In a draft opinion published today, the Israeli Privacy Protection Authority (IPPA) relaxed one of the most stringent requirements under Israel’s data protection law, which for years cast doubts over the legality of any onward transfer in case of a data transfer from Israel. The opinion states that onward transfers are authorized under certain conditions, including primarily the consent of the entity exporting data from Israel. Interestingly, this comes even as the European Commission reassesses Israel’s adequacy determination, including its onward transfers regime.
The opinion interprets Article 3 of Israel’s Privacy Protection Regulations (Transfer of Data to Databases Outside of Israel), 2001 (the “Regulations”). Article 2 of the Regulations permits data transfers from Israel to: (i) EU Member States; (ii) other signatories of Council of Europe Convention 108; and (iii) a country “which receives data from Member States of the European Community, under the same terms of acceptance” (Article 2(8)). In the past, the PPA interpreted this provision to allow transfers from Israel to Safe Harbor companies in the US. However, after the Court of Justice of the EU decision in the Schrems case, the PPA withdrew that authorization.
The Regulations permit transfers to other countries: (i) subject to data subject consent (Article 2(1)); (ii) from an Israeli corporate parent to a foreign subsidiary (Article 2(3)); or (iii) provided the data importer “enters into a binding agreement with the data exporter to comply with the Israeli legal obligations concerning the storage and use of data” (Article 2(4)).
However, under Article 3 of the Regulations, regardless of the basis for an international transfer, data exporters had to obtain the data importer’s written undertaking that:
“it is taking adequate measures to ensure the privacy of the data subjects, and that it guarantees that the data shall not be transferred to any other person, whether in that country or in another country.” (Emphasis added).
Under a literal reading of this provision, even if an initial data transfer were justified under Article 2 of the Regulations, onward transfers would never authorized. For many years, this language introduced legal uncertainty and risk into transactions involving data transfer from Israel. (Although, to the best of our knowledge, they have never been enforced).
Now, the IPPA issued a draft opinion stating that the prohibition on onward transfers is unreasonable, does not align with changes in the technological and business context over the past two decades, and is stricter than transfer restrictions under GDPR and other global privacy laws.
According to the IPPA, onward transfers would be permitted with the consent of the Israeli data exporter. Such agreed upon onward transfers, the IPPA reasoned, are equivalent to an initial transfer from the data exporter in Israel to the onward transferee. Moreover, the IPPA provided that the “written undertaking” under Article 3 does not need to mirror the Article 2(4) contract imposing the same legal obligations as those under Israeli law. Rather, it should offer “more limited protections” for data subjects taking into account the volume and sensitivity of the data.
However – and this may dampen the enthusiasm of affected companies – the IPPA further stated that an onward transfer must also be legitimized by data subject consent or compliance with a legal obligation. It isn’t clear whether the IPPA would require such data subject consent even where an onward transfer is to a processor or subprocessor as opposed to another controller.
The IPPA is soliciting comments on the draft until January 24, 2022, at the following email address: ppa@justice.gov.il.