Challenges for Companies with an Israel Nexus

15.04.2019

In May 2018, the Israeli Protection Of Privacy Regulations (Data Security 2017) (the “Regulations”) came into effect. The Regulations promulgated under the Israeli Protection of Privacy Law, 1981 (the “Law”), include specific and exacting requirements with respect to data security, which may exceed formal requirements under EU law. In addition has Israel has regulations regarding the transfer of data abroad, which is not entirely consistent with the GDPR, and has a mandatory database registration requirement, for databases which meet certain conditions.

When is a database subject to Israeli database laws? The Law is silent on the law’s territorial scope. No official guidance has been issued on this point either. The general view is that if there is an Israeli nexus, information will be subject to Israeli law. The determination of whether there is an Israeli nexus, is done by reviewing characteristics of the controller and of the data base itself. In general, if the controller is located or incorporated in Israel or if the controller is foreign but  has a local Israeli subsidiary it will be deemed to have an Israeli nexus.  If the company proactively markets in Israel and/or has Israeli data subjects – this would imply and Israeli nexus.

There are still many situations that are still in a grey area such as, if the servers are located in Israel, but the information is only with regard to foreign nationals or if an Israeli company is defined under the European Union's General Data Protection Regulation (the “GDPR”) as a processor for a foreign national1.

If it were to be deemed that a company has an Israeli nexus then the relevant database(s) would be subject to Israeli data protection and registration requirements, which include amongst others:

If it were to be deemed that a company has an Israeli nexus then the relevant database(s) would be subject to Israeli data protection and registration requirements, which include amongst others:

(1) Data Security: The GDPR stipulates a general security principle which requires controllers and processors to take appropriate technical and organizational measures to ensure the level of security that is appropriate to the level of the risk. By contrast, the Regulations dictate specific granular security requirements depending on the classification of the data base as low, medium or high security. The Regulations divide databases into categories depending on size of data base and sensitivity of data stored. It is important to note that certain of these obligations may exceed requirements under the GDPR. It is possible that meeting the Regulations will be sufficient (and may even serve as a defense) to comply with the GDPR’S more general requirements for “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”

(2) Mandatory Database Registration. Israeli law requires the owner of a computerized database to apply for registration of the database with the Data Base Registrar, if the data base includes personal information, is not intended solely for personal use and meets certain other conditions2. There is no comparable requirement under the GDPR. Upon applying for registration of a database, various documents are required to be submitted, including: (i) a database definition document which describes the type of data stored, the use of the data, information with regard to the storing of the data and where it is stored.; (ii) the company security policy; (iii) a document mapping the structure of the database, and various other documents.

(3) Export of Data - Israeli law severely restricts cross-border transfer of personal data originating from databases in Israel. Notwithstanding the fact that the Israeli provisions may often reach a similar conclusion as the GDPR , this matter needs to be evaluated on a case by case basis as the Israeli Regulations (Transfer of Data to Data Bases Out of Israel) 2001, requires both a written undertaking and the meeting of one of several pre-conditions.

(4) The Israeli Regulations require the appointment of a data security officer (similar to a DPO ) – but there may be situations where a data security officer is required and a DPO is not. In addition, the responsibilities and the requirements of these data security officers are not identical. Amongst others, the data security officer shall be in charge for preparing the Company’s security procedure and for a plan regarding the ongoing supervision of the compliance of the Regulations. The data security officer shall not perform any additional function that may cause him to be in a conflict of interest in the performance of his duties under the Regulations.

(5) The breach notification requirements under the Regulations are different from those of the GDPR.

Adopting a robust GDPR compliance program is a big step in the direction of Israeli data protection laws, however in order to be compliant with Israel data protection requirements additional actions must be taken.

Violations of Israeli privacy laws are subject to civil and criminal penalties and may be the subject of individual tort claims. On January 28, 2019, the Privacy Authority advised it would begin strict enforcement, in particular with regard to serious data breaches. The Regulations stipulate that a database owner with a medium or high security obligation is required to notify the Privacy Protection Authority within 24 hours from the date of disclosure of a serious information security event and in any event not later than 72 hours, and to report on the steps taken following the incident.

As of May 2018, 86 enforcement proceedings were held following severe information security events. Attorney Ali Calderon, who is in charge of administrative enforcement in the Authority for the Protection of Privacy said that “Cases in which serious findings will be discovered in the conduct of bodies regarding their compliance with the requirements of the law, including the manner in which information security events are handled, failure to report to the authorities, to comply with the instructions or an attempt to hide them may lead to a prohibition of continued use of information and as a result thereof, could lead to significant damage to the business activity of such entity.

Due to differences between the GDPR and Israeli data protection laws, entities that are subject to Israeli data protection laws should note that there exist substantial differences between GDPR compliance and Israeli law, with certain key obligations under Israeli exceeding GDPR requirements and are advised to take steps to ensure compliance with Israeli data protection laws, even where a robust GDPR compliance program is in process or in place.  

References:

  1. According to un-official guidance we received from the authorities, it is not subject to the Regulations in this particular situation.
  2. 1. the database contains data about more than 10,000 people; 2. the database contains sensitive data; 3. the database contains data about natural persons not provided by them, on their behalf or with their consent; 4. the database belongs to a public body; or 5. the database is used for direct mail services.

External links:

 

Article provided by: Beverley Zabow, Adv., CIPP/E of BL&Z Law Offices and Notaries

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.