Israel: New privacy protection regulations on data transfers from the EEA - What you need to know

On May 7, 2023, the Protection of Privacy Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 5782 - 2023 were published in their final form. The Regulations introduce four specific obligations for Israeli database owners (controllers) in relation to personal information transferred from the EEA to Israel and amend the definition of 'sensitive information' in relation to personal information transferred from the EEA.

Dalit Ben-Israel, Partner at Naschitz, Brandes, Amir & Co., breaks down the main provisions of the Regulations, including main rights and obligations under the same.

This article was updated on September 6, 2023.

Background

The Regulations were adopted as part of the European Commission's review process of Israel's status as an adequate country, currently providing an essentially equivalent level of protection to the one guaranteed by EU data protection law, enabling the transfer of personal information from the EEA without additional measures or regulatory obligations (by both the transferor and transferee). Israel's adequacy was granted by the EU in 2011 and is up for review (together with other countries) as required under the General Data Protection Regulation (GDPR).

The Regulations were adopted as part of the requirements raised in the negotiations with the EU authorities to maintain the adequacy status, resorting to alternative means through which changes are implemented in the data protection regime without being able to amend the primary legislation due to the impasse of the Parliament caused by the political situation in Israel and the timeline for the EU review.

The Regulations complement the historic decision adopted by the Israeli Government, on October 2, 2022, substantiating the independence of the Privacy Protection Authority (PPA) in the exercise of its authorities, which is also a step towards maintaining the adequacy status. This decision also defined the criteria for the appointment of the head of the PPA and laid out instructions on the separate management of the PPA budget within the Ministry of Justice's budget.

Obligations and rights under the Regulations

The Regulations add the following obligations on Israeli controllers and the corresponding rights to data subjects whose personal information is transferred from the EEA:

Obligation to delete information upon request (right to be forgotten)

The Privacy Protection Law 5741-1981 (PPL) does not award a right to be forgotten, but rather a limited right to amend or delete personal information if it is incorrect, incomplete, unclear, or outdated (Section 14(a) of the PPL). According to the Regulations, a controller will be obligated to delete or anonymize (so that the data subject could not be identified with reasonable means) personal information upon the request of a data subject whose personal information is transferred from the EEA if:

  • the personal information was created, received, accumulated, or collected contrary to the provisions of any applicable law;
  • the continued use of such personal information violates any applicable law; or
  • the personal information is no longer needed for the original purposes.

A controller may refuse the deletion request if the personal information is used for one of the purposes listed in the Regulations (as required, and in a proportionate manner for such purpose), which include exercising freedom of speech or the public right to be informed, fulfilling a legal duty, performance of a legally authorized act, protecting a public interest including archive, scientific, or statistical research, managing a legal process or debt collection, fraud and theft prevention, prevention of other actions that may affect the accuracy or reliability of the personal information, and exercising obligations under an international agreement to which the Israeli Government is party.

Although the PPL does not include a right to be forgotten as such, the purpose limitation principle is part of the PPL (Sections 2(9) and 8(b) of the PPL). To that effect, its practical enforcement would be the deletion of personal information which is no longer needed for the original purposes. In addition, there are specific laws mandating the deletion of specific information in certain circumstances or after a certain time period (only available in Hebrew here).

Deletion of excess personal information

The controller is required to implement an organizational, technological, or other mechanism to ensure that it does not process personal information which is no longer required for the original purpose or for another legally permitted purpose, and to delete such excess information at the earliest time possible under the circumstances. The obligation does not apply if the personal information has been anonymized (so that the data subject cannot be identified with reasonable means) or if the personal information is used for one of the purposes listed above as exceptions to the right to be forgotten, except for the exceptions of fulfilling a legal duty or performing a legally authorized act, which do not apply here.

It should be noted that Israeli database owners are already required to review, at least annually, if personal information is stored in a database longer than required for the purposes of the database (Regulation 2(c) of the Protection of Privacy Regulations (Data Security) 5777-2017 (the Data Security Regulations)). The Regulations add the obligation to implement a specific mechanism for such purpose, whilst explicitly adding a deletion obligation of excess personal information.

Obligation to maintain personal information accurate

A controller is required to implement an organizational, technological, or other mechanism to ensure that the personal information is correct, complete, clear, and up-to-date, and to employ reasonable measures under the circumstances to rectify or delete inaccurate personal information detected through that mechanism.

The obligation to amend or delete personal information if it is incorrect, incomplete, unclear, or outdated exists anyway under Section 14 of the PPL. Additionally, the Regulations require the controller to implement a mechanism to perform such obligation, which shifts the burden to the controller to perform such correction or deletion at its own initiative, and not necessarily based on a data subject request. The Regulations explain that the extent of resources needed to adopt this mechanism depends on the relevant circumstances, including, inter alia, the scope of personal information in the database, and its sensitivity. In our opinion, the burden imposed by this requirement is significant and will most likely be subject to a lot of interpretation.

Notification obligation

A controller is required to inform data subjects whose personal information is transferred from the EEA, as soon as possible after receiving the personal information and no later than one month thereafter, that it is processing such data subject's personal data, including all of the following:

  • the controller's and the database's manager identity, addresses, and contact information;
  • purposes for which the personal information was transferred;
  • the type of personal information transferred; and
  • the data subject's rights of deletion under the Regulations, as well as access and correction rights under Sections 13 and 14 of the PPL.

The controller must also notify such data subject, as soon as possible and no later than upon transfer of the personal information, when the latter is transferred to a third party, including the identity and contact information of the third party or the types of third parties, purposes of the transfer, types of personal information transferred, and data subject rights. The notification may be satisfied through the entity exporting the personal information from the EEA.

A controller is exempt from the notification obligation if one of the exceptions listed in the Regulations applies (as required, and in a proportionate manner under the circumstances). The exceptions include that:

  • the controller has a reasonable ground to assume that the data subject is aware of the details regarding the transfer of personal information;
  • the controller does not know the data subject's contact details;
  • implementing the notification obligation involves an unreasonable burden on the controller;
  • there is a statutory confidentiality obligation or a legal prohibition on disclosing the details under the Regulations;
  • there is a statutory provision already governing disclosure of such details;
  • the implementation of the notification obligation may harm the life or well-being of an individual; and
  • the implementation of the notification obligation is more harmful to the rights of an individual than non-disclosure of the details under the Regulations.

The notification obligation is also not novel in Israeli data protection law. The novelty is that the notification obligation under Section 11 of the PPL applies only to the entity collecting the personal information, prior to or at the time of collection, and does not apply to a recipient receiving personal information from another controller. Equally, the level of transparency required by the Regulations is broader than under Section 11 of the PPL (for further information, see also: Israel: PPA's new opinion regarding disclosures and transparency). This addition will most probably be implemented primarily by imposing these requirements on the EEA transferor of the personal data, by incorporating them in its privacy notice, which in any event needs to list the third-party recipients of the data and the cross-border transfer aspects. Otherwise, it is doubtful how an Israeli controller, which does not collect the personal information directly from EEA data subjects, will be able to notify each individual EEA data subject about the processing, and the implementation costs may well increase the cost of service.

In addition, the Regulations expand the legal definition of 'sensitive information' under Section 7 of the PPL (the Israeli equivalent of the GDPR's 'special categories of data') to include information about a person's origin and information about trade union membership, but only for data subjects whose personal information is transferred from the EEA.

Irrespective of the Regulations, in relation to trade union membership, there is a difference between the Israeli and the EU legal systems: in Israel, trade union membership would not be deemed as sensitive personal information unless such membership reveals opinions or beliefs of the data subject. Nevertheless, a person's origin should indeed be regarded as sensitive personal information, also for an Israeli data subject (and such proposal is included in the Protection of Privacy Bill (Amendment No. 14), 2022 (Bill No. 14) (Amendment 14) that was introduced in the former Parliament, passed initial reading, and will be heard in continuity in the current Parliament).

To put things in perspective, it should be noted that the amended definition is relevant mostly to determine if the entity collecting such types of personal information is required under the PPL to register a database (Section 8(c)(2) of the PPL).

Databases with EEA and non-EEA personal information

In compliance with the purpose of their adoption, the Regulations apply to personal information transferred to Israel from the EEA.

Nevertheless, in the hearing held on April 23, 2023, on the approval of the Regulations by the Constitution, Law and Justice Committee of the Parliament, the chairman of the committee proposed to award the same rights to Israeli personal information if such personal information is maintained in the same database as personal information originating from the EEA. This proposal was a partial attempt to overcome the numerous objections raised against the draft Regulations, which claimed that they create a different regime for Israeli data subjects, who would not enjoy these additional rights and would therefore be treated as inferior. Therefore, the final text of the Regulations was amended to apply to any personal information held in an Israeli database that contains personal information transferred from the EEA, i.e., including personal information originating in Israel. Personal information of Israeli data subjects that is not held in a database together with personal information originating from the EEA will not be subject to the rights under the Regulations (although some of those rights can be applied through the existing purpose limitation principle and the obligation to delete excess data).

Scope of application

The Regulations will not apply:

  • when personal information from the EEA is transferred directly by individuals about themselves;
  • with respect to personal information transferred from a law enforcement or security agency in the EEA to security agencies in Israel (police, military police, intelligence branch of the Israel Defense Forces, security services, the Institute for Intelligence and Special Operations (Mossad), and the Witness Protection Authority); and
  • when the use of personal information is necessary for national security or law enforcement purposes, in the required and proportionate scope in order to achieve such purposes.

It should be noted that the Regulations apply to controllers, but not to processors. Therefore, a processor in Israel receiving personal information from an EEA controller is not subject to the additional obligations under the Regulations (although such processor will usually be required by the EEA controller to sign a GDPR-compliant data processing agreement which will anyway incorporate some of the requirements under the Regulations).

Entry into force

The obligations under the Regulations will enter into force in three phases:

  • on August 7, 2023, for 'new' EEA personal information transferred to Israel on or after May 7, 2023;
  • on May 7, 2024, for 'old' EEA personal information already transferred prior to May 7, 2023; and
  • on January 1, 2025, for non-EEA information.

The PPA's Q&A

On August 8, 2023, the PPA published Q&As regarding the Regulations (only available in Hebrew here). Although a significant portion of the Q&As directly cites the Regulations, the PPA clarified several issues, as described below:

  • The Regulations do not apply to personal information received from the UK or Switzerland.
  • The four new obligations stipulated in the Regulations do not apply directly to processors, but only to controllers. Nevertheless, controllers bear the responsibility for complying with these obligations even where personal information is held or processed by a processor on their behalf; in practical terms, controllers need to flow these obligations down to their processors in their processing agreements. It is important to note that controllers remain accountable and may face penalties if a processor violates the Regulations.
  • The expanded definition of 'sensitive information' also includes information about national affiliation, and it is relevant for both controllers and processors. The PPA further clarified that the practical effect of this revised definition arises particularly in the context of the obligation to register a database containing such sensitive information.
  • Archiving, scientific research, or statistics will not automatically justify refusal to delete personal information if, for example, such purposes can be achieved in another manner.
  • The controller's obligation to implement an organizational, technological, or other mechanism to ensure that (i) personal information is not processed longer than required for the original purpose or for another legally permitted purpose, or (ii) personal information is correct, complete, clear, and up-to-date, can be implemented in different ways, depending on the nature of the information in the database, its scope and sensitivity, the purpose of its collection or possession, etc., and the extent of resources invested in such mechanisms varies accordingly.
  • Controllers may institute a mechanism designed to alert their attention to the necessity of conducting periodic assessments in order to examine whether their databases contain information that is unnecessary, incorrect, incomplete, unclear, or out-of-date. In addition, controllers can determine retention periods, taking into account the purpose for which the information is held and the applicable regulatory requirements. Furthermore, controllers can also determine a mechanism that will automatically update information (if applicable), e.g., when the database includes information on a person's age (which inherently changes each year) or from public resources.

Concluding thoughts on the Regulations

Regulations are not the obvious vehicle for amending primary legislation, especially when adding material obligations and rights such as a right to be forgotten or an obligation to employ mechanisms for detecting excess personal information. However, given the timeline for completion of the adequacy review by the EU and the problematic political situation in Israel, which has halted all previous legislative efforts to amend the PPL, they seem to be the only practical way to introduce these rights into the Israeli legal system. It should be noted that other material data protection obligations, such as data breach notifications, have also been introduced in Israel through secondary legislation (Section 11 of the Data Security Regulations).

The importance of preserving Israeli adequacy is paramount and has also been stressed in the explanations included in the draft Regulations, especially the impact of free transfers of EEA personal information on the economy and the foreign affairs of the State of Israel. It is especially important in the start-up and technology ecosystem which will be burdened with significant individual compliance efforts and costs if the adequacy is lost.

Nevertheless, the Regulations are controversial, initiating loud discussions among Israeli stakeholders, privacy practitioners, and human rights activists, because they create a different regime and level of protection for EEA data subjects compared to Israeli data subjects, with the latter receiving inferior treatment.

As we have demonstrated above, not all of the rights proposed under the Regulations are novel, and some are already incorporated in the current legal framework in Israel, but there is a major difference when enforcing a right that is based on formal regulations (for EEA personal information), as opposed to a guidance note or recommendation of the PPA (for Israeli personal information). The amendment of the Regulations to apply to all types of personal information included in the same database with EEA personal information constitutes a crucial step to align the Israeli data subject rights. Israeli controllers wanting to avoid the applicability of the Regulations on non-EEA personal information may choose to register separate databases for EEA and non-EEA personal information.

On the other hand, this artificial separation may prove to be complicated to implement; the complexity of implementing some of the obligations only for EEA personal information when a company has one customer or user database may well cause controllers to award the superior rights also to Israeli personal information in practice (as we have already seen for many companies that are GDPR-compliant and do not differentiate between data subjects from other jurisdictions).

The requirements under the Regulations to implement mechanisms ensuring that personal information which is no longer required is not processed, and that the personal information is correct, complete, clear, and up-to-date, require the controller to be the initiator rather than merely act upon a data subject request. This requirement is novel, and there is already a discussion among practitioners on how to implement it and whether the Regulations assume technical solutions rather than merely an internal procedure (which is what will be applied in practice). It is expected that the PPA will issue guidance on the manner of implementing this requirement, what these mechanisms are, and other practical aspects of implementing the Regulations.

It also remains to be seen if and how soon the PPL will eventually be amended to include the changes introduced by the Regulations and apply them to all data subjects, including Israeli data subjects whose personal information is not maintained in a database with EEA personal information, as was the case in Japan. It should be noted that the parliamentary committee adopting the Regulations urged the Ministry of Justice to advance the amendments to the PPL, including the addition of the material rights under the Regulations to the PPL itself for all personal information. As stated by the Ministry of Justice in the hearing, the expectation is to provide the Government with a draft of such a bill (titled Amendment 15) by June or July 2023.

Dalit Ben-Israel Partner, Chair IT and Data Protection Practice
Naschitz, Brandes, Amir & Co., Tel Aviv