Written by: Haim Ravia, Dotan Hammer
Israel’s Privacy Protection Authority (PPA) published a position paper interpreting Regulation 2(4) of the Privacy Protection Regulations (Transfer of Data to Databases Outside the Borders of the State), 2001 — one of the most commonly relied-upon legal bases for transferring personal data from Israel to foreign recipients.
Under Israel’s framework, Regulation 1 prohibits transferring personal data from an Israeli database to a country whose laws do not ensure equivalent protection. Regulation 2(4) creates an exception: transfers are permitted where the foreign recipient commits, by agreement with the Israeli exporter, to comply with the conditions applicable to Israeli databases, “with necessary modifications.” The position paper clarifies what these “necessary modifications” mean in practice.
The PPA acknowledges that full compliance with every Israeli requirement will not always be feasible across all jurisdictions, given differences in legal frameworks. However, it makes clear that the standard is objective — a foreign recipient cannot claim that its personal or organizational circumstances prevent compliance and treat that as a “necessary modification.” Nor does reliance on Regulation 2(4) exempt the Israeli exporter from its own obligations under the Privacy Protection Law.
The PPA specifies the substantive commitments that must be included in the transfer agreement. The recipient must undertake obligations identical, or substantially similar, to those in the Privacy Protection Law: a prohibition on using data for purposes other than those for which it was originally provided; granting data subjects the right to inspect data held about them; allowing data subjects to request correction or deletion; and maintaining confidentiality.
On data security, the PPA offers two alternative paths. The recipient may commit to the substantive obligations in the Data Security Regulations, 2017. Alternatively, it may declare that it holds ISO/IEC 27001 certification, complies with all relevant Annex A controls, and commits to the additional obligations identified in PPA Directive No. 3/2018 on the applicability of the Data Security Regulations to ISO-certified organizations.
One permissible “necessary modification” is identified: failure to register a database with the PPA will be accepted where the destination country imposes no similar requirement.
The position paper also addresses data originally transferred from the European Economic Area. Where an Israeli database holds EEA-origin data subject to the EEA Data Regulations (2023), the foreign recipient must also commit to the substantive obligations in Regulations 3–7 of those regulations — a requirement applicable since January 1, 2025.
Finally, the PPA emphasizes that Regulation 2(4) refers broadly to all conditions applicable to Israeli databases — not solely the Privacy Protection Law. Where other Israeli laws impose data protection obligations on the transferred data, the recipient must commit to those as well.
Click here to read the Israeli Privacy Protection Authority position paper on cross-boarder transfers.
