Category: News

In its decision from January 15th, 2024 (“Decision”), the European Commission (“Commission”) re-affirmed Israel’s adequacy status, meaning that transferring personal data related to European data subjects to Israel will continue to be seamless.

The free data flow from the European Economic Erea (“EEA”) to Israel will remain in place, and as a result business between Israel and the EEA can be conducted in an easier, more convenient manner compared to other non-EEA countries.

Background

The adequacy status can be given to a country which is not a member of the European Union after an in-depth examination by the Commission to assure that such country offers adequate safeguards to the personal data related to European data subjects. Adequacy status was granted by the Commission only to a limited number of countries.

The renewal of the adequacy status of Israel is a relief for Israel-based companies, after the re-examination procedure of the adequacy status ( originally given in 2011) that began following the Regulation (EU) 2016/679 (General Data Protection Regulation) – GDPR which entered into effect in 2018.

The Israeli government had taken several steps in order to ensure that the adequacy status is renewed. The Commission mentioned in the Decision some of them , including “specific safeguards to reinforce the protection of personal data transferred from the European Economic Area by adopting Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023. Israel also strengthened the requirements for data security by adopting Privacy Protection (Data Security) Regulations, 5777-2017 and consolidated the independence of its data protection supervisory authority in a binding government resolution.”

The Acknowledgment

In the Decision, the Commission acknowledges that European data subjects’ personal data transferred to Israel enjoys adequate data protection safeguards. Therefore, the adequacy decision from 2011 remains in power and personal data can continue to flow freely from the EEA to Israel without any special data transfer regime or special arrangement (like the Standard Contractual Clauses – SCC or Binding Corporate Rules – BCR).

In practice, the renewal of the adequacy status means that the transfer of personal data from Europe to Israel will remain materially the same as the transfer of personal data within the EEA.

Why is it important?

The adequacy status is important for the Israeli economy, especially with regards to trade or research relations with Europe. The convenient and simple flow of data to Israel makes it easier, from a legal and regulatory standpoint, for entities in Israel (including Israeli companies, businesses, hospitals, research institutions and public authorities) that receive personal data to do business in the EEA or with EEA based entities.

The adequacy status prevents the need for individual and resource-intensive mechanisms, for example detailed contractual arrangements, thereby reducing costs for businesses and organizations in Israel, reducing legal risks, and creating a competitive advantage for Israeli entities.

The Decision can be read here. The publication of the Privacy Protection Authority in the Ministry of Justice can be read here (in Hebrew).

The authors are Adv. Rotem Perelman-Farhi, head of the Technology, IP and Data Protection Department and Adv. Einat Goldstein, associate in the Department.

* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.

The French Data Protection Authority (CNIL) has published a draft guide on Transfer Impact Assessment (TIA). The draft guide outlines the procedures and considerations for conducting a TIA. This draft serves as a guideline for organisations that transfer personal data outside of the European Economic Area (EEA) and therefore must assess the level of data protection in the countries of destination.

Background

Under the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), personal data transferred outside of the EEA (for example to a cloud service provider or when shared with a parent company or subsidiary) must receive the same protection as within the EEA. This is the case when personal data is transferred to countries with adequacy decisions (for example to Israel). In the absence of adequacy, data exporters (acting as controllers or processors) must adopt measures like Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCCs) to compensate for deficiencies in the data protection laws of the third country (to which the personal data is being transferred).

In its “Schrems II” ruling from July 2020, the Court of Justice of the European Union (CJEU) emphasized that both data exporters and data importers are responsible to guarantee that personal data, when transferred outside of the EEA, is granted the same level of protection as set by the GDPR.

Requirement for Transfer Impact Assessment

Consequently, data exporters must verify whether the third-country legislation is essentially equivalent to EU protection levels, and implement additional measures where needed. If the transfer relies on a transfer tool under Art. 46 GDPR (as BCRs or SCCs), a TIA is required, conducted by the data exporter and importer together. Until now, organizations have mainly relied on the recommendations of the European Data Protection Board (EDPB) on additional measures supplementing the transfer instruments, published in June 2021, to carry out their TIAs.

In this context, the CNIL decided to draft a practical guide to “help data exporters carry out their TIAs.” The CNIL has released a draft of this guide for public consultation until February 12, 2024, with the final version expected to be published later in 2024.

The CNIL Guidelines

The CNIL guide constitutes a methodology which identifies the various elements to be considered when carrying out a TIA. The CNIL points out that the use of this guide is not obligatory; other elements can be considered, and other methodologies can be applied.

The guide provides a TIA template based on the six steps recommended by the EDPB for carrying out a TIA, which are as follows:

  1. Know your transfer;
  2. Document the transfer tool used;
  3. Evaluate the legislation and practices in the country of destination of the personal data and the effectiveness of the transfer tool;
  4. Identify and adopt supplementary measures
  5. Implement the supplementary measures and the necessary procedural steps;
  6. Re-evaluate at appropriate interval the level of data protection and monitor potential developments that may affect it.

It is worth noting that the CNIL specifies that in the case of onward transfers, a separate TIA should be carried out for each type of onward transfer.

Compared to the EDBP’s recommendations, the CNIL also increases the responsibilities of the data importer. The CNIL finds the data importer’s cooperation “essential for the TIA to be carried out” and goes on to state that if the data importer is a data processor, its cooperation obligation is part of the obligations under Art. 28 of the GDPR. Essentially, while the main burden of conducting the TIA is on the data exporter, in the CNIL’s opinion the data importer has significant information obligations.

Differences to the ICO’s Transfer Risk Assessment

The CNIL’s guideline follows the EDPB’s recommendations and as such differs from the United Kingdom’s Information Commissioner’s (ICO) transfer risk assessment tool, which may be used for transfers of personal data outside of the UK. The purpose of such transfer risk assessment (TRA) is to asses if a transfer increases privacy and rights risks compared to keeping data in the UK. If no significant extra risk is found, the transfer is permitted. The ICO’s TRA tool offers a more risk-based (and possibly more business-friendly) approach compared to the EDBP. The TRA tool focuses mainly on general human rights risks in the destination country, which include (i) risks associated with third-party access to data, especially by government and public bodies, and (ii) risks stemming from challenges in enforcing the Article 46 transfer mechanism.

For more information related to the transfer of personal data and on any other matters relating to privacy and data protection laws, please reach out to us at ERM.

Our partner, Adv. Rotem Perelman-Farhi, head of the Technology, IP and Data Protection Department and Adv. Einat Goldstein, LL.M, associate in the Department, share the essential information.

* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.

ERM Advised our client, Azorim, on the signing of a significant agreement with the majority of property rights holders of a property in the city of Ramat Gan.

The deal is another example of the growing recognition of the importance of new and speedier construction starts, needed to meet market demand and safe building development.

Partners Aharon Shimon and Yoav Zahavi from ERM’s Real Estate and Urban Renewal Department advised Azorim.

For the full article in Hebrew click here.

Though we – as humans, as lawyers, as a firm and as a country – are still reeling from the horrendous attack we faced on 7 October, the economy and Israel’s energy sector specifically, remain of paramount importance. We are therefore thrilled to congratulate our client, Phoenix Insurance Company, for their agreement to invest an amount of up to NIS 700 million into Meshek Energy. This strategic investment will provide Meshek Energy with the capital needed as part of its bid to acquire the major Eshkol power station from the Israel Electric Corporation at a value of at least NIS 9 billion, and is a significant milestone in the energy sector.

Phoenix Insurance was represented by partners, Amnon Epstein and Ron Abelski, with senior associate Itamar Lev Eldar, and interns Roni Ghouila and Ronnie Kohn.

For the full article in Hebrew, click 

Congratulations to our client, Mekorot, Israel’s largest water company, for publishing the first tender for the design, finance, build and operate of a 75MW solar plant, including storage, over the Israeli National Water Carrier. This tender is the first of its kind in the novice coverage of the National Water Carrier (in Stage 1 over 1300 dunams in the Netofa area of the canal). This is the second large scale solar tender that Mekorot has initiated being in the forefront of Israeli governmental companies helping to achieve the goal of boosting the proportion of power generated from renewable sources in Israel to 30% of total power production by 2030.
Amnon Epstein, Founding Partner and head of ERM’s Energy & Infrastructure, together with Associate Tal Ishay, led the team and were assisted by interns Maya Shoshani and Roei Dayan.

ERM Advised Bank Leumi on the financial close of the NIS 510 facility agreement with Menorah Synergy, a subsidiary of TeraLight and Senergy Renewable Energy financing a portfolio of photo-voltaic power plants on roofs and reservoirs totalling approximately 124 megawatts.

Thank you to our partners Amnon Epstein, Chen Weiss, associates Nir Shaked and Ori Nehmad  from our energy department.

To read the full article in Hebrew click here.

 

ERM Advised Jerusalem Homes Group Ltd. of the Complex 06 project in the Katamonim neighborhood in Jerusalem. The project includes 700 housing units, 3,800 square meters of commercial space, and 2.8 dunams of public space.

Partners Aharon Shimon, Yoav Zahavi and associates Or Tzur, Golan Laihtam and Shoval Yaacov, all from the Real Estate and Urban Renewal Department advised Jerusalem Homes Group Ltd.

For the Hebrew article click here.

ERM partner and head of our German desk, Ron Abelski was interviewed in the leading German industry ‘Venture Capital Magazine’, about Israel’s start-up ecosystem and venture capital investments.

“In the last few years, I have also seen extensive investment activities by corporate venture capitalists – including many DAX30 and Mittelstand companies – searching for and investing in Israeli start-ups with the aim of utilizing these start-ups’ technologies in their products or companies.”

For the full article press here

We congratulate our client Prime Energy on the sale of 50% of its interest in the Tlamim project to Helios. The Tlamim project is a 14 megawatt (AC) land-based photovoltaic project, valued at approximately NIS 72.5 million.

The Epstein Rosenblum Maoz’s (ERM) team advising Prime Energy was led jointly by Amnon Epstein, founding partner and head of ERM’s Energy, Infrastructure, and Climate practice, and Chen Weiss, partner. Associate Tal Ishay also advised.

For the full article (in Hebrew) please click here

ERM Advised Paz Oil Company (TLV: PZOL), the largest Israeli fuels company, and Hagai Miller on reaching financial closing of its first renewable energy project.

Epstein Rosenblum Maoz’s (ERM) Energy Infrastructure and Climate practice group was proud to advise Paz once again following its acquisition of the 272MW PV project in Texas, US in 2021 together with Global Sun Israel.

The financial closing included non-recourse project finance from Nomura and Poalim, Tax Equity finance from a leading US investment bank and equity finance from Menora Mivtachim Group.

Partner Asaf Rimon led the ERM team, together with Amnon Epstein, Galit Heller Farkash, Tal Ishay and Lin Nanikashvili

For the full article in Hebrew click here.