What is an Adequacy Decision?
The Adequacy status was initially granted to Israel in 2011. This status may be granted to a country that is not a member of the European Union, following an in-depth examination conducted by the European Commission. In the course of such examination, the European Commission reviews and inspects the local data protection law and regulatory data protection and privacy practices to ensure that the examined country offers adequate safeguards to personal data related to individuals in the EU.
Adequacy Decision as a Transfer Mechanism set forth in Chapter V of the GDPR
Chapter V of Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”) details the requirements that apply to personal data transfers from the EU abroad. These requirements include implementing suitable safeguards to assure that personal data that is exported from the EU remains protected. Such safeguards include implementing various mechanisms, such as contractual mechanisms (Standard Contractual Clauses), regulatory approval mechanisms, and organizational mechanisms, all for the protection of exported personal data. Article 45 of the GDPR addresses data transfers on the basis of an Adequacy Decision and states that where such status is granted to a country outside the EU, no additional transfer mechanism will be required for the execution of lawful data transfer under the GDPR.
Efforts have been Worthwhile – Israel’s Adequacy Decision was Reaffirmed
When the GDPR came into effect, the European Commission initiated a reexamination of the status recognition provided to all “adequate” countries, including Israel. After finalizing this process, the European Commission published its report (“Report”) on the functioning of the adopted adequacy decisions where it reaffirmed Israel’s Adequacy Decision alongside additional countries.
The European Commission’s decision, with respect to Israel’s status, was consequent to a comprehensive examination that was conducted with the support of the Israeli Protection of Privacy Authority (“PPA”) and the Office of Legal Counsel and Legislative Affairs. The process included a review of Israel’s legal data protection regime and the specific safeguards implemented to reinforce the protection of personal data transferred from the European Economic Area (“EEA”). Such safeguards include the consolidation of the PPA’s independence in a binding Government Resolution, the introduction of the Privacy Protection Bill (Amendment No. 14), 5722-2022, that offers an opportunity to consolidate and codify data protection developments, as well as promotes enforcement, and various guidelines published by the PPA, designed to bridge the gap for compliance with EU data protection law.
In its Report, the European Commission also acknowledged the adoption of the Privacy Protection (Data Security) Regulations, 5777-2017, that strengthened the requirements for data security as well as the Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023, that are specifically designed to assure the protection of personal data transferred to Israel from the EEA.
What does the “Adequacy” Status Mean in Practice?
The result of the European Commission’s reaffirmation of Israel’s Adequacy Decision means that businesses that operate in the Israeli market, may transfer personal data from the EEA to Israel in a manner that does not require them to implement any additional contractual or regulatory mechanisms. The PPA stated on the matter, that this recognition is significant to the Israeli market and economy, as it facilitates data flow from the EU to Israel and reduces the legal and regulatory requirements that may apply to Israeli entities receiving personal data originating from the EU.
Indeed, the PPA states that the fact that Israel was deemed adequate again, which made certain transfer mechanisms non-applicable, may reduce resources and costs for Israeli organizations. Nonetheless, from a commercial perspective, it is important to understand that the operational practices of many Israeli organizations that process personal data, may include sharing personal data with entities located outside of Israel and the EU, such as suppliers, business partners and affiliates. When these data-sharing practices are performed, and data transfers are executed outside of Israel and the EU, such organizations will have to review their practices according to the Protection of Privacy Regulations (Transfer of Data to Databases Outside of Israel), 2001, and in some cases Chapter V of the GDPR.
We will be happy to assist with any question regarding the data transfer practices relevant to your organization and, in case required, advise on the appropriate transfer mechanism.
We are at your service for any questions or clarifications via email or phone at 03-370-5000
With regards,
Cyber, Data Protection & Privacy Department
Shibolet & Co.
The information in this update is provided solely as general information and may not be relied upon for any individual instances without further legal consultation.