The shockwaves of the EU Court’s ruling on privacy standards may topple Israel’s tech sector
Private data is the lifeblood of Israeli startups, the government’s failure to respect individual privacy is proving to be dangerous
The dramatic ruling by the European Union’s Court of Justice on Thursday is, on the surface, unrelated to Israel. The document doesn’t mention Israel once and deals with the Privacy Shield agreement between the EU and the U.S., or rather the nixing of it. Naturally, the ruling has a major impact on U.S. tech companies, in fact it will affect every American company that collects data on EU residents, even if it isn’t strictly speaking a tech company.
Although Israel is not a party to the decision, the ruling’s consequences are likely to have enormous and severe consequences for the Israeli economy, and particularly on its tech industry. “This is earth-shattering because the consequences may place a heavy burden on many companies,” Tehila Schwartz Altshuler from the Israel Democracy Institute told Calcalist. "If Israel fails to make necessary amendments to its privacy protection law, it would be a great pity. The government’s use of the Israel Security Agency, better known as the Shin Bet, in its fight against the spread of Covid-19 will put Israel in a very problematic place, especially in light of the new ruling. The ruling’s message extends far beyond just the U.S., and the question is how it is going to reverberate. It will definitely affect Israel."
Schwartz Altshuler is well acquainted with the topic. She has been deeply immersed in the privacy regulations between Israel and the European Union for the last two years, and especially as it relates to the question of the adequacy of the law in Israel to the new privacy law of the EU - the GDPR. The approval of adequacy, granted in 2011, allows Israeli companies to use the information on the EU’s residents in order to sell them information-based products. However, compliance was granted on the basis of the old privacy laws that were in force before the stricter GDPR laws were implemented.
GDPR. Photo: Depositphotos
The International Department of the State Attorney's Office is currently negotiating with the EU institutions over the renewal of its adequacy approval, but the principles set forth in the ruling suggest a real danger that Israel will not receive it.
The adequacy approval that is so important to Israel and the tribunal's decision regarding the agreement with the U.S. (or rather, the cancellation of that agreement) are intertwined because they deal with the same issues. “The court canceled the 2015 Privacy Shield agreement that allowed American companies to store and process data on EU residents on servers outside of its borders," Schwartz Altshuler explained. "The U.S. does not possess essential equivalence with the EU and the agreement allowed for companies to manage and secure data on EU residents by receiving specified permission as long as it met the EU’s privacy protection standards.”
However, the new ruling determined that the permission U.S. companies received was insufficient because they are known to hand over a lot of data to the authorities and due to the fact that a great deal of online surveillance is carried out by American law enforcement and intelligence agencies.
According to Schwartz Altshuler, the ruling is nothing short of an earthquake, and the consequences of the decision are expected to impose a heavy burden on many companies.
"One possible implication is that companies around the world will have to reopen their information processing policies, and re-sign privacy agreements with users," she explained. "They may have to re-sign contracts with vendors and amend all of the agreements. They must become fully compliant with the GDPR if they want to use information related to Europe. And it may even require them to move servers, or stop using cloud services of American companies.
"The large companies will be able to handle it, but for small companies, it's a major burden. Some believe it will hurt the willingness of European companies or EU research institutions to transfer data to the U.S. They have medical data that is worth a lot of money. If Google or a pharmaceutical company wants to gain access to the data, it may prove problematic. Google, Facebook, and similar companies have users who are citizens of the EU, and the question now is what are they allowed to do with the data they collect about them. After the GDPR went into effect, they moved some of the servers to the U.S., because the restrictions on information management are less stringent there. Some people believe this is not an earthquake and that business interests and money will prevail, that they will only make changes to the servers' location and mechanism."
What is important about the ruling?
"The EU Court of Justice is saying that it is not that there are insufficient privacy protections in the U.S. that allow for the invasion of privacy, rather that the issue concerns the transfer of private information to law enforcement agencies, that intelligence agencies monitor network traffic. This is what endangers the citizens of the EU and this is the reason for the cancellation of this agreement."
Why is that important?
“Because when a country requests adequacy from the EU, it examines all sorts of things like citizens’ data rights and how robust and independent its privacy protection authorities are. Among other things, it checks the level of authority that national security organizations are given to impede citizens’ privacy in each state. Canada, Japan, Australia, New Zealand, countries for whom adequacy to the EU’s requirements was important, were forced to alter regulations governing what their law enforcement agencies’ could do in terms of harming privacy, in order to align with the standard.“
“In the privacy bill I drafted, we addressed this issue, and talked about necessary amendments to the law to maintain compliance with Europe. We addressed that exact topic, and said that the sweeping exemption that Israeli law gives the Mossad, the police, the ISA and the army from liability for invasion of privacy should be reduced. Today, if the police wants to use private information to produce a crime prediction system, they are allowed to do so because they have no obligation to maintain privacy. It is impossible for a law to provide a sweeping exemption to the security authorities because that is the primary thing that will lead to the loss of adequacy.
"Israel was granted adequacy in 2011. We told all kinds of stories about oversight by the High Court and that it is preferable to an independent authority, we committed to legislative amendments. We did nothing of the sort. We do not know what the state of negotiations are between the International Department of the State Attorney's Office and the Europeans. We don’t know what picture was presented to them because they refuse to publish the documentation, even a freedom of information request was denied because they claimed it had to do with foreign relations. We do not know what the state said was happening and whether what it said is true. For 10 years, almost no amendment was made to the Privacy Protection Law, and the oversight powers of the authority that deals with privacy were not strengthened."
The danger of losing compatibility is particularly tangible in light of the use of the Shin Bet’s surveillance tools as part of the battle to curb the spread of Covid-19. "It was decided to activate the Shin Bet to carry out much wider surveillance than exists in any other democratic country. The EU Commission issued an opinion stating that it was forbidden to monitor and gather information about individuals in such a way and Israel went and did it anyway. We have constantly warned that this will lead to a loss of adequacy. The court's decision strengthens our claim, it says that the court pays attention to the extent of surveillance carried out by intelligence agencies in a particular country," said Schwartz Altshuler.
What are the risks of losing adequacy?
“It will harm organizations, companies, research. The entire tech sector is built on private data, from companies that deal with analyzing medical data to those who aim to maximize the impact of social media posts. Companies who want to track users’ actions on their sites, university researchers who want to conduct studies based on personal data on Europeans -- all of that can be significantly harmed,” Schwartz Altshuler concluded.
Israel is only at the start of an economic crisis that could prove to be one of the worst in its history. Europe is the country’s second most important export destination after the U.S., the tech sector is its main growth engine. Removing technology companies from the European market, will impose a huge blow on hundreds of startups and companies, at a time when they are already suffering from immense uncertainty and instability. The figures already indicate that the Shin Bet’s tracking tool is not the most effective tool in the war on Covid-19. Now, there is a fear that it is not only not beneficial to Israeli society, but it may also cause significant damage to its economy.