Data Residency in Israel: Privacy Protection Law and Adequacy Status
Understand Israel's Privacy Protection Law, EU adequacy status, and cross-border data transfer rules for compliance.
Introduction
Israel occupies a unique position in the global data protection landscape. As one of the few non-European countries to hold EU adequacy status, Israel benefits from free data flows with the EU/EEA while maintaining its own independent privacy framework under the Privacy Protection Law (PPL) of 1981. With a thriving technology sector and significant international data flows, understanding Israel's data residency requirements is essential for organizations operating in this market.
Overview of Israel's Privacy Framework
The Privacy Protection Law (PPL)
Israel's Privacy Protection Law, 5741-1981, is the foundational privacy legislation. While enacted decades ago, it has been supplemented by regulations and guidelines that keep it relevant in the modern data processing environment.
Key Regulations
- Privacy Protection Regulations (Data Security), 5777-2017: Comprehensive data security requirements that took effect in May 2018
- Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001: Rules governing cross-border data transfers
- Privacy Protection Authority (PPA) Guidelines: Interpretive guidance on various aspects of the PPL
The Privacy Protection Authority
The PPA (formerly known as the Israeli Law, Information and Technology Authority, or ILITA) serves as Israel's data protection regulator. Its functions include:
- Supervising compliance with the PPL and regulations
- Investigating complaints
- Issuing guidance and recommendations
- Registering databases
- Conducting audits and inspections
Key Definitions
- Database: A collection of data stored on a medium and intended for computer processing (Israel's privacy law is database-centric rather than processing-centric)
- Database Manager: The person who determines the purposes and means of data processing
- Database Owner: The entity that owns the database
- Sensitive Data: Data on personality, intimate affairs, health, financial status, opinions, and beliefs
- Database Registrar: The PPA official responsible for maintaining the database registry
Database Registration
One of Israel's distinctive features is its database registration requirement. Databases must be registered with the Database Registrar if they meet certain criteria:
| Database Type | Registration Required |
|---|---|
| Databases with more than 10,000 data subjects | Yes |
| Databases containing sensitive information | Yes |
| Databases used for direct mailing services | Yes |
| Public body databases | Yes |
| Databases managed by a body corporate for purposes other than its own business needs | Yes |
Registration Information
The registration must include:
- Name and purpose of the database
- Types of data held
- Categories of data subjects
- Identity of the database owner and manager
- Details of data transfers, including cross-border transfers
- Security measures
Cross-Border Data Transfer Rules
Israel's cross-border transfer regulations were updated in 2001 and continue to govern international data flows.
General Rule
Transfer of data from a database in Israel to a person outside Israel is permitted if the destination country provides a level of protection that is no less than the level of protection under Israeli law.
Transfer Conditions
Data may be transferred abroad when:
- The data subject has given consent to the transfer
- The transfer is made pursuant to a law that permits or requires such transfer
- The transfer is necessary for the performance of a contract between the data subject and the database owner/manager
- The transfer is necessary for urgent medical care
- The transfer is to a corporation that is part of the same corporate group, subject to adequate internal data protection policies
- The destination country has data protection laws ensuring a level of protection no less than Israeli law
- The transfer is pursuant to standard contractual clauses or binding corporate rules approved by the PPA
EU Adequacy and Its Implications
Israel was granted EU adequacy status in 2011, which means:
- Personal data can flow freely from the EU/EEA to Israel
- Israel is recognized as providing an adequate level of data protection
- This status is subject to periodic review by the European Commission
The adequacy status is particularly important for Israel's technology sector, which frequently processes EU personal data.
Maintaining Adequacy
Israel has been actively modernizing its privacy framework partly to maintain EU adequacy status. Key efforts include:
- Strengthening enforcement powers of the PPA
- Updating data security regulations
- Enhancing data subject rights
- Aligning with international data protection standards
Data Security Regulations
The Privacy Protection Regulations (Data Security) of 2017 introduced detailed security requirements based on the sensitivity and volume of data:
Security Levels
| Level | Criteria | Key Requirements |
|---|---|---|
| Basic | Databases managed by an individual for personal or domestic purposes | Minimum security measures |
| Medium | Databases of up to 100,000 data subjects without sensitive data | Written security procedures, access controls, periodic reviews |
| High | Databases with sensitive data, more than 100,000 subjects, or internet-accessible | Comprehensive security program, DPO appointment, annual audits, penetration testing |
Key Security Requirements (Medium and High)
- Written information security procedures
- Appointment of a person responsible for data security
- Mapping of all database systems and data flows
- Access control mechanisms
- Encryption requirements for data in transit and at rest
- Physical security measures
- Employee training
- Incident response procedures
- Regular audits and reviews
Rights of Data Subjects
Israeli law grants individuals several rights regarding their personal data:
- Right of Inspection: Request to view data held about them in a database
- Right of Correction: Request correction of inaccurate data
- Right to Deletion: Request deletion of data in certain circumstances
- Right to Refuse: Object to the use of data for direct marketing
- Right to Compensation: Claim damages for violations of the PPL
Exercising Rights
- Requests must be submitted in writing to the database manager
- The database manager must respond within 30 days
- If the request is refused, the data subject may apply to a magistrates' court
Proposed PPL Reforms
Israel has been considering significant reforms to its privacy framework:
Key Proposed Changes
- Broader scope beyond the database-centric model
- Enhanced individual rights aligned with modern standards
- Stronger enforcement powers for the PPA
- Updated cross-border transfer mechanisms
- Mandatory breach notification requirements
- Higher penalties for violations
- Alignment with GDPR concepts where appropriate
These reforms are partly motivated by the need to maintain EU adequacy status and to address the realities of modern data processing.
Sector-Specific Considerations
Technology Sector
Israel's thriving tech sector processes significant volumes of international data:
- Cloud service providers must comply with data security regulations
- Cybersecurity companies handling customer data face specific obligations
- AI and machine learning processing must comply with PPL principles
Financial Services
- The Bank of Israel and the Capital Markets Authority have additional requirements
- Payment data is subject to PCI DSS standards alongside PPL requirements
- Anti-money laundering regulations affect data retention
Healthcare
- Health data is classified as sensitive
- Additional protections under the Patient Rights Law
- Clinical trial data has specific handling requirements
- The Ministry of Health oversees health data practices
Defense and Security
- National security data has specific handling requirements
- Defense-related data may be exempt from certain PPL provisions
- Government security databases have unique rules
Practical Compliance Steps
Step 1: Determine Database Registration Requirements
Assess whether your databases require registration:
- Count the number of data subjects
- Identify whether sensitive data is stored
- Determine if the database is used for direct mailing
Step 2: Classify Security Levels
Determine the appropriate security level for each database and implement the corresponding measures.
Step 3: Review Cross-Border Transfers
Audit all international data transfers:
- Verify the adequacy of protection in destination countries
- Implement appropriate transfer mechanisms
- Document the legal basis for each transfer
Step 4: Implement Data Security Measures
Deploy security measures appropriate to the database classification level.
Step 5: Monitor Reform Developments
Stay informed about proposed PPL reforms and prepare for potential new requirements.
How GlobalDataShield Supports Israeli Compliance
Israel's position as a technology hub with EU adequacy status creates unique data residency opportunities and obligations. GlobalDataShield enables organizations to manage data residency across Israeli and international infrastructure, leveraging Israel's adequacy status for EU data flows while maintaining the security controls and documentation that the PPL's data security regulations require.
Conclusion
Israel's privacy framework combines a longstanding privacy law with modern data security regulations and EU adequacy status. While the database-centric approach of the PPL is distinctive, ongoing reform efforts are modernizing the framework. Organizations processing personal data in Israel should focus on database registration, security regulation compliance, and maintaining robust cross-border transfer mechanisms, while preparing for anticipated legislative updates.
Ready to Solve Data Residency?
Get started with GlobalDataShield - compliant document hosting, ready when you are.