July 22, 2024

Cross-Border Data Transfer Agreements – the Position of the Israeli Privacy Protection Authority

On July 8th, 2024, the Israeli Privacy Protection Authority (the “Authority”) published a draft opinion (link in Hebrew) for the general public’s comments on the interpretation of Section 2(4) of the Protection of Privacy Regulations (Transfer of Data to Databases Abroad), 5761-2001 (the “Draft Opinion” and the “Regulations”, respectively). In the Draft Opinion, the Authority expressed an expansive view regarding both the extraterritorial application of Israeli privacy protection legislation and the content of data transfer agreements.

Background

The Regulations prohibit the transfer of personal data from an Israeli database outside of Israel’s borders, except when one or more of the (alternative) conditions outlined under Section 2 of the Regulations are met. One such condition, specified under Section 2(4), permits the transfer if “the data is transferred to a person bound by an agreement with the owner of the database from which the data is transferred, to comply with the conditions for the ownership and use of the data applying to a database in Israel, with necessary modifications”. The Draft Opinion focuses on this condition, particularly on the phrase “with necessary modifications”.

Extraterritorial Application of the Privacy Protection Law

The Draft Opinion contains a precedential expression of the Authority’s view on the extraterritorial application of the Privacy Protection Law, 5741-1981 and the regulations enacted thereunder (collectively, the “Privacy Protection Law”). In the Draft Opinion, the Authority notes that there may be databases abroad that will be subject to all the provisions of the Privacy Protection Law, even if their owners are not registered in Israel, for example, due to their extensive impact on Israeli data subjects.

Furthermore, the Authority clarifies that in the case of data transfer between a database owner in Israel and a holder of a database located outside of Israel, the holder is required to fully and accurately comply with the provisions of the Privacy Protection Law. The Authority’s position implies, for instance, that an American company offering cloud storage services to Israeli companies is directly subject to the Privacy Protection Law, even if it has no physical presence in Israel.

Content of the Data Transfer Agreement

In the Draft Opinion, the Authority clarifies that “the conditions for the ownership and use of the data applying to a database in Israel” are not limited to the Privacy Protection Law but include all legislation in the areas of privacy and data protection. The Authority also clarifies its position that personal or organizational circumstances of the data recipient, which do not allow compliance with these laws, do not constitute a “necessary modification.” Rather, this standard should be examined objectively. For example, non-compliance with the database registration requirement under the Privacy Protection Law will be considered a necessary modification if such an obligation does not exist in the country to which the data is transferred.

Regarding the components of the data transfer agreement, the Authority clarifies that the agreement must include the data recipient’s commitment to fulfill obligations towards the data subject that are identical in content to those in the Privacy Protection Law. This includes, for example, the prohibition of using the data for purposes other than those for which it was provided, granting the right of access, correction, and deletion to data subjects, and maintaining confidentiality concerning data received by an individual in connection with his/her position.

Additionally, the agreement must address aspects of data security. In that context, it is possible to include a commitment by the data recipient to fulfill the obligations stipulated in the Privacy Protection Regulations (Data Security), 5777-2017 (the “Data Security Regulations”), or a declaration that the data recipient has obtained ISO/IEC 27001 certification and complies with it, as well as with the requirements stipulated under the Guideline of the Database Registrar No. 3/2018 (link in Hebrew) regarding the application of the Data Security Regulations in the case of such certification.

If the database from which the data is transferred also includes information transferred from the European Economic Area, the data recipient will also be required to comply with the provisions stipulated under the Privacy Protection Regulations (Instructions Regarding Data Transfers from the European Economic Area to Israel), 5783-2023 (for more information on those regulations, see here).

Bottom Line

The Draft Opinion illustrates the Authority’s expansive approach regarding both the extraterritorial application of Israeli privacy protection laws to foreign entities and the content of a data transfer agreement under the Regulations.

The Draft Opinion is open for public comments until August 8, 2024, via the following email: [email protected].

Please do not hesitate to contact us with any questions or for advice regarding the above.

 


  • This client update was prepared with the assistance of Shira Even Chen.
  • This update is intended to provide general and concise information only. It does not constitute a full or complete analysis of the discussed issues, does not constitute a legal opinion or legal advice, and should not be relied upon as such.
