Written by Haim Ravia and Dotan Hammer
The Israeli government formally published the new privacy regulations that apply primarily, but not exclusively, to personal data that originates from the European Economic Area (EEA). The new regulations were adopted to support the efforts of the EU Commission to renew its recognition of Israel as an adequate country whose level of protection of personal data is equivalent to that of the EU. If Israel’s adequacy status is renewed, Israeli organizations can continue to receive personal data from the EEA almost seamlessly.
The key provisions of the regulations are as follows:
- Data Deletion. Subject to certain exceptions, database owners are required to delete or anonymize data if the data is no longer necessary for the purposes for which it was collected, received, or stored.
- Data Minimization. Database owners must implement mechanisms to ensure that they do not retain personal data that is no longer necessary for the purpose for which it was originally collected or held.
- Data Accuracy. Database owners must implement mechanisms to ensure that the information retained in the database is accurate, complete, clear, and up to date.
- Transparency. When a database owner receives personal data about a data subject from the European Economic Area, the database owner must provide a privacy notice to the data subject as soon as possible, and no later than one month after receiving the data. The privacy notice needs to include certain information such as the database owner’s name and contact information, the purpose of the transfer, the type of information transferred, and the data subject’s rights to access, rectify, or erase the information.
- Expansion of Database Registration Obligation. Information about a person’s ethnic or racial origin, and employee union membership, will be considered “sensitive information”. A database containing sensitive information must be registered according to the Israeli Privacy Protection Law.
The regulations do not apply to personal data transferred from the EEA directly by the data subject. They will come into force in phases. They will first take effect on August 7, 2023, for personal data received from the EEA on or after that date. Beginning on May 7, 2024, the regulations will also apply to personal data received from the EEA before August 7, 2023. Beginning on January 1, 2025, the regulations will also apply to all other non-EEA personal data that is stored in the same database with personal data of EEA origin.
Click here to read the Privacy Protection Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 2023 (in Hebrew).