Schrems II: The Israeli perspective
Recently, the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), the so-called Schrems II case, invalidated the EU-U.S. Privacy Shield ('the Privacy Shield'), which entered into force in February 2016 and was designed to replace the Safe Harbor agreement and provide companies located in the EU with the ability to transfer personal information to the US in compliance with data protection requirements. In Schrems II, the CJEU held that this arrangement can no longer be used as a valid mechanism for the transfer of personal information from the EU to the USA. Subsequently, the Swiss authorities similarly invalidated the equivalent EU-Swiss Privacy Shield. Dalit Ben-Israel and Efrat Artzi, Partner and Senior Associate respectively at Naschitz, Brandes, Amir & Co., discuss changes to data transfer requirements and the legal transfer mechanisms available to and from Israel in light of the Schrems II judgment.
The Israeli Cross Border Regulations - export of Israeli personal information
The Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001 ('the Transfer Regulations') govern the ability to transfer personal information of Israeli data subjects abroad, under certain principles and limitations.
Regulation 1 - level of protection in the receiving country
Regulation No. 1 of the Transfer Regulations restricts the ability to transfer personal information of Israeli data subjects outside of Israel, unless the law of the country to which such personal information is being transferred ensures a level of protection not less protective than that provided under Israeli law, by complying with the following set of principles in the importing country:
- personal information is duly collected and processed;
- personal information is used for the purpose for which it was collected;
- personal information is accurate and updated;
- data subjects have the ability to review and correct their information; and
- there is an obligation to implement appropriate security measures to protect personal information.
In the absence of any Israeli 'adequacy' determinations, this provision had not been operationalised until recently. In July 2020, the Israeli Privacy Protection Authority ('PPA') published an opinion according to which the data protection laws and regulations of the EU Member States and the European Economic Area ('EEA') are considered as complying with the foregoing principles. Consequently, personal information of Israeli data subjects can be transferred to EU Member States, and also to countries that are no longer part of the EU, provided, however, that such countries continue to apply and act according to the EU data protection laws.
Regulation 2(8)(1) of the Transfer Regulations - Convention 108
To the extent that the basic adequacy principle for the transfer of personal information abroad is not met, the Transfer Regulations enumerate other options for the transfer. One of them is set forth in Regulation 2(8)(1) of the Transfer Regulations, according to which personal information may be transferred to a country which is a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) ('Convention 108').
Regulation 2(8)(2) of the Transfer Regulations - Israeli adequacy
Another option for the transfer of personal information abroad is set forth under Regulation 2(8)(2) of the Transfer Regulations, according to which personal information can be transferred to a country which receives data from Member States of the European Community (meaning, the EU Member States and the EEA), under the same terms of acceptance.
Based on the Safe Harbor agreement, which regulated the transfer of personal data from the EU to the USA, the PPA previously held that Regulation 2(8)(2) of the Transfer Regulations permits the transfer of personal information of Israeli data subjects to the USA. However, due to the cancellation of the Safe Harbor agreement by the CJEU in 2015, the PPA invalidated its former decision, and stated that Regulation 2(8)(2) of the Transfer Regulations is no longer a valid mechanism for the transfer of personal information from Israel to the USA, and that such transfer may only be permissible by using other mechanisms available under the Transfer Regulations.
PPA guidelines on data transfers to UK and US
PPA guidelines on the transfer of personal information to the UK
In July 2020, the PPA issued an opinion clarifying that although the United Kingdom is no longer a member of the EU, the transfer of personal information of Israeli data subjects to the UK is still permissible under Regulation 2(8)(1) of the Transfer Regulations, as the UK previously signed Convention 108 and, by doing so, remains obligated to take the necessary steps in its domestic legislation to protect the fundamental human rights of all individuals with regard to the processing of their personal data.
PPA guidelines on the transfer of personal information to the US
Three months after the CJEU decision invalidating the Privacy Shield Framework, the PPA repeated its former opinion regarding the use of Regulation 2(8)(2) of the Transfer Regulations as a mechanism to transfer personal information of Israeli data subjects to the US. It announced on 29 September 2020 that the transfer of personal information to the US can no longer rely on the Privacy Shield or on the determination that the US is an adequate country in terms of Israeli law, and may only be permissible by using the other remaining mechanisms in the Transfer Regulations.
Regulation 2(1) - consent, and Regulation 2(4) - contractual obligations
Additional requirements of the Transfer Regulations - no further transfer
In addition, the owner (controller) of the personal information should ensure, in a written agreement, that the recipient of such personal information implements adequate measures to ensure the privacy of the data subjects and guarantees that the personal information shall not be further transferred to any other party.
This last obligation creates some difficulties, especially when the processing of personal information involves the engagement of third parties located abroad that act on the holder's (processor's) behalf as sub-processors (for example, in cloud-service agreements, outsourcing services agreements, etc.).
One common solution for this situation is to enter into a written agreement between the owner and the sub-processors which complies with one of the transfer mechanisms under the Transfer Regulations. To the extent that direct legal privity between the owner and sub-processor is not applicable, the alternative is that, in the agreement between the owner and holder, the holder contractually undertakes that its agreements with each sub-processor will include the sub-processor's obligations to fully comply with the Israeli data protection laws and regulations, mutatis mutandis.
Importing EU personal information to Israel
Israel is currently defined as an adequate country by the EU. This decision was rendered prior to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is currently under review. The Schrems II invalidation of the Privacy Shield was based mainly on the ability of the US intelligence agencies to access personal data relating to Europeans, and additionally on the fact that US law does not provide appropriate judicial redress for European data subjects. Taking into account the Israeli secret service's involvement in contact tracing during the COVID-19 pandemic, and in light of the Schrems II judgment reasoning, it remains to be seen whether the Israeli adequacy will be maintained.