The European Union Court of Justice has recently shocked Europe and the U.S., sending the giant tech firms to rethink its information gathering and processing policy in the Continent. This decision is liable to impede Israel, which do far has failed to modernize its privacy laws unlike other countries, and adversely affect start-up companies aiming to act in the EU arena.

By: Idan Ben-Yacov, Adv.

Information, including user identities, mode of service use, preferences, areas of interest, etc., or simply put – Data – is today’s hottest and most consumed commodity in the world of technology. All our technological activity, all data appearing about us (whether created by us or by others), anything we’ve searched, written, copied, stored and/or saved in the Cloud – is all exposed to the company we use to search or save the data. They use it for their own purposes, including by processing it, issuing data and user patterns and in most cases selling it to third parties, all as part of the terms of use and business model (in exchange for “free” services like storage and use of the platform ).

GDPR Rules and Regulations

ICQ, the first online instant messaging program (or by today’s standards, the first online messaging Application) was first created in Israel in the 90’s [and our firm was privileged to advise one of its young founders], and later of course Google, were among the first to identify the potential of collecting and merchandising personal data. Thanks to advanced processing and sophisticated algorithms, Google has succeeded time and again to match the results we search for, even before we realize what we want.

The European Union, aware of the sensitivity of such data – stemming not just from the raw data, but primarily from the insights and sensitive data that can be extracted – established the GDPR ground rules. These rules apply to every entity operating or providing service or product in an EU member country (even if only as a transmission point for the data), to either a European resident or citizen, and applies to every entity and/or individual that processes data of an EU resident or citizen. In other words, the rules effectively apply to most of the world (obligating the different countries to adapt their laws to the GDPR rules, in one way or another, should they wish to operate within Europe’s cybernetic sphere).

GDPR rules and regulations relate to the entirety of activity using the private data we create that is saved in the Cloud, including inter alia ‘the right to be forgotten’ – namely, the right NOT to be indexed in the various search engine services, and to obligate them to erase all your data according to the user’s demand (with certain limitations).

The General Data Protection Regulation is actually a compendium of laws and regulations applicable to the data collector, processor, the company storing the data and the user himself, who has provided the data or being the subject of data that has been gathered. Israel, as a significant EU trade partner and part of the EMEA region, has adapted and subjected itself de facto to the guiding principles of the GDPR protocol, by enacting and adapting the State’s laws to create a network of mediation and compatibility agreements.

These agreements relate to a range of privacy issues, while being adapted to the Israeli market and its unique requirements. An interesting aspect in this context is Israel’s General Security Service’s electronic tracking of citizens in order to locate those infected with Corona.

Shock to Business Models

But we’re just a drop in the ocean. The agreements between the U.S. and Europe regulating processing, storage and management of data collected by technology firms, and the means by which they transfer the data between Europe and the U.S., are collectively referred to as “Privacy Protection.”

The European Court of Justice’s recent decision from July 2020 determined that the laws of the U.S. are incompatible with many countries’ GDPR regulations, including the government’s ability to demand and receive private, personal information regarding various users. Therefore, the “Privacy Protection” arrangements that until now had enabled (inter alia) transmission of data collected in Europe and/or regarding European citizens for the purpose of actual processing on American soil – are invalid. This decision essentially forbids American companies to store data in servers outside Europe, data collected in the Continent or that relates to its residents and citizens.

The result was that the Court sent shockwaves through global companies’ business models (like Google and Facebook), regarding any transfer of information between Europe and the U.S. Without exaggerating, one might say that this decision indirectly forbids the transfer of information world-wide.

It might seem that this is another legal battle to be resolved by legal advisers, but that is not the case. The world of technology is based on decentralization and international cooperation. For example, WAZE, Israel’s global pride, is liable to find itself restricted in its ability to provide services to European users – since its data is stored and processed (inter alia) by Israeli servers, even if “produced” by European car drivers.

Israel’s Lawmakers Must Sit Up and Take Notice

In their decision the Court ruled that the U.S. has not done enough to protect its citizens’ privacy, and therefore cannot be trusted to do so for data pertaining to Europe’s residents. And if the U.S. is not sufficiently advanced and up to date, where does Israel stand? As of today, Israel is still considered a “safe” country, but will not remain safe for much longer. An up-to-date example of how far Israel lags behind the rest of the world in Privacy Protection matters can be seen in the case of data breaches that occurred in “Elector”.

In that case, information has leaked from the App before the elections to the Israeli Parliament from a sensitive data base of all voters. If we recall that no one was brought to trial, and the case was closed with just the threat of a fine – we can understand how far behind Israel is vis-à-vis the world and the European privacy laws, and primarily in its ability to deter regulation and rule-breakers. More important, the European Court is expected by the end of 2020 to relate to the standing of Israel’s privacy laws, by ruling whether the latter meet the required European standard.

However, the above examples deal primarily with mega companies. What will start-ups do in their initial phase? Where will they store the data they mine from their users? Israel’s lawmakers must understand that this is an actual threat to the Start-up Nation. Without sharing data created in Europe or processing data, Israeli hi-tech cannot survive. No company in the world will work with a start-up from a country that is a non-signatory to privacy protection agreements customary in Europe that restrict the capacity to process data, which is today the company’s most valuable resource. Israel’s lawmakers must wake up and attract parliamentary attention and ability to update Israeli privacy laws, to bring them up to par with the most advanced countries on this issue around the world.

From the consumer’s viewpoint, the information is transparent. It is accessible anywhere with an internet connection, and the consumer is unaware of where the data is stored, or the type of security by which it is protected. The lawmaker’s role is to assure Israel’s place in the forefront of privacy protection for users and data, since for Israeli high-tech, being disconnected from the European cloud could be devastating .

The writer, lawyer at Ben-Yacov Law Firm, specializes in all aspects of commercial law, with emphasis on hi-tech, fundraising from venture capital funds and angel investors, establishing companies, guiding start-ups at various stages, investments, founders’ agreements, protection of intellectual property, representing entrepreneurs, due diligence and drawing up a wide range of agreements.