Below please find our July 2020 alert regarding the invalidation of the EU-US Privacy Shield Framework by the European Court of Justice.
As we anticipated in our prior guidance, the Israeli Privacy Protection Authority has confirmed that Privacy Shield self-certification can no longer serve as a valid legal basis for data exports from Israel to the US.
Entities that previously relied on the Privacy Shield self-certification of US-based data recipients to establish a legal basis for data exports from databases subject to Israeli law will need to find an alternate legal basis to support such data exports.
The full text of the Privacy Protection Authority's guidance can be found here.
On July 16, 2020, in a landmark decision, the European Court of Justice invalidated the European Union (EU)-United States (US) Privacy Shield Framework. The EU-US Privacy Shield Framework allowed US companies to self-certify to comply with more stringent EU privacy and data protection standards, and thus served as the basis to legitimize transfer of personal data of EU individuals to certified recipients in the US. The Privacy Shield mechanism was used by thousands of companies to legitimize such transfers. The framework was challenged by Max Schrems, an Austrian lawyer and privacy activist, who claimed that US law does not provide for adequate protection of personal data. As the decision to invalidate the Privacy Shield Framework cannot be appealed, the Privacy Shield Framework is no longer valid.
The invalidation of Privacy Shield has significant consequences for organizations operating in Israel, as described below.
The EU's General Data Protection Regulation (GDPR) restricts the export of personal data to countries outside of the European Economic Area (EEA) unless certain mechanisms are implemented. Personal data can be transferred freely to a jurisdiction certified by the European Commission as having an 'adequate' level of protection for personal data. Israel, for example, appears on the EU's 'white list' of countries certified as adequate.
Though the EU has not designated the US as having an adequate level of protection for personal data, the Privacy Shield Framework allowed data recipients in the US to self-certify and undertake to comply with a higher level of protection than is generally required by US law. Privacy Shield allowed for the export of data of EU data subjects to certified entities without the need to satisfy additional procedural hurdles, for example, use of Standard Contractual Clauses.
Relevance to Israeli Organizations
The invalidation of the Privacy Shield Framework may be relevant to Israel-based organizations in a number of ways.
Organizations that are affected by the ruling, whether directly or indirectly, should review their data transfer practices, as well as their relationship with service providers and business partners in the US. While the Privacy Shield Framework has been invalidated, the European Court of Justice did confirm the use of the Standard Contractual Clauses to allow for cross-border transfers. It should be noted, however, that when using the Standard Contractual Clauses, the burden is placed on the 'controller' exporting data out of the EEA to review the law in the recipient country to ensure that it is adequate and to institute additional data protection mechanisms as needed in order to ensure that personal data is properly safeguarded. It may take some time for companies to adapt their businesses in light of this decision; however, it is imperative for organizations to commence such efforts.
Clients interested in reviewing their practices and adapting those in accordance with the new ruling are urged to contact our privacy team - Yoheved Novogroder-Shoshan (YohevedN@arnon.co.il), Netanella Treistman (NetanellaT@arnon.co.il) or Miriam Friedmann (MiriamF@arnon.co.il).
This memo is intended to serve as a general overview and does not constitute a replacement for legal counsel on the matters discussed herein.