In The Shadow of Brexit:
GDPR Impact for Israeli Businesses
Israeli businesses collecting and processing information about individuals residing in the European Union should be well aware of the General Data Protection Regulation (“GDPR”), especially when that information is collected and transferred to, stored, or processed in Israel.
Likewise, anyone lightly involved with current affairs will be all too familiar with Brexit narratives in the United Kingdom. Much of the related GDPR discussion has questioned the future of data transfers between the UK and the EU - however comparatively little has been written about how this might impact operators in third countries like Israel who collect and process the data of European countries.
At the present ‘Transition Period’ in the UK, having formally left the EU at the end of January, EU Law, including the GDPR, remains in effect without change until the end of 2020. However, as of the 1st January 2021, the Transition Period will end, and this arrangement will change, but it is unknown how: the changes are subject to ongoing bilateral negotiations between the UK and the EU.
We do, however, already know that the UK expects the current GDPR rules to evolve into a domestic ‘UK GDPR,’ no longer a part of the pan-European framework. This is especially important because it indicates that the UK Government is intent on a future without significant in-principle alignment between the UK and the EU. This creates several risks for Israeli businesses collecting information in both the UK and the EU, each a result of the likely need to comply with two separate regimes.
There are also a number of risk management issues which Israeli businesses operating in the UK or the EU will need to prepare for and monitor in the coming months:
a) The risk that over time the ‘EU GDPR’ and the ‘UK GDPR’ will drift apart and contain different rules and shifting compliance burdens that Israeli businesses operating in both places need to monitor.
b) The risk that the EU and the UK will each issue separate and different “adequacy decisions” about third countries such as Israel which are authorized to receive, process, and store data from each jurisdiction.
c) Give rise to a new need to communicate with and make representations to multiple regulators.
As regulations change, it's important for businesses to remain fully aware of obligations impacting them from overseas and to comply with them to avoid financial or other penalties. If at any time your business requires advice on how to deal with potential changes in the regulatory framework of data protection when collecting information in either the UK or the EU, please contact Aviv Lazar & Co. for first-rate, up-to-date, consultancy services tailored to most effectively protect your business in this shifting legal landscape.