October last year ILITA hosted the International Conference of Data Protection and Privacy Commissioners in Jerusalem.
This Decision marks an important legal and commercial development as it enables the automated international transfer of personal data from the EU to Israel between corporate affiliates, or from European corporations to data processing operations in Israel. It also covers non-automated transfers of personal data that will be subject to further automated processing in Israel.
There are two restrictions on the scope of the Decision:
- It does not cover the non-automated transfer of manual data which is then processed in Israel by non-automated means.
- EU data protection regulators will monitor the effectiveness of ILITA when it comes to enforcing privacy and data protection laws in Israel, to verify that personal data transferred to Israel is adequately protected in practice. The rights of those EU regulators to suspend data flows to any particular recipient in Israel have been expressly reserved.
While this Decision provides a way past the legal obstacle that previously restricted the transfer of personal data from Europe to Israel, when it comes to other data protection compliance obligations it is important that clients operating, or otherwise conducting business, in Israel take appropriate legal advice and assistance on compliance with local laws.