Global Data and Cyber Handbook

Israel

Select a Topic
Start Comparison
International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: January 24, 2025

Yes.

A third country means any country other than Israel. The Transfer Regulations prohibit the transfer of data from a database in Israel to a database located abroad, unless the receiving country ensures a level of protection of data that equals or exceeds the level of protection provided for under Israeli law.

Transfers of personal data to third countries are permissible only, if there is a legal basis for the processing/transfer and one of the following applies:

☒        derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
☒        other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

The Transfer Regulations do not specifically whitelist third countries to which personal data can be transferred, but they determine categories of countries to which personal data can be transferred. The Transfer Regulations lay down a number of principles that help determine whether or not a country provides an adequate level of protection, including principles which relate to the collecting and processing of the data, the storage, use and transfer of the data, the reliability and accuracy of the data, the right to access and request rectification of the data, as well as the obligation to take appropriate security measures in order to protect the data.

Notwithstanding the above, the Transfer Regulations lay down several conditions which - if any one of them is met - permit the transfer of data from a database in Israel to a database abroad, even if the law of the recipient country provides a level of protection which falls below that which is provided for under Israeli law. These include, inter alia:

  • the consent of the affected data subject
  • the data is being transferred to a corporation under the control of the owner of the Israeli database and it has ensured the protection of privacy following the transfer
  • the data is being transferred to someone who has undertaken in an agreement with the owner of the Israeli database to fulfil the conditions laid down in Israel for the processing and use of the data
  • the transfer of the data is necessary for the protection of public welfare or security or is obligatory under Israeli law
  • the data is being transferred to a database in a country which is a party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data or in a country that is recognized under the European data transfer rules as providing adequate protection

In addition to the above, the Transfer Regulations state that the owner of the database must ensure (by way of a written obligation from the recipient of the data), that the recipient is taking steps to ensure the privacy of the person to whom the data relates, and that the recipient undertakes that the data shall not be transferred to any person other than himself/herself, whether such person be in the same country or not. Having said that, in a position published by the PPA on 13 October 2024, the PPA noted that onward transfer would be permitted if: (i) it is agreed to within the contract by the data controller, (ii) the onward transferred complies with applicable laws as if it was performed within Israel; and (iii) the transfer of personal data to each onward recipient would have been approved under the Transfer Regulations. .Furthermore, it should be noted:

  • In a statement issued by the PPA on 1 July 2020, the PPA noted that transfer of personal data to EU member states shall be considered a transfer of personal data to a country which provides an adequate level of protection as required under Reg. 1 to the Transfer Regulations) i.e. and therefore personal data can be transferred to the EU., without satisfying any other condition set out under Reg. 2 to the Transfer Regulations.
  • On 1 July 2020, the PPA published an opinion according to which transfer of personal data from a database in Israel to a database located in the United Kingdom and Northern Ireland, post-Brexit, is still permitted, since these European countries are signatories to Convention 108 (and thus considered countries which provide an adequate level of protection of personal data). Therefore, personal data can be transferred to the UK, without satisfying any other condition set out under Reg. 2 to the Transfer Regulations.
  • On 29 September 2020, the PPA issued a statement regarding the transfer of personal data from Israel to the United States, based on the European Court of Justice's ruling finding "invalid" the E.U.-U.S. Privacy Shield framework for the transfer of personal data from Europe to the United States. The PPA clarified that the exception under the Transfer Regulations – on the sharing of personal data with an organization residing in a country that receives data from member states in the European Union under the same conditions of receipt – can no longer form the basis to transfer personal data from a database in Israel to U.S.-based organizations, even if those organizations are bound by the principles of the Privacy Shield framework. Therefore, currently, Israeli companies are advised by the PPA to implement, to the extent applicable, other alternatives available under the Transfer Regulations, to transfer personal data to the United States. The PPA has yet to opine on the transfer of personal data from Israel to the United States following the adaptation of the EU-US Data Privacy Framework ("DPF").
{{ $store.state.loadingScreen.message }} ...