Israel and the EU: Data Protection Adequacy

09.07.2024

Adequacy is a status granted by the Commission of the European Union to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to that provided in European law. When a country has been awarded adequacy status, personal data can flow from the EEA to that country without any further safeguards or authorizations, as if it were part of the EEA.

Israel was one of the first countries to be recognized as adequate, in 2011. Adequacy status is not permanent: it can be revoked and must be periodically reviewed. In January 2024, eleven third countries and territories, including Israel, received a positive adequacy assessment from the Commission.

EU data protection law changed with the introduction of the GDPR, but Israel still relies on its sparingly amended 1981 Protection of Privacy Law. The only area that received recent attention is data security, which was addressed by secondary legislation in 2018.

Because of Israel’s antiquated law, the Commission identified several areas that it wanted Israel to address. Rather than change the statute, Israel opted for a stop-gap measure: the Privacy Protection Regulations (Provisions for Data that was Transferred to Israel from the European Economic Area), 5783-2023 (the “EEA Data Regulations”; an unofficial translation, titled “Privacy Protection Regulations (Instructions for Data that was transferred to Israel from the European Economic Area)”, is published as a PDF on www.gov.il).

These regulations entered into force on August 7, 2023 for personal data received from the EEA on or after that date, and on May 7, 2024 for personal data received from the EEA irrespective of when it was received. From January 1, 2025, the regulations will also apply to all data (including non-EEA data) that is kept together with personal data received from the EEA.

The EEA Data Regulations address three key areas:

Data Deletion and Retention

Normally, Israeli data subjects can only demand deletion of profiling data used for direct marketing, or of inaccurate data, and in the latter case only if the controller refuses to rectify it. The 2018 data security regulations require controllers to check annually whether they hold personal data that is not necessary for the purpose for which it was collected. However, controllers are not under an explicit duty to delete such data.

The EEA Data Regulations add a data subject right to request deletion of data that was unlawfully obtained, is unlawfully processed, or is no longer needed for the purposes for which it was collected.

In addition to deletion upon request, the EEA Data Regulations require controllers to put in place organisational, technological or other mechanisms to delete data that is no longer necessary for the purpose for which it was collected, or for any other purpose for which it may be retained in accordance with any law.

Controllers may nonetheless retain personal data based on public interest considerations such as freedom of expression, archival purposes, scientific research or statistical research; to comply with legal obligations or to exercise authority; to protect legal rights; to address fraud, theft or other incidents affecting the integrity of the data processing operations.

Instead of deletion, controllers may opt for anonymisation.

Data Accuracy

The principle of data quality and accuracy is only implicitly recognised in the context of the right to rectification of inaccurate personal data.

But under the EEA Data Regulations, controllers must put in place organisational, technological or other measures to ensure that data is correct, complete, clear and up to date, and must delete or rectify data that is not.

Duty to Inform

Normally, controllers are only under a duty to inform data subjects whom they actively approach, and only of the purposes of processing, of any third-party transfers and of the purpose of such transfers.

The EEA Data Regulations expand the duty to inform to cover data subjects whose data is obtained indirectly. The regulations also expand the types of information which must be provided, to include: the identity and contact details of the controller, the purpose for which the data was transferred to the controller, the types of data received, and the rights of the data subject regarding data deletion, access and rectification. This notification must occur as soon as possible after the data is received, and no later than one month from that date.

Additionally, controllers who intend to transfer data to third parties must inform data subjects of the identity and contact details of such third parties, the purpose and type of data to be transferred, and the data subjects’ rights. This information must be provided promptly, and before the data is transferred onwards.

Exceptions to the duty to inform apply under certain conditions, such as when data subjects are already aware of the information, when data subjects’ contact details are unknown, when informing them would be unreasonably burdensome, when there is a legal duty of confidentiality, or when informing data subjects could affect journalistic activities or reveal a journalistic source. Another exception applies where informing would disproportionately affect the rights of others compared to the harm caused by not disclosing the information to the data subject. Reliance on these exceptions must be necessary and proportionate in the circumstances.

Additional provisions

The EEA Data Regulations also introduce two new categories of sensitive (special category) personal information: ethnic origin and trade union membership. However, categorisation as sensitive information has very limited implications under the current legislation.

The EEA Data Regulations do not apply to data provided directly by data subjects. While processors are not excluded from the regulations, in practice the additional provisions are applicable only to controllers.


Article provided by INPLP member: Eyal Roy Sage (AYR Lawyers, Israel)


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.