On May 7th 2023, a new set of regulations was legislated in Israel, regarding the transferring of information from the EU to Israel. These regulations were legislated in conjunction with Israel’s efforts to keep its status with the European Economic Area (EEA) as an “adequate” country. The adequacy status is very important because it means that the EEA will allow the continued free flow of personal information from European countries to Israel (subject to keeping the applicable regulatory obligations, of course).
These new regulations require Israeli database owners to undertake certain obligations as well as grant certain rights to EEA data subjects with respect to their personal information transferred to Israel from the European Economic Area, but also to all of the information stored alongside it in an Israeli database.
Below you will find a comparison between the main duties the new regulations impose on database owners, and the existing rights of Israeli data subjects according to the Privacy Protection law, 5571, 1981:
| New Regulations | Existing Privacy Protection law |
| The right of a data subject to request deletion of their personal information if the information was obtained in an illegal way or is not necessary anymore | The right of a data subject to request deletion of their personal information only exists if they find the data to be untrue, partial, unclear or not updated |
| The obligation to put in place mechanisms to ensure unnecessary information is not kept | —— |
| The obligation to put in place mechanisms to confirm the accuracy of the personal information | —— |
| The obligation to disclose details regarding the personal information and its processing to the data subject and provide notification of their rights | The right of data subjects to review personal data held about them in a data base |
As we can clearly see in the table above, the new regulations grant data subjects with additional rights and impose more obligations on the processors of personal information. Unfortunately, Israeli data subjects will only enjoy these rights if their data resides in the same database as the data of EEA data subjects. A lot of debate exists around this regulation due to the discrimination between Israeli data subjects and EEA data subjects. Separating the databases – which is a technical act, will result in deprivation of certain rights which should be fundamental and should be granted to any data subjects regardless of how their personal information is organised.
When will this enter into effect?
The new regulations will enter into force starting August 7 2023m regarding information received from this date onwards. Starting May 7 2024, the regulations will also apply to information received before August 7 2023.
Regarding information that was not received from the European economic region, but is held alongside it in the same database, the regulations will enter into force on January 1 2025.
What does this mean for me as a database owner?
If your company is registered or operates in Israel and owns a database that includes personal information of EEA data subjects, you should put procedures in place to cater to the obligations and rights imposed by the new regulation including responding to requests of EEA data subjects. This operationally means:
- Plan and assess your strategy in relation to structure of your data bases, namely whether to allow inclusion of EEA personal information with other personal information;
- Assessing and mapping all databases that include personal information, and particularly EEA personal information;
- Assess and map whether or not your databases include EEA personal data;
- Consider various mechanisms that may cater to the new obligations;
- Put in place policies and procedures to ensure compliance with the obligations, for example, procedures with respect to handling and responding to data subject requests to erase their personal information;
- Educate and train your personnel to ensure smooth implementation of the requirements.