Written by Haim Ravia and Dotan Hammer
The Israeli Ministry of Justice has begun drafting new data protection regulations that will establish a legal framework whereby personal data originating from the European Union will be subject to a higher level of data protection than any other data collected or processed in Israel.
The Ministry’s motive for this initiative is the European Commission’s ongoing reevaluation of Israel’s 2011 EU data protection adequacy status, which has been facilitating the seamless transfer of personal data from the EU to Israel in the past decade. The EU is Israel’s main data market, and the Ministry of Justice is justifiably concerned that a repeal of Israel’s adequacy status will have far-reaching implications on Israel’s economy as well as its political status.
The proposed regulations, which are yet to be published for public comment, aim to impose four main obligations on Israeli database owners, echoing key principles of the GDPR:
- Right to deletion (“right to be forgotten”) – database owners will be obligated to delete personal data, upon request, if the data was unlawfully created, received, collected, accumulated, or used, or where such data is no longer necessary for the purposes for which it was collected. An exception will apply if retention of such data is required to promote public interests and freedom of speech.
- Data and purposes limitation – database owners will be obligated to implement mechanisms to ensure that they do not retain data that is no longer necessary for the purposes for which it was collected, and not use it for purposes other than the purposes for which it was collected.
- Data accuracy – database owners will be obligated to implement mechanisms to ensure that the data retained in the database is correct, complete, clear, and up-to-date, and rectify or delete any data that does not comply with these requirements.
- Notice to data subjects – database owners will be obligated to provide EU data subjects a notice regarding the identity of the database owner, the types of data transferred to the database owner, and the purposes for which it was transferred; the data subjects’ right to review the transferred data and have it rectified; and the identities of the third parties to whom the database owner intends to transfer the data (if any) and the purposes of such transfer.
The Ministry of Justice recently held an expert roundtable consultation on the matter. The participants strongly criticized the proposed legal framework labeling it a ‘legal apartheid’ and arguing that it violates the constitutional right to equality. Participants also called on the Ministry to apply the proposed regulations to all data collected and processed in Israel, regardless of its origin.
