The newly introduced agreement on the new framework for the transatlantic data flows – the Privacy Shield, is probably not a reason for celebration at the moment.
It is a joint effort of the US and the EU to meet the Article 29 Working Party's deadline from October 16 last year.
However, it is yet to go through the EU regulators' scrutiny within the next two months, with an unclear outcome, as they already expressed their concerns about the US legal framework, especially regarding the scope of surveillance and remedies available to individuals.
The fate of the Privacy Shield is also questionable because many US companies have already adapted to the EU Model Contract Clauses, and they will use the Privacy Shield framework only if it will serve better their interests.
It seems that although there is still unease with the post Schrems situation, companies from both sides of the ocean manage to get along without the Safe Harbor and Privacy Shield frameworks.
Transferring Personal Data from Israel to Other Countries is a Different Ballgame.
Cloud based services and other data processing services should be aware that the Model Contract Clauses do not apply under Israeli law.
Israeli clients are facing other requirements under local law, essentially encompassing three substantial sets of laws and regulations:
- The 2001 Regulations for the transfer of data from data bases in Israel abroad;
- Requirements from "Holders" of data bases, pursuant to the 1981 Protection of Privacy Act;
- The 2011 Data Bases Registrar's Guidelines on the Outsourcing of Personal Data Processing.
The contractual requirements under the combined law provisions and regulations resemble the Model Contract Clauses only in part. Pursuant to these requirements, an Israeli customer may ask its service providers to provide the following contractual assurances –
- Guarantees, such as insurance, liquidated damages, bank guarantees and indemnification;
- The provider will need to provide the necessary assistance to the customer in registering the provider as a "Database Holder", pursuant to the data base registration requirements under Israeli law, and further assist with any related procedures which the local regulator may initiate;
- The provider will provide the customer an immediate notice of a data breach; and,
- The provider will submit the providers' systems to audits without prior notice.
International companies with subsidiaries or offices in Israel and web-based service providers with Israeli corporations as customers, should get acquainted with and be prepared to address the necessary considerations under Israeli law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.