The European Commission has formally approved Israel's status as a country that provides an adequate level of protection for personal data transferred from the EU. The decision, which recently entered into force, removes many significant substantive obstacles that companies previously needed to overcome in order to transfer personal data from the EU to Israel. In practical terms, the decision will make it easier for EU entities to engage Israeli service providers (for example, in the area of financial services or analysis, insurance services or health data processing); for international companies to share personal data with their Israeli headquarters or affiliates, and for Israeli companies to conduct business with the EU.

Israel joins a select group, as only eight other countries have received an adequacy determination: Switzerland, Canada (for certain sectors), Argentina, the Channel Islands of Guernsey and Jersey, Isle of Man, the Faroe Islands and Andorra.

What is the EU Data Protection Directive?
The Data Protection Directive, officially EU Directive 95/46/EC, regulates the processing of "personal data" collected from the EU and is a fundamental component of EU privacy law. The Data Protection Directive facilitates the movement of such personal data within and beyond the EU.

What is personal data?
The Data Protection Directive defines "personal data" as information relating to an identified or identifiable natural person. The definition is intended to be broad and captures information that can be linked to a specific individual.

What does the adequacy finding mean?
Under the Data Protection Directive, personal data may only be transferred to a country outside of the EU if that country provides an adequate level of data protection, unless certain narrow exceptions apply. Typically these exceptions result in companies entering into standard contractual clauses (model contracts approved by the EU) or, for multinational companies, implementing binding internal corporate rules, such as a code of conduct. The process is often time-consuming and expensive.

As a result of the adequacy decision, companies that wish to transfer personal data from the EU to Israel no longer need to find a specific exemption or enter into standard contractual clauses or binding corporate rules.

There are several advantages for Israeli business.

First, the reduction in bureaucracy makes the transaction process smoother and quicker (and cheaper, since legal fees can in many instances be reduced). Second, we expect that EU organizations will be more comfortable transacting with Israeli organizations (especially in matters involving personal data) that are subject to data protection laws that are similar to the EU's. Third, Israeli companies should have a competitive advantage over rivals that are not based in an "adequate" country and are therefore required to navigate through additional bureaucratic and legal issues. As stated above, this will make it easier for EU entities to engage Israeli service providers; for international companies to share personal data with their Israeli headquarters or affiliates, and for Israeli companies to conduct business with the EU.

The adequacy decision does not mean, however, that Israeli companies can do whatever they want with the personal data. They are still subject to complying with Israel's privacy and data protection laws. The Israeli Law Information and Technology Authority (ILITA), which is the Israeli data protection regulator, is responsible for enforcing privacy and data protection laws in Israel. Among its other powers, ILITA has the authority to impose administrative fines for breaches of the law, and it has increasingly done so in the past two years. ILITA played an instrumental role during the lengthy adequacy assessment procedure and is likely to be active in ensuring that Israeli companies comply with their privacy and data protection legal obligations. Indeed, ILITA has an added incentive to be active, since Article 3 of the adequacy decision states that EU data protection regulators can suspend data flows to Israel if they believe ILITA is not ensuring the necessary standards of data protection. Any slip-up by your company could therefore result, inter alia, in it facing public relations difficulties and an administrative fine.

The big picture
The adequacy decision is exciting news for Israeli business and follows on from Israel's hosting of the 2010 International Conference of Data Protection and Privacy Commissioners in Jerusalem. However, even though the decision does make it easier to transfer personal data from the EU to Israel, it does not change the fact that your business may be subject to other restrictions on the collection and use of personal data. It is therefore important to ensure that your website or service’s privacy policy, as well as your internal business procedures, are up-to-date and properly cover the spectrum of privacy and data protection laws that apply to your business.