The judgement of the Court of Justice of the European Union (CJEU), which earlier this month struck down the US-EU Safe Harbor program, now directly affects Israel: the Israeli Law, Information and Technology Authority (ILITA) at the Ministry of Justice has published a statement clarifying that the US-EU Safe Harbor can no longer be relied on as a legal basis under Israeli law for cross-border transfer of personal data from Israel to US entities certified to the US-EU Safe Harbor.
The Israeli Protection of Privacy Regulations (Transfer of Data to Databases Abroad) 5761-2001 limit cross-border transfer of personal data from Israel, specifying that “a person shall not transfer, nor shall he enable, the cross-border transfer of data from databases in Israel, unless the law of the country to which the data is transferred ensures a level of protection no lesser, mutatis mutandis, than the level of protection of data provided for by Israeli law”.
Nevertheless, the regulations recognize certain cases of permitted data transfers. One such case permits cross-border transfer of data to a database in a country that is a party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (also known as Council of Europe Convention 108). Another such case permits cross-border transfer of data to a country that receives information from Member States of the European Union and European Economic Area (EEA), in accordance with the requirements under European data protection law. Prior to the CJEU’s ruling, ILITA’s position, as published on its website, asserted that the US-EU 'safe harbor' program can be utilized for cross-border transfer of personal data from Israel to US entities certified to the US-EU 'safe harbor', under the regulations' rubric that permits cross-border transfer of data to a country recognized by the European Commission as ensuring an adequate level of personal data protection, pursuant to the EU data protection directive.
Law.co.il notes that it is questionable whether this regulation could have been initially relied upon for the lawful transfer of information to the United States: The U.S. is not a party to the Council of Europe Convention 108 and information from EU/EEA countries was not transferred to the U.S. as a country recognized by the European Commission as ensuring an adequate level of personal data protection – but to particular companies who had undertaken the Safe Harbor compliance standards – under the terms of European data protection law. At the same time, ILITA’s statement does not address alternative arrangements under the EU data protection directive which permit the transfer of information to certain companies, such as the Standard Contractual Clauses (Amazon, for example, has announced that information may be transferred to it by virtue of this arrangement).