Citing the European Court of Justice’s (ECJ) October 6, 2015 decision in Schrems v. Data Protection Commissioner, which invalidated the EU Commission’s Safe Harbor decision, the Israeli Law, Information and Technology Authority (ILITA) announced, on October 19, 2015, that it was revoking its prior authorization of transfers of personal data from Israel to the United States based on the Safe Harbor Framework.
Israel is one of only 11 countries deemed by the EU Commission to have adequate safeguards in place to receive transfers of data from the European Union (EU) under the EU’s Data Protection Directive. (The other countries are Andorra, Argentina, Canada, Guernsey, Isle of Man, Jersey, New Zealand, Switzerland, Faroe Islands, and Uruguay. The United States, through the Safe Harbor Framework, was considered adequate prior to the Schrems decision.) Consequently, Israel permits transfers of personal data to the EU as a matter of course. Like the EU’s Data Protection Directive, Israel’s Privacy Protection Regulations restrict data transfers from Israel to third countries that have inadequate protections but allow transfers from Israel to (1) the EU, (2) other countries that the EU has deemed to have adequate protections, and (3) entities in otherwise inadequate countries that have adopted model contract clauses or binding corporate rules or that use other valid legal arrangements or derogations under the EU’s Data Protection Directive such as the U.S.-EU Safe Harbor Framework.
Because the legal basis of the Safe Harbor Framework was declared invalid in the Schrems decision, the ILITA announced that “organizations can no longer rely on [Safe Harbor] as a basis for the transfer of personal data from Israel to organizations in the United States.” The ILITA added that “database owners who are interested in transferring personal data from Israel to the United States are therefore required to assess whether they can legitimize the data transfers on one of the other derogations set forth in the [Israel Privacy Protection] Regulations.”
Fortunately, the derogations set forth in the regulations permit data transfers to otherwise inadequate countries if the data subject has consented to the transfer. Additionally, data may be transferred to a country “which receives data from Member States of the European Community, under the same terms of acceptance.” Thus, Israel will continue to recognize and permit data transfers to the United States based on EU-approved methods such as model contract clauses and binding corporate rules.
Meanwhile, the Schrems case moves forward. Before the matter reached the European Court of Justice, Austrian national Maximilian Schrems had brought a claim before the Irish Data Protection Commissioner (IDPC) alleging that transfers of his personal data by Facebook Ireland to the United States pursuant to the Safe Harbor Framework violated both EU and Irish data-protection law. The IDPC ruled that the European Commission’s Decision authorizing the Safe Harbor Framework prevented it from investigating Schrems’s claim. Schrems appealed this ruling to the High Court of Ireland, which in turn referred the matter to the ECJ. In addition to invalidating the European Commission decision authorizing the Safe Harbor Framework, the ECJ remanded the Schrems case to the High Court of Ireland to determine whether the IDPC should investigate Schrems’s claim.
On October 20, 2015, the High Court issued its decision in the remanded Schrems case and overturned the IDPC’s decision holding that it did not have authority to investigate Schrems’s claim. While the High Court did not order the IDPC to investigate Schrems’s claim, it described the Schrems case as being of “transcendent international importance.” Consequently, the IDPC’s investigation will now commence under section 10 of the Irish Data Protection Act (1988), which requires the IDPC to first arrange for the “amicable resolution” of Schrems’s complaint. If no such resolution occurs, the IDPC may “carry out or cause to be carried out such investigation as he or she considers appropriate in order to ensure compliance with the provisions of this Act . . . and to identify any contravention thereof.”
The IDPC’s investigation of this complaint will consider three issues. First, whether Schrems “has given his or her consent to the transfer” or whether the transfer was “necessary for the performance of a contract between the data subject and the data controller,” as required under the Irish Data Protection Act. If the answer to either is yes, then the prohibition on transfers outside the EU may not apply. The answer may turn on the terms and conditions to which Schrems agreed when he created a Facebook account.
Second, whether the United States “ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer” (European Communities (Data Protection) Regulations, 2001). The IDPC’s determination will be based on several factors including the nature of the data transferred, the purposes for which the data is processed, the laws in force in the United States, any security measures taken regarding the data in the United States, and the international obligations of the United States.
Third, depending on the answers to the first two issues, the IDPC can issue a notice prohibiting transfers by Facebook Ireland outside the EU after determining “whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data” (European Communities (Data Protection) Regulations, 2001).
Stay tuned for further developments.