Alain Bensoussan

Last April 4, 2011, the EU Article 29 Data Protection Working Party issued an Opinion on the level of protection of personal data in New Zealand. This is the occasion to make a recap on the EU legal rules for transborder flows of personal data, with a focus on the latest country found to provide an adequate level —Israel.

Today, with globalization, it’s common practice for businesses to transfer personal data around the globe. This of course raises issues on the security of such data. The European Union does not allow businesses to send personal data outside its boundaries unless the recipient country provides an adequate level of protection. The last country to join the club of countries with an adequate level: Israel!

EU legal framework for cross-border flows of personal data

In a decision dated January 31, 2011, the European Commission considered that the State of Israel was providing an adequate level of protection for personal data transferred from the European Union (EU) in relation to automated international transfers of personal data from the European Union or, where they are not automated, they are subject to further automated processing in the State of Israel.

As a rule, transfers of personal data made between EU Member States are free and may not be restricted. However, this is not the case of transfers between EU countries and non-EU countries (“third countries”). In such case, Article 68 of the French Data Protection Act prohibits the transfer of personal data to a third country that does not provide a sufficient level of the protection of individuals’ privacy, liberties and fundamental rights with regard to the processing of their personal data.

The sufficient nature of the protection provided by the State is assessed taking into account in particular, the provisions in force in this State, the security measures that this State applies, the specific characteristics of the processing, such as its purposes and duration, as well as the nature, origin and destination of the processed data.

To date, the European Commission has recognized that the following countries were providing a sufficient level of protection: Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Iceland, Isle of Man, Jersey, Liechtenstein, Norway, Switzerland and the USA, subject that the company has joined the Safe Harbor..

Legal basis for the EU Commission’s decision on Israel’s data protection law

To base its decision, the EU Commission first noted that the legal standards for the protection of personal data in the State of Israel were largely based on the standards set out in the Data Protection Directive 95/46/EC and were laid down in the Israeli Privacy Protection Act 5741-1981 of April 1st, 1981, lastly amended in 2007 in order to establish new processing requirements for personal data and the detailed organization of the supervisory authority

As a result, the European Commission stated that for the purposes of Article 25(2) of Directive 95/46/EC, the State of Israel was considered as providing an adequate level of protection for personal data transferred from the European Union in relation to automated international transfers of personal data from the European Union (Article 1 of the EU Decision).

The competent supervisory authority of the State of Israel for the application of the legal data protection standards in the State of Israel is the “Israeli Law, Information and Technology Authority (ILITA)”. The ILITA is an independent regulator established by the Ministry of Justice of Israel in September 2006. The Israel’s data protection authority is invested with powers of investigation and intervention. ILITA’s mandate applies to both the private and public sector IT.

The EU adequacy decision will help promote the development of bilateral trade between the State of Israel and EU Member States.

Consequences from a French perspective

The State of Israel is now considered as providing a sufficient level of protection within the meaning of Article 68 of the French Data Protection Act.

This means that while transborder flows of data to Israel no longer need to be authorized by the French data protection authority (the CNIL), it is nonetheless still required to inform the CNIL of such transfers. In practice, such information is done by completing the appendix “Transborder Flows” attached to the notification required to be filed with the CNIL before any processing of data.

In short,

(i) a data controller established in the EU no longer needs to conclude a data transfer agreement to transfer data in Israel, but

(ii) data transfers to Israel still have to be notified to the CNIL when filing the relevant notification for the processing involving such data transfer.