Privacy & Information Security Law Blog

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

Under the EU Data Protection Directive, the transfer of personal data outside Europe is prohibited unless the recipient country is considered by the European Commission to provide an “adequate” level of data protection, or if the data controller has implemented a proper mechanism to ensure an adequate level of protection (e.g., model contracts or binding corporate rules).

The adequacy procedure was launched by the European Commission after the Article 29 Working Party’s Opinion 6/2009 (issued in December 2009), which found Israel’s data protection law to be adequate.  Notwithstanding that Opinion, however, the European Commission must make an official decision regarding Israeli adequacy for purposes of compliance with the Directive.

Earlier this week, the European Commission sought to move ahead with issuing its adequacy decision through a written procedure that would lead to the automatic adoption of the decision if no Member State objected.  As a result of Ireland’s objection, the Commission now must undertake a full “comitology procedure” in accordance with Article 31 of the EU Data Protection Directive.  The adequacy decision will be subject to a full debate in a committee composed of representatives of all Member States (the Article 31 Committee), followed by a vote.  It remains to be seen whether the Member States will concur with the Article 29 Working Party’s Opinion that Israel provides an adequate level of data protection.

To date, the European Commission has recognized Argentina, Faeroe Islands, Guernsey, Jersey, the Isle of Man, Switzerland, the Canadian Personal Information Protection and Electronic Documents Act and the U.S. Department of Commerce Safe Harbor Privacy Principles, as providing adequate protection.