High achievers such as Stanford law students and global privacy leaders don't usually revel in being called "adequate". But the European Commission's decision yesterday affirming Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive is a major legal and economic success for Israel. It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel for storage and processing. It will help Israeli start-ups and tech companies in data-rich industries such as ICT, data security and personalized medicine. Yet it emphasizes the shortcomings of the EU adequacy framework, which is at increasing risk of unraveling.
The European Data Protection Directive restricts transfers of personal data from the EU to any third country unless that country is approved as "adequate" or the data transferor complies with cumbersome contractual or organizational measures with exotic names like "Controller to Processor Model Clauses" or "BCR". The rationale is straightforward: data are easily and costlessly zipped across the globe, so EU privacy laws would easily be circumvented if companies were permitted to transfer data to servers in Bermuda or the Cayman Islands. Hence the need for approval of the laws of the transferee jurisdiction as "adequate". The problem is that since the implementation of the adequacy framework in 1995, only the following countries have been deemed adequate: Argentina, Canada (private sector only), Andorra, Switzerland, Faeroe Islands, Isle of Man and Jersey. A separate arrangement governs data transfers from the EU to the U.S. under the Safe Harbor framework. An adequacy framework whereby hardly any country is adequate is clearly inadequate to address the ubiquity of international data transfers in a global economy.
The Commission's decision on Israel is the culmination of a three-and-a-half-year process, which included an examination of Israel’s laws, regulations and data protection enforcement. It marks a departure from the Commission's one-time approach equating adequacy with identity. Israeli law is not entirely identical to EU law. The Israeli supervisory authority is not fully independent in the European sense, as it is a part of the Ministry of Justice. The definitions of the terms “personal data”, “sensitive data” and “database” deviate from those in the EU Directive. And yet Israel’s regime was recognized as “adequate”. However, this move may have come too late, given that with the rejection of the US and Australia, the adequacy framework has already lost much credence.
An additional problem concerns onward data transfers. Israeli law has been rather lax on cross-border data transfers. As far as I know, there has not been a single enforcement action by Israel's data protection regulator under the Cross Border Data Transfer Regulations. As we all know, a chain is only as strong as its weakest link. Israel must now ensure - and European regulators verify - that it does not become a “springboard” for onward transfers to third countries without adequate data protection. All eyes will be on Israel’s data protection regulator to tighten controls over data transfers abroad to prevent breach of Euro zone protections.