Israel Piles on Against U.S.-EU Data Safe Harbor

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jenny David

Oct. 22 — Israel's data protection authority Oct. 19 revoked its prior authorization for data transfers from Israel to the U.S. based on the U.S-EU Safe Harbor Program certification.

The move by the Israeli Law, Information and Technology Authority (ILITA) comes in the wake of the Oct. 6 European Court of Justice decision to invalidate the Safe Harbor Program.

Consequently, Israeli companies will need to find an alternative legal basis for transferring personal data to the U.S., and could experience an “uncomfortable transition period,” Limor Shmerling, ILITA's director of licensing and inspection, told Bloomberg BNA Oct. 21.

“It's too early to tell how the market will be affected and how practices may need to be changed,” she said, adding that the authority is “considering the implications of the new legal status and will further address the subject accordingly.”

According to a statement by the U.S.-based International Association of Privacy Professionals (IAPP), “the decision could pose a significant barrier to data flow from Israel's surging technology sector,” including large local operations of multinationals such as Intel Corp., Microsoft Corp., Google Inc., Facebook Inc. and Hewlett-Packard Co., as well as Israeli “unicorns” such as Waze, Wix and ironSource.

Israel's Privacy Protection Law states that a citizen's personal data cannot be exported to a country with a lesser level of protection than that guaranteed by Israel. The 2001 law does, however, include ten derogations under which Israeli companies can self-assess whether a data transfer to an overseas country could be considered “safe.”

Uncut the Legal Basis for Transfers

The European Court of Justice held that the U.S.-EU Safe Harbor Program failed to provide adequate protection for EU citizens.

“Since the Safe Harbor arrangement is currently invalid under European law, and as long as there is no other valid arrangement or another formal decision of the European Union (EU) with respect to the transfer of data from Europe to destinations in the United States, database owners who wish to transfer personal data from Israel to entities in the United States are therefore required to assess whether they can base the data transfer on another of the derogations determined in the regulations,“ the ILITA said in its decision.

The EU's recognition of U.S. Safe Harbor certification, combined with its 2011 granting of “adequacy” status to Israel under the EU Data Protection Directive, allowed personal data to flow freely between the EU and Israel, and on to U.S. companies on the Safe Harbor certification list.

The Safe Harbor system has been widely used to legitimize the outsourcing of services by EU-based companies and their commercial partners to U.S.-based cloud or software-as-a service (SAAS) providers, and to facilitate intra-group data-sharing among entities with both U.S. and EU operations

But the ECJ held that Safe Harbor doesn't in fact provide an adequate level of data protection because it is unable to prevent access by U.S. intelligence agencies to data transferred from Europe, and is therefore invalid.

The ruling undercut the legal basis for such transfers, and subjected data transfers to the U.S. to the same restrictions placed on transfers to non-EU-member states, and countries that don't have a valid legal arrangement for the receipt of data originating in the EU.

The Yigal Arnon & Co. Law Firm, one of Israel's largest and oldest, said the invalidation could actually create an opportunity for Israeli companies. Since the European Commission's 2011 decision remains in effect, the ECJ decision “may therefore create a competitive advantage to companies conducting processing or storage activities in Israel, as these companies can continue to receive data from Europe without the uncertainty now inherent in EU-US data transfers,” it said in an Oct. 6 statement.

It added, however, that current Israeli business models could be affected, including Israeli companies with European affiliates that previously relied on the Safe Harbor arrangement to transfer data to the U.S., as well as Israeli companies outsourcing storage or processing activities to U.S. service providers or affiliates that include information on European customers, in which case they may need to amend their customer agreements to include authorization for the transfers.

To contact the reporter on this story: Jenny David in Jerusalem at

To contact the editor responsible for this story: Jimmy H. Koo at