In the pre-GDPR era, Israel was recognized as affording “adequate” protection of privacy, which enabled the transfer of personally identifiable information (“PII”) between the EU and Israel. Israel’s Protection of Privacy Law (and related regulations) (the “Law”) is falling behind the high standards that were set by the GDPR. The historic recognition of “adequacy” still stands; however, it is being examined. Should this recognition be revoked, additional measures will need to be implemented in order to lawfully transfer personal data from the EU to Israel. The recent decision in the Schrems II case, in which the “Privacy Shield” arrangement (enabling EU-US transfer of PII) was revoked, is another indication that the EU requires a certain threshold of protection of PII, and countries that are not able to cross it will have great difficulty doing business with the EU.
In light of the above, a new draft bill was published on Thursday night for public comments. It serves as an incremental step towards Israel’s alignment with the GDPR framework and is intended, inter alia, to help maintain Israel’s adequacy recognition. However, this is only one step and additional revisions should be made to the current Law in order to properly protect personal data in the current technological era.
The draft bill adds or updates certain basic definitions: “information”; “information having special sensitivity” (replacing the definition of “sensitive information”); “biometric information”; “processing” and “use”; a “database owner”; a “database holder”. Generally speaking, the foregoing changes are intended to mimic parallel definitions in the GDPR, or at least their essence.
In addition, the draft bill also narrows the obligation to register databases with the Israeli Database Registrar. Under the current Law, specific categories of databases require registration with the Israeli Database Registrar: (i) databases that contain “sensitive information”; or (ii) databases that contain “information” (even if not sensitive) regarding more than 10,000 data subjects; or (iii) information which was obtained without the consent of the people to whom it pertains; or (iv) the database belongs to a public body; or (v) the database is used for direct marketing. The thresholds promulgated by the Law have led to many database registrations but have not proven to better the protection of PII (and are also burdensome to companies and the Registrar itself). The draft bill requires the registration of large databases that contain PII of more than 100,000 data subjects that have special sensitivity, whether due to (a) containing “information having special sensitivity” (as such term is defined in the new bill), (b) the type of the database owner (public entity), (c) the purpose of the PII’s processing (in order to transfer it to third parties), or (d) the manner in which the PII was collected (without the knowledge or permission of data subjects). That said, the Registrar would have discretion to require the registration of a certain database, or to exempt another, according to the circumstances at hand.
In the context of alignment with the GDPR, we expect more bills to be introduced in the coming months to address matters such as strengthening the Privacy Protection Authority’s monitoring and enforcement powers, the lawful grounds of PII processing, broadening data subject rights and the allocation of responsibilities among data owners (controllers) and data holders (processors). We will keep you informed of these developments.
GKH’s IP and Privacy Group is available to assist clients in bettering the privacy and security practices of their business.
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP and Privacy Practice, at ellat@gkh-law.com or 03-6074588.