On Aug. 13, Israel's DPA, the Israeli Law, Information and Technology Authority, published for public comment new draft guidelines on the interpretation and implementation of the Privacy Protection Law 5741-1981, in relation to the transfer of ownership of a database, which set extensive standards for privacy protection and data subjects' control of personal data under such circumstance.
The new guidelines articulate the DPA's position, according to which, the interpretation of the Protection of Privacy Law mandates that under certain circumstances, the transfer of ownership of a database, as a result of a change in the identity of the controller of the database, and the transfer of all rights in the database to a different legal entity (for example, in the framework of the sale of the database, an acquisition or merger of the controller, or receivership of the controller), necessitates obtaining prior consent from the data subjects for the transfer of their personal data to the new entity.
In other circumstances, according to the guidelines, notification of the transfer to the data subjects will be sufficient; however, the data subjects may be entitled to opt out of the engagement with the new controller and even to request the erasure of their personal data from the transferred database.
The key principle specified in the new guidelines states that the data subject's prior consent to the transfer will be deemed necessary if either: (i) the identity of the controller is a factor of importance for the data subject and such identity influenced the data subject's original decision to consent to the processing of personal data; or (ii) the purpose of processing will expand as a result of the transfer of ownership.
Any expansion of the purpose of processing requires the informed, explicit consent of the data subjects. This limitation, according to the ILITA, is an implementation of the purpose limitation principle as set in the Privacy Protection Law.
Furthermore, according to the ILITA, in circumstances where the characteristics of the transferee of the database differ from those of the transferor in a manner that may significantly affect the data subject's rights or considerably deviates from the data subject's expectations regarding the processing of personal data, an opt-in mechanism should be implemented and data subjects' consent is necessary, even if the purposes of processing are not expected to change as a result of the transfer.
Under the guidelines, the parties to the transfer will be required to notify the ILITA of the transfer of ownership, and specify the actions they intend to take to protect the privacy of the data subjects.
The new guidelines stipulate that in cases where the identity of the controller is of no importance to the data subject, and the purpose of processing, conditions under which the database is maintained, manner of processing and conditions of further transfers will not change due to the transfer, it will be sufficient to inform the data subjects of the transfer, and provide the data subjects with the contact information of the new controller, so that they may determine whether they wish to continue their engagement with the new controller. They may then notify the new controller if they wish to terminate the engagement and request the erasure of their personal data from the database if such erasure is possible and relevant according to the database's nature.
The ILITA identifies several circumstances that would necessitate the data subjects' prior consent to the transfer of personal data to the new controller. While this list is open and by no means exhaustive, it serves to clarify the DPA's position and provides privacy professionals with some road signs in assessing the privacy risks associated with a particular contemplated transfer. The examples specified by the ILITA include:
- When the transferor is an individual whose identity was a significant consideration in the data subject's original decision to engage with the transferor, or if the transferor is under a special fiduciary relationship or privilege with the data subject, such as patient-doctor relationship, attorney-client, or the relationship between a client and an accountant or an insurance agent.
- When the transferor is Israeli and the transferee is a foreign resident.
- When the transferor is a public entity and the transferee is a private entity and vice versa.
- When the transferee, or an interested party or the controlling shareholder in the transferee, is the controller of additional databases or has additional business which give rise to a conflict of interests in relation to the purpose of the transferred database, or which increase the risk that the transferee will use the database for purposes which exceed the purpose of the transferred database or the consent of the data subjects.
- When the transferee, an interested party or the controlling shareholder of the transferee, has violated the law in other databases or businesses under his control or was convicted of an offense, the severity or circumstances thereof cast doubt on the transferee's suitability to control the transferred database.
Under the guidelines, the parties to the transfer will be required to notify the ILITA of the transfer of ownership, and specify the actions they intend to take to protect the privacy of the data subjects, including updating the data protection policy of the database, conducting risk assessment, modifying access authorizations and designating transferee's authorized personnel, describing the treatment of excess data, data optimization and update of data transfer processes, as applicable. The transferor will also be required to provide an affidavit (approved by an attorney) attesting that the database is purged in full from the transferor's systems following the transfer, and the transferee will be required to submit an application to update the registration of the database at the ILITA registry of databases.
The position presented in the new draft guidelines is notably different from current common practices in M&A transactions in Israel and will require controllers, and their privacy advisors, to incorporate privacy considerations and data protection risk assessments in thus-far unfamiliar territories.
Public comments on the draft guidelines may be submitted to the ILITA until Oct. 1. In light of the important stipulations introduced in the new guidelines, it is likely that the draft will draw attention from affected entities.
Head of ILITA, Adv. Alon Bachar, stated in the introduction of the draft: "We must all remember that personal data always belongs to the data-subject. Even when a company or business manage personal data about clients, the date does not become theirs. The draft guidelines we are publishing for public comments clarifies to companies the data they manage about people belongs to the public. The sale or merger of companies or businesses does not enable the free transfer of personal data at their discretion. The public must be informed and its consent must be sought." (Author's translation from Hebrew)