On April 14, 2016 the EU Parliament approved a major new legislative development on data protection - the General Data Protection Regulation (the 'GDPR'). As a Regulation, this new EU legislation applies directly in each EU member State without the need for that State to adopt it by internal legislation. The aim of the GDPR is to harmonize data protection laws throughout the EU member States. The GDPR is to apply as from May 2018.
The EU has also approved the Law Enforcement Agencies Directive (the 'LEA' Directive), which addresses certain activities carried out for national security purposes. This is also due to apply during 2018, and the activities covered by the LEA Directive are not covered by the GDPR (nor does the GDPR address processing carried out by individuals purely for personal/household activities).
So what is the importance of the GDPR for Israel and Israeli entities in mid-2016?
The territorial reach of the GDPR is potentially very wide. It applies to: (i) organizations with an establishment in the EU where personal data is processed in the context of the activities of such establishment; (ii) organizations processing an EU resident's data in connection with goods or services offered to such individual; or (iii) organizations monitoring the behavior of individuals within the EU. This applies to both data processors and data controllers. So, if an Israeli entity has an 'establishment' in the EU and personal data is processed in the context of the activities of such establishment, the GDPR will apply; this could extend to those with sales offices in the EU targeting EU residents. In addition, under paragraphs (ii) and (iii) the GDPR extends a long-arm jurisdiction: data controllers and data processors caught by those paragraphs will need to have a formal representative in the EU who can be approached with respect to all issues arising from the processing of personal information under the GDPR. Given the width of the territorial reach of the GDPR, Israeli entities should already start considering whether they fall within its scope and, if so, what steps they need to take.
It should also be noted that the GDPR introduces some new as well as varied concepts. The major concepts which stand out in this context include: (i) stricter consent requirements from data subjects (consent must be by clear affirmative action or statement, consent once given must be easily withdrawable, and bundling of consents for different data processing activities is not permitted); (ii) greater transparency, with more information to be provided to individuals with respect to the processing of their personal data; (iii) encouragement of the use of pseudonymisation (processing personal data so that the individual data subject cannot be identified without access to additional information, with the latter being kept separately); (iv) obligations to notify in case of a breach of personal data security; (v) new rights for data subjects, such as the right to be forgotten (it can be noted that there was a legislative proposal to introduce such a right into Israeli law; please refer to our previous newsletter on the legislative proposal under Israeli law) and the new right of portability of personal data from one data controller to another; (vi) profiling, for which the data subject's express, affirmative consent is required; (vii) specific provisions addressing children; (viii) provisions addressing cross-border transfer of personal information to outside the European Economic Area. With respect to Israel, the EU currently continues to recognize Israel as a state meeting the minimum requirements for cross-border transfer.
The GDPR also introduces administrative fines of up to Euro 10 million or 2% of the annual turnover of the preceding financial year for violation of the data breach provisions.
In conclusion, while the GDPR only enters into force in 2018, companies are encouraged to start reviewing their data protection activities, rules, policies, agreements, consent procedures, etc. now, in order to verify whether the GDPR applies to them and, if so, whether they will be ready to comply with its requirements once it enters into force.