Since 2011, Israel has been recognized by the European Union as a country with adequate level of protection of personal data. This "binding adequacy decision" has enabled many Israeli technology companies to provide their services in Europe with relative ease. Israel is one of 13 non-EU countries that have received this recognition. Among them are Canada, Argentina, New Zealand and Japan. But that may soon change.
As part of the provisions of the European General Data Protection Regulation (GDPR), the EU is currently re-examining the status of the recognized countries, including Israel. Privacy experts warn that while many countries have made progress in their privacy legislation, Israel has lagged behind, which could cost it dearly. They say that Israel's outdated privacy laws, several recent laws and regulations that contravene data privacy principles, internal security policies, as well as General Security Services (GSS) location tracking, are all likely to undo EU recognition and set back data transfer between Israel and Europe by a decade.
"Only Israel has stagnated"
Prof. Michael D. Birnhack, a lecturer in the Faculty of Law at Tel Aviv University, was a consultant to the EU and was involved in the recognition process for Israel about a decade ago. "Many countries have amended their policies in recent years and they all see GDPR as the most advanced privacy mechanism, while only Israel has stagnated."
Birnhack adds that, from the outset, "EU recognition relied on the Israeli government’s statement that it would amend some things in the legislation. But to this day it hasn’t made these amendments. Two years ago, new data protection regulations came into force in Israel, but these were regulations, not legislation. There are still many things that Europe has and we don’t," he says. "For example, the right to be forgotten, a citizen's right to withdraw consent given to process their personal information, and a formal requirement that companies present a legitimate purpose for the collection of information."
"The Privacy Protection Authority has proved weak"
Dr. Tehila Schwartz-Altshuler, a senior researcher at the Israel Democracy Institute, says that Israel has made no progress in privacy legislation for three reasons: the Israel’s Privacy Protection Authority's steady decline in status over the past decade; problems with the Israeli legislation amendment model; and the state's lack of understanding of the vast importance of privacy in today’s data-driven world.
"This is a tragic story of a government authority that failed to realize its potential. And it's really tragic, because over the last decade, privacy has become an important issue in all areas - in medicine, finance, facial recognition, and voting applications," she says.
"Today, the authority can file criminal cases, but it does not have the ability to impose administrative fines. There is a legislative amendment to the powers of private protection authorities that deals with the power to impose fines, called Amendment 13, and it has been stalled in the Knesset for 10 years. Meanwhile, other authorities have moved ahead of the Privacy Protection Authority. The Consumer Protection Authority was given the power to impose fines two years ago. Why wasn’t the Privacy Protection Authority? "There was a lack of political pressure from someone with teeth capable of pushing this matter through," she adds. "The authority has not been headed by anyone strong over the years, and in the past year and a half there has been a freeze on all public authority appointments. The Privacy Protection Authority has emerged as weak because it has been unable to look out for itself and therefore it lacks the power to help others."
This situation is due to both the reason mentioned of the people involved and to the Ministry of Justice’s lack of understanding of the importance of this issue. "Since GDPR, many countries in recent years have been updating their privacy laws for compliance with Europe, both in the West and in Asian democratic countries, like Taiwan and South Korea. In the US, in California, a new privacy law has been passed, and two federal bills have been submitted to Congress - one by the Democrats and one by the Republicans. Meaning, there is an across-the-board understanding that an update is needed. In Israel, to this day, there isn’t even a draft amendment, we haven’t even seen a text."
Very hard to pass legislation in Israel
This approach has left the State of Israel with an outdated law that does not address significant issues of privacy today. For example, the law refers to the collection and publication of data - such as whether it is permissible to make secret recordings or photograph inside a person's home, and whether it is permissible to publish this information. The law does not at all address data processing, however, which is the foundation of any technology business today. Another example is the right to a class action by consumers affected by leaks of personal data, such as Israelis who were damaged by the Cambridge Analytica affair.
In addition, Shwartz-Altshuler describes a cumbersome mechanism delaying legislative amendments in every field in Israel: "Over the past few years, I’ve led a team of experts, and we drafted an updated privacy bill, but it is very difficult to pass legislation in Israel. In this sense, the right to privacy is an example that illustrates a much more problematic phenomenon," she says. "If it was up to the Privacy Protection Authority, it would promote legislative amendments. But then the Department of Justice's Advisory and Legislation Department - which is a well-known bottleneck when it comes to legislative amendments - comes along to say it has no resources to allocate and to wait another year or two."
Privacy protection expert Adv. Haim Ravia, of law firm Pearl Cohen Zedek Latzer Baratz, believes that not only has Israel not progressed enough in terms of privacy, it has actually regressed: "The country has gone backwards since the agreements with Europe were signed. It did not fulfill its commitment to Europe to add enforcement powers to the Privacy Protection Authority; Israel has not updated its outdated 1981 law; and Israel has enacted a series of laws that massively infringe on privacy: the Biometric Database Law, the Communications Data Law, and the Credit Data Law. Each of these transfers to the state very intimate information about every one of us."
As part of the EU’s review, Israel’s Ministry of Justice submitted a report outlining the country's privacy policy; the EU is expected to formulate its decision based on this report. The report was submitted in 2017 and, to date, has remained undisclosed. It is supposed to provide the EU with evidence that Israel’s privacy laws comply with the European Union principles, and that the free transmission of European citizens’ data to Israel will therefore not violate their rights.
According to a source involved in the contacts between Israel and the EU in this matter, Israel probably cannot meet the EU's requirements, but is doing everything in its power to present itself within the report as if it does meet them. The same source believes that this is why the document is considered sensitive: if disclosed, it could arouse criticisms that would give rise to questions on the part of the EU.
The European approach: Legislative colonialism
The calls by experts for Israel to come into line with European law are not a simple matter, and they themselves point to the difficulty. They argue that the EU legislation has within it a colonialist element, one that imposes the European model on other countries of the world.
"Why should we care what Europe says? Why does Europe think it has this right? There is considerable element of colonialism here," says Shwartz-Altshuler. "But even if it is colonialism, given the situation, the State of Israel cannot afford to lose its alignment with Europe. It would cause great damage to Israel, especially to small companies and start-ups and to academic research. The big companies will hire good lawyers and fully adapt to GDPR, but small companies and researchers in academic institutions won’t have the money to do that.
"Another thing is that because of the restrictions in Europe, if Israel does not get this approval, it could become Europe's backyard for data experiments. If Europe has restrictions on the use of private data, then international companies will come here, saying ‘We want to do experiments and research on the data of Israelis, because it’s allowed here while in Europe it’s forbidden.' We Israelis have the right to protection of our privacy, regardless of Europe. Europe is the current gold standard for privacy protection; we deserve to be protected as in Europe."
"It’s clear that the recognition made things much easier for small and medium-sized businesses. I’m less worried about the big businesses because, for the most part, they employ people who specialize in this issue and have the financial ability to pay for it," Birnhack concurs, adding that beyond the anticipated economic price to pay, should Israel lose its EU recognition, there is also a geopolitical cost. "If they deny us recognition, it will also have a political price. The Israeli government requested recognition from the European Union in 2008 - if it’s rescinded, this would be a fiasco on an international level."
"How did Israel get adequacy in the first place?"
In a live webinar last week for several hundred participants, Ireland's Data Protection Commissioner Helen Dixon chose to stop the discussion on encrypting private data, and addressed a question from the audience: "Someone has asked 'How did Israel get adequacy in the first place?''' Dixon laughed and said, "Well… yeah. Also a good question."
Although a laconic statment on the matter, it is significant coming from the Data Protection Commissioner for Ireland - a country where the headquarters of most of the major American technology companies are located.
The discussion followed a ruling by the European Court of Justice last week on the EU’s data transfer agreement with the United States. The results of the ruling will be taken into account when the EU examines other existing agreements - including with Israel.
In recent years, the United States' position vis-à-vis Europe on privacy issues has been based on the "Privacy Shield" agreement, which replaced the Safe Harbor Agreement. The agreement allowed American companies to voluntarily submit to European privacy laws and thus transmit data freely from the country. In 2015, Max Schrems, a lawyer and human rights activist, challenged the legality of this agreement, following the revelations of Edward Snowden. Snowden revealed that US intelligence agencies can actually gain access to data stored on US servers, including on European citizens.
After years of deliberations, last week, the European Court of Justice ruled that US domestic security policy violated EU privacy regulations and endangered the privacy of European citizens, thus revoking US status as a partner in the transmission of private information from Europe.
"A particularly worrisome signal for Israel"
Over the weekend, privacy and legal experts sent a letter to Attorney General Dr. Avichai Mandelblit and Justice Minister Avi Nissenkorn, as well as to the Foreign Affairs and Defense Committee, in which they warned that Israel could face a similar fate.
They wrote that Israel must promote new privacy legislation to replace the existing law from 1981, and cancel the GSS’s power to monitor civilians, in order to maintain its status as a country recognized by the EU as a privacy protector.
"Israel's economy, and the smooth running of organizations, government and research institutions, depend on the free movement of personal information. Damage to their activities, along with the already acute economic crisis prevailing in Israel, may bring with it dire and unexpected results," they wrote. Among the signatories to the letter: Adv. Naama Matarasso, an expert in law and privacy, Prof. Birnhack, Dr. Orna Berry, Adv. Yoram Hacohen, Prof. Karine Nahon, Adv. Ravia and Dr. Shwartz-Altshuler.
According to Birnhack, the ruling on the agreement with the US is a "particularly worrisome signal for Israel." In his words, "If European data are transferred to Israel, the question arises whether security agencies in Israel can have access to this information, in what form and whether this is proportionate. "We warned the Minister of Justice and, in another letter, the Foreign Affairs and Defense Committee,, to take note that GSS monitoring because of the coronavirus, aside from all the other problems associated with it, could complicate our EU recognition status."
According to Ravia, who is also among the signatories, "GSS surveillance within the framework of supporting the fight against coronavirus, is not only serious in itself, it has also uncovered the fact that the GSS is constantly tracking every one of us using a database nicknamed, 'The Tool'.
"We see that in Europe, legislation on national security, etc. is being examined in each country in order to determine its adequacy. Europe does a huge amount of trade with the US, far more than with Israel, and yet the EU authorities didn’t hesitate to cancel the arrangement with the US."
Disclosure: Dr. Tehila Shwartz-Altshuler is the author of the "Globes" Code of Ethics.
Published by Globes, Israel business news - en.globes.co.il - on July 23, 2020
© Copyright of Globes Publisher Itonut (1983) Ltd. 2020