In The Shadow of Brexit:
GDPR Impact for Israeli Businesses
Israeli businesses collecting and processing information about individuals resident inside the European Union will have long become familiar with the need to comply with the requirements of the General Data Protection Regulation (“GDPR”) when that information is collected then transferred to Israel and stored or processed in Israel.
Likewise, anyone with a passing interest in questions of current affairs will have found narratives of the Brexit process in the United Kingdom impossible to avoid. Much of the related GDPR discussion has questioned the future of data transfers between the UK and the EU - however comparatively little has been written about the question of how this might impact operators in third countries like Israel who collect and process the data of Europeans including the British.
At present with the ‘Transition Period’ whilst the UK formally left the EU at the end of January, EU Law including the GDPR remains in effect in the UK without change until the end of 2020. However, as of the 1st January 2021 the Transition Period will end, and this arrangement will change. The exact framework which will exist after this date is at the moment unknown to us. It is itself subject to ongoing bilateral negotiations between the UK and the EU.
We do however already know that the UK envisages the current GDPR rules being turned into a domestic ‘UK GDPR’ which is no longer a part of the pan-European framework. This is especially important in the context of the UK Government indicating its intent to seek a future without significant in-principle alignment between the UK and the EU. This creates several known risks for Israeli businesses collecting information in both the UK and the EU, each a result of the likely need to comply with two separate regimes.
There are also a number of risk management issues which Israeli businesses operating in both the UK and the EU will need to prepare for and monitor in the months ahead:
a) The risk that over time the ‘EU GDPR’ and the ‘UK GDPR’ drift apart and contain different rules and two different shifting compliance burdens that Israeli businesses operating in both places need to monitor.
b) The risk that the EU and the UK will each issue separate and different “adequacy decisions” about third countries such as Israel which are authorised to receive, process, and store data from each jurisdiction.
c) Give rise to a new need to communicate with and make representations to multiple regulators.
As regulations change it is important that businesses remain fully aware of obligations impacting them from overseas and comply with them to avoid financial or other penalties. If at any time your business requires advice on how to deal with potential changes in the regulatory framework of data protection when you collect information in either the UK or the EU, please contact Aviv Lazar & Co. for first-rate up-to-date consultancy services tailored to most effectively protecting your business in this shifting legal landscape.