By: Liav Shapira, Adv. (Israel) | Samson Morpurgo, Adv. (Israel) | Levi Sanders, Adv. (New York)
Max Schrems is back and has done it again. By striking down the EU-U.S. Privacy Shield framework, the mechanism by which personal data can be transferred out of the EEA (Schrems II), he has unintentionally given Israeli privacy advocates new hope in what seems like Israel's last chance to avoid the impending revocation of the European Commission's decision on the adequacy of data protection in Israel.
Seemingly fearing the negative momentum, the Israeli Ministry of Justice drafted and published this week its proposed amendments to the Israeli Privacy Act of 1981 (the last significant revision was back in 1996), bringing it a little closer to the GDPR's definitions, i.e. regarding 'Personal data'; 'Processing of personal data'; a database 'Controller'; 'Processor'; 'Biometric data' and 'Special categories of sensitive data'; and, no less significantly, narrowing down the database registration requirement.
The proposed amendments have arrived in a not-so-fashionably-late manner, over 13 years since similar recommendations were proposed in a report by the 'Shoffman committee'.
Better late than never, but is this too little and too late?
Some would argue that the current proposed amendments should have been much more comprehensive, and that the database registration requirement would be better off canceled altogether (instead of just narrowed down); perhaps we should have drafted a brand new, revamped digital privacy codex, befitting the "Start-up nation". Others would simply be thankful for this modest modification and the rare opportunity to pass it in a stable (as stable as it gets in Israel) legislating parliament, before it dissolves again ahead of another early round of elections.
Whether or not the modifications included in this proposal are sufficient, and assuming it passes early enough to save Israel's adequacy status, there's little doubt as to which crucial matters are missing: digital data use and its regulation (i.e., cookies and other digital trackers), the reasonableness of data anonymization methods, legitimate purposes for processing, and further processing for the greater good (i.e. health, research), etc.
Regrettably, none of these essential issues is currently regulated in Israel, nor do they receive even the slightest mention in the new proposal. However, while racing against time and seizing this rare opportunity in Israel, one should probably not be too greedy.
It should be noted that another round of amendments is looming around the corner: one that was served up back in 2018 but ultimately did not move forward because of, you guessed it, the early dissolution of the Israeli parliament. That proposal revolves mainly around the enforcement powers of the Israeli Privacy Protection Authority. Albeit essential on its own merits, it still leaves the scope of protection of Israel's privacy laws severely lacking.
That next round, if handled and amended properly, could be Israel's last chance in a long time to finally have its data protection laws catch up to its cyber-tech capabilities.
Will Israel miss another chance to miss a chance for a comprehensive change, or will the Israeli shoemaker be left walking barefoot?
Turning to the west, it’s too early to predict how U.S. regulatory and legislative bodies will react to Schrems II. Back when the Safe Harbor framework was invalidated in 2015 (Schrems I), the EU and the U.S. Department of Commerce negotiated and implemented, within less than a year, the Privacy Shield to address Safe Harbor’s issues. While the basic principles remained the same (companies self-declaring adherence to privacy principles), the main changes in Privacy Shield focused on individual EU citizen rights, third party transfers, stricter requirements for U.S. businesses, and robust restrictions on U.S. government access to personal data.
Will the turnaround be as seamless this time?
In the FAQ on Schrems II published July 23, 2020, by the European Data Protection Board (EDPB), the EDPB confirmed that the Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) are valid alternative frameworks for personal data transfer, and that there will be an evaluation of additional transfer mechanisms such as approved codes of conduct and certification mechanisms.
However, in contrast to the transition from Safe Harbor to Privacy Shield, during which organizations had a grace period to implement alternative data transfer mechanisms to adopt the Privacy Shield, there is currently no grace period.
This means that future transfers of personal data to the U.S. need to adhere to SCC or BCR and will be subject to a transfer adequacy assessment to determine appropriate safeguards, taking into account the circumstances of the transfers and supplementary measures. If such measures can’t be met, the personal data transfer must be suspended.
The EDPB is expected to provide further guidance on personal data transfers based on consent, contractual provisions, and public interests, subject to the strict necessity test.
The good news: a statement by European Commission Vice President for Values and Transparency Věra Jourová and Justice Commissioner Didier Reynders suggested that plans to modify the Privacy Shield to address the CJEU decision are already underway.
This means we can hope for another gradual step under a new framework. Unlike the EU with its GDPR, the U.S. lacks a federal-level data privacy and security law. On the state level, several states are introducing state legislation (notably, the CCPA, which came into effect in January 2020). Due to the lack of a robust legislative framework, it wouldn’t be unreasonable to expect another “tweak” to the Privacy Shield, repackaged as a new framework (which will probably have some dramatic name such as “Protector of the Digital Realm”).
Practically speaking, organizations currently transferring personal data from the EEA to the U.S. should seek alternative data transfer mechanisms such as those mentioned above. For instance, the day Schrems II was published, Salesforce announced that they will be relying on their Processor BCR and the European Commission’s SCC, both of which are already included in their Data Processing Addendum.