The Israeli data protection authority, (the Privacy Protection Authority, or “PPA”), recently published a draft position paper that, if implemented as definitive policy, would simplify the process of international data transfers of database information from databases that are subject to Israeli law.
On January 3, 2022, the PPA published a Public Statement Draft regarding Regulation 3 of the Privacy Regulations (Transfer of Data Outside the Borders of The State) – 2001.
Regulation 3 states that in order to export database information from Israel to a recipient outside of Israel, the non-Israeli recipient must undertake to (1) take the necessary measures in order to ensure the security and integrity of the personal data, and (2) not transfer the personal data to any third party.
This regulation, particularly the latter obligation of the recipient, historically raised questions regarding the permissibility of subsequent transfers of exported data, including to sub-processors.
This presented a significant difficulty in many of our clients’ commercial engagements, in which the transfer of personal data is often intended to be processed by a number of entities acting on behalf of the recipient.
In the Public Statement Draft, the PPA recognized that an all- encompassing ban on subsequent transfers of exported data is not appropriate in the current technological and commercial milieu.
The PPA also acknowledged that in many situations data owners are not, as a practical matter, able to comply with this restriction, nor does this restriction have a counterpart in the European General Data Protection Regulation (GDPR) or other modern privacy legislation.
In view of the above, the PPA clarified that the restriction prohibiting subsequent transfers of exported data will not apply where the data exporter consents in writing to the subsequent transfer, provided that the following conditions are met:
- Legal basis exists for subsequent transfer, such as data subject consent, or the transfer is otherwise authorized under Israeli law.
- If the data had been transferred directly from the data controller to the third party, this transfer would have complied with the terms of Regulation 1 or Regulation 2 of the Privacy Regulations (which establish additional alternatives according to which data exports are permitted).
In addition, the PPA clarified that the scope of the recipient’s commitment to ‘take the necessary measures in order to ensure the security and integrity of the personal data’ does not necessarily require the non-Israeli data recipient to comply with all terms of Israeli data protection law; rather, appropriate security measures must be employed to ensure the privacy of the data subjects, taking into consideration the sensitivity of the data and other relevant factors.
The position paper described above is a draft and does not reflect the PPA’s definitive view with respect to matters addressed therein. The PPA is accepting comments to the draft guidance through January 24th, 2022.