Israel’s Privacy Laws Dawdling Will Be Catastrophic, Says Law Researcher
CTech – Last week, the US Federal Trade Commission (FTC) slapped Facebook with a $5 billion fine for failing to adhere to user privacy regulations in the now infamous Cambridge Analytica case. Media response since then has fallen into two main categories: those who concentrated on the inadequacy of the fine, and those who used the platform to champion new privacy regulations in the US.
The US regulator is particularly lenient when it comes to user privacy violations, and many unlawful companies go unscathed, especially on their first offense. US privacy laws are still a distance behind European Union laws, lacking crucial defense mechanisms such as the obligatory report of database breaches and the investigations of public complaints. The FTC’s failure to hold Facebook extensively accountable for what could be considered this decade’s most outrageous privacy scandal illustrates just how problematic US privacy regulation is. With the EU leading the way with its General Data Protection Regulation (GDPR), effective as of last year, it is clear the rest of the world needs to shape up and develop new comprehensive and easy ways to enforce privacy laws.
Israel is also struggling to keep its privacy policies updated, despite its global position as a small but noteworthy tech hub and a leading developer of data storage and data processing technologies. The country’s current privacy laws are embarrassingly outdated: Israel’s privacy protection law has received very few amendments since 1981, and few lawmakers are interested in promoting legislation on the matter. This situation is making it hard for the state to protect citizens against invasions of privacy, which could explain why Israelis get so heavily spammed with marketing text messages and emails. In Israel today, there is no effective way to prevent businesses from trading in people’s information.
Failure to catch up to the rest of the world’s privacy standards holds a special risk for the Israeli tech sector. Today, Israel enjoys an adequate status of privacy protection according to the EU’s standards. Granted in 2011, this standard allows Israeli tech companies to use the information of European citizens and sell them data-based products and services. But this status, awarded before the age of GDPR, is now under review in light of the new regulations, and there is a real threat that the gap between Israel’s outdated laws and the EU’s top of the line regulation would prove too wide.
“The real talk in the industry and among privacy experts is that the adequacy status will likely not carry over,” Tehilla Shwartz Altshuler, senior fellow at the Israel Democracy Institute, told Calcalist in a recent interview. Shwartz Altshuler heads the institute’s Media Reform and Democracy in the Information Age programs. As the Startup Nation, Israel makes much use of private information and trade with Europe in a lot of data-based products. Losing this EU-sanctioned status will hurt the tech industry, she said. “We are really on the verge of a catastrophe the size of which decision-makers do not comprehend.”
Eran Shir, CEO of Autotech startup Nexar Ltd., echoed Shwartz Altshuler’s message. “It is a big headache and we need to set things straight,” he told Calcalist in a recent interview, adding that “Europe is a big market for Israel.”
Jonathan Rouach, CEO of blockchain privacy startup QED-it Systems Ltd. (QEDIT), told Calcalist that losing the adequacy status would likely affect younger, smaller companies much more. “New startups still not familiar in the European market will no longer be able to lean on Israel’s reputation,” he said. “Companies will have to make an effort to prove they are GDPR-compliant, and it could cost them business.”
These days, Shwartz Altshuler is leading a multi-system push to update Israel’s privacy laws. At the front of this effort is a new privacy bill designed to replace the existing law and completely change Israel’s treatment of digital privacy.
The bill is spearheaded by Shwartz Altshuler and her IDI colleague Rachel Aridor-Hershkovitz, a researcher at the institute’s media reform program, and backed by Israeli lawyers and members of academia. According to Shwartz Altshuler, the main problem with the existing law lies with the fact that it was put in place years before the internet. It does not reference any data processing scenarios, she said.
Israeli advocate Jonathan Klinger, who serves as a legal advisor for nonprofit organization Digital Rights Movement, assisted in drafting the new bill. He recently told Calcalist that he believes the existing law has bigger issues than simply not being on par with technology. “The current law promotes bureaucracy at the expense of the right to privacy,” he said. Instead of protecting privacy, the law imposes a lot of technical and bureaucratic obligations on those who hold information, without forbidding them from using the information, he explained. According to him, companies that collect private data are required by law to demonstrate that they are protecting the data from cyber attacks, but the law does not stop them from using it to target people or keep their information without their consent.
According to Nexar’s Shir, outdated laws mean Israelis don’t get the same access to emerging technologies, even those developed in-country. “The primary market for Israeli startups is not Israel,” he said. “Local companies are focused on US and EU regulation because that is where the market is. When Israel does what it wants as far as regulation, it becomes difficult to adapt local technologies to the local market.”
According to Shwartz Altshuler, the legal vacuum that currently exists due to insufficient legislation could be prolonged intentionally. According to her, some government offices enjoy this gray area as they practice some form of digital monitoring. The Ministry of Defense, Ministry of Diaspora Affairs, and Ministry of Strategic Affairs all have in place systems for monitoring content on social media, Shwartz Altshuler said.
Drawing inspiration from the GDPR, the new bill includes references to new technologies that make use of personal data and discusses the collection, analysis, and processing of personal information. More than requiring tech companies to receive consent for collecting data, it defines ways users can demand to review their data and request it be corrected, moved to a different database, or erased.
The new bill also sets its sights on Israeli security agencies, which currently enjoy a sweeping exemption when it comes to digital privacy.
The need to adjust to global regulation has made it so that the interests of the business and tech sectors and of human rights organizations align, Shwartz Altshuler said. According to her, this offers a legislative opportunity.