(1) Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.
(2)
The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(5)
The State of Israel’s legal system has no written constitution but constitutional status has been conferred on certain ‘Basic Laws’ by the Supreme Court of the State of Israel. Those ‘Basic Laws’ are complemented by a large body of case law, as the Israeli legal system adheres to a great extent to common law principles. The right to privacy is included in the ‘Basic Law: Human Dignity and Liberty’ under section 7.
(6)
The legal standards for the protection of personal data in the State of Israel are largely based on the standards set out in Directive 95/46/EC and are laid down in the Privacy Protection Act 5741-1981, lastly amended in 2007 in order to establish new processing requirements for personal data and the detailed organization of the supervisory authority.
(9)
The legal data protection standards applicable in the State of Israel cover all the basic principles necessary for an adequate level of protection for natural persons in relation to the processing of personal data in automated databases. Chapter 2 of Privacy Protection Act 5741-1981, which lays down the principles for the processing of personal data, does not apply to the processing of personal data in non-automated databases (manual databases).
(12)
The State of Israel should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC with regard to automated international transfers of personal data from the European Union to the State of Israel or, where those transfers are not automated, they are subject to further automated processing in the State of Israel. Conversely, international transfers of personal data from the EU to the State of Israel whereby the transfer itself as well as the subsequent data processing is carried out exclusively through non-automated means should not be covered by this Decision.
(13)
In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(14)
The adequacy findings pertaining to this Decision refer to the State of Israel, as defined in accordance with international law. Further onward transfers to a recipient outside the State of Israel, as defined in accordance with international law, should be considered as transfers of personal data to a third country.
(15)
The Working Party on the protection of individuals with regard to the processing of personal data established under Article 29 of Directive 95/46/EC has delivered a favourable opinion on the level of adequacy as regards protection of personal data in relation to automated international transfers of personal data from the European Union or, whether they are non-automated they are subject to further automated processing in the State of Israel. In its favourable opinion, the Working Party has encouraged the Israeli authorities to adopt further provisions which extend the application of Israeli legislation to manual databases, which expressly recognise the application of the proportionality principle to personal data processing in the private sector and which interpret the exemptions in international data transfers as in accordance with the criteria set out in its ‘Working document on a common interpretation of Article 26(1) of Directive 95/46/EC’ (2). This opinion has been taken into account in the preparation of this Decision (3).
1. For the purposes of Article 25(2) of Directive 95/46/EC, the State of Israel is considered as providing an adequate level of protection for personal data transferred from the European Union in relation to automated international transfers of personal data from the European Union or, where they are not automated, they are subject to further automated processing in the State of Israel.
2. The competent supervisory authority of the State of Israel for the application of the legal data protection standards in the State of Israel is the ‘Israeli Law, Information and Technology Authority (ILITA)’, referred to in the Annex to this Decision.
1. This Decision concerns only the adequacy of protection provided in the State of Israel, as defined in accordance with international law, with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in the State of Israel in order to protect individuals with regard to the processing of their personal data in the following cases:
(b)
where there is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent Israeli authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in the State of Israel with notice and an opportunity to respond.
2. The suspension shall cease as soon as the standards of protection are assured and the competent authority of the Member States concerned is notified thereof.
1. Member States shall inform the Commission without delay when measures are adopted on the basis of Article 3.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in the State of Israel fails to secure such compliance.
3. If the information collected under Article 3 and under paragraphs 1 and 2 of this Article provides evidence that any body responsible for ensuring compliance with the standards of protection in the State of Israel is not effectively fulfilling its role, the Commission shall inform the competent Israeli authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision, that protection in the State of Israel is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way. In particular, it shall monitor the processing of personal data in manual databases.
Member States shall take all the measures necessary to comply with the Decision within three months of the date of its notification.
This Decision is addressed to the Member States.
Done at Brussels, 31 January 2011.