Israel will shortly be added to a list of countries deemed to have adequate data protection regimes. The effect of this decision is that Irish businesses will soon be able to transfer personal data to business partners in Israel without needing to sign EU-approved Model Contracts.
Data controllers must not transfer personal information outside of the EEA until confident that transferred data is adequately protected by the recipient. There are various methods through which this can be achieved including:
- transfer to a country with a data protection regime deemed adequate by the EU;
- transfer to a US company certified under the US “safe harbor” programme;
- transfer via an EU-approved Model Contract;
- transfer within a group of companies covered by approved Binding Corporate Rules; or
- transfer with the explicit consent of the data subject(s).
Israel will join a growing list of counties which have been declared adequate for European data protection law purposes including Argentina, Canada (for certain data), Switzerland, Guernsey, Jersey, the Isle of Man and the Faroe Islands.
With the increased outsourcing of business activities it is likely that data transfers to countries outside of the EEA will remain an important issue for Irish businesses. The inclusion of Israel in the list of countries with adequate data protection regimes facilitates the transfer of data. For countries whose data protection regimes are not currently deemed adequate there are other mechanisms through which data can be transferred in compliance with Irish and EU law.
For further information please contact Leo Moore or John Magee of our Technology & Commercial Contracts Department.
