Israel Revokes U.S. Data Transfer Authorization in Wake of EU Safe Harbor Invalidation

By Joseph D. McClendon

The Israeli Law, Information and Technology Authority (ILITA) revoked authorization for businesses that previously relied on the EU’s Safe Harbor exception to transfer data from Israel to the United States. 

Under Israel’s 2001 Privacy Protection Regulations, moving data from inside Israel to a database outside of Israel was permitted provided that the transferee country had laws regulating data protection that were at least as protective of data as Israeli law. 

The Privacy Protection Regulations provided an exception for companies that are located in countries that do not have adequate data protection laws by allowing data transfer out of Israel to countries that the EU permits data transfers. In practice, this meant that businesses in the United States could transfer data out of the EU (and Israel) as long as they were Safe Harbor compliant.

Closing this exception for data transfers out of Israel is a continuation of the ripple effect that invalidating Safe Harbor has created. While not an official member of the so-called “Euro Data Zone,” Israel obtained an exception in 2011 under the EU Data Protection Directive to be one of a small number of countries where data could be transferred out of the EU to Israel without requiring companies to use standard contractual clauses or binding corporate rules.

With Safe Harbor no longer an option, U.S. businesses now must rely on other legal strategies, such as standard contractual clauses or binding corporate rules, in order to transfer data out of the EU, and as of this week, Israel.