The European Data Protection Directive 95/46/EC contains certain restrictions on the export of personal data to a country outside the European Economic Area (“third country”). Whether personal data may be transferred from the EU to a data importer located in a third country has to be assessed on the basis of a two-step test. First, the transfer must be justified on the basis of an explicit legal permission or the data subjects’ consent. Second, the third country where the data importer is located must ensure an adequate level of data protection.
With decision of 31 January 2011 (2011/61/EU), Israel – in addition to Argentina, Canada, Guernsey, Isle of Man and Switzerland – has now formally been recognized by the European Commission as a country which provides an adequate level of protection of personal data. The Israeli Law, Information and Technology Authority ("ILITA") will be the responsible supervisory authority.
Without such formal recognition a data transfer to a third country may only take place on specific conditions or where additional adequate safeguards are adduced (e.g. the conclusion of an appropriate transfer agreement based on the EU standard contractual clauses for the transfer of personal data to third countries).
Against this background, Israel’s formal recognition by the European Commission as a country providing an adequate level of data protection will help to reduce legal uncertainties and administrative efforts. However, before transferring data from the EU to Israel, data exporters should still be aware that the formal recognition only fulfills the second prerequisite of the two-step test outlined above. In any case, the data transfer itself requires a legal justification.
The EU Commission’s decision is available at the Commission’s website.