Israel is known as a technological hub, providing innovative solutions to a wide range of industries globally. One such industry significantly affected by global and local developments in 2020, has been advertising. In 2020, the online advertising industry has been affected not only by legal developments and changes, such as the adoption of the data processing regulation (Lei Geral de Proteção de Dados or LGPD) in Brazil, but also market changes, such as a decrease in ad spending as a result of the global pandemic.
The Israeli adtech industry is prolific in generating solutions for online advertising. Israeli companies are providing both publishers and advertisers with products offered on a software as a service model. As a result, Israeli companies are processing large volumes of data that originates with users globally. This data is used to target website users, block fraudulent adverts, increase engagement and otherwise optimise advertisers' ad spend to maximise the revenue generated from their ads. Israeli adtech companies are serving brands and publishers worldwide on a daily basis.
This local industry has been significantly affected by global developments in 2020, both legal and otherwise. Such recent developments include brand accountability movements. Users holding brands accountable for the content on which they serve their ads and that content's effect on political and social discourse have pushed brands to seek solutions to monitor the content on which they are served more carefully. The effects of economic downturns on online ad spending at the same time as user engagement is increasing requires publishers to seek solutions for optimisation of the bids they receive for each user. At the same time, trends in data protection and privacy legislation have required both advertisers and publishers to re-examine their data collection practices.
One such development in data protection from 2020 has the potential to significantly affect this market, in Israel as well as globally: a decision by the Court of Justice of the European Union, published on July 16. The decision relates to a claim by Max Schrems, an Austria resident whose data is subject to the protections of the EU's General Data Protection Regulation (GDPR), against Facebook's Ireland subsidiary. Schrems sought to stop Facebook from transferring his data to Facebook's servers in the USA. The basis for this action was the claim that the limitations imposed by US federal laws on surveillance by public authorities in the USA does not guarantee him the same level of protection that his data would receive in the EU, where allegedly binding conventions and member state law impose stricter limitations on such government surveillance.
The European Parliament, in an effort to ensure that European residents are afforded the same level of protection when their data is transferred across borders as they are afforded in the EU, included a prohibition on such transfers in the GDPR. The GDPR does, however, provide for mechanisms allowing for such transfers, which mechanisms are designed to ensure the protection of the rights and freedoms of EU residents. The most commonly used mechanisms are (i) reliance on a decision by the European Commission that the legal framework in the country to which the data has been exported has sufficient measures in place to provide such protection (commonly referred to as an adequacy decision), and (ii) a data processing agreement in the form approved by the European Commission (commonly referred to as Standard Contractual Clauses or SCCs).
The transfer of data by Facebook Ireland to Facebook US, like the transfer to many other US companies, relied on the Privacy Shield. The Privacy Shield is a specifically tailored adequacy decision that was designed in mutual co-operation by the US government and the European Commission. It allows companies processing data in the USA to assume the obligations under the GDPR and submit to the regulation and enforcement of US authorities regarding such obligations, on a voluntary basis. In doing so, such companies commit to be bound by the principals of the GDPR.
The decision of the European Court of Justice in Schrems II invalidated the Privacy Shield on the basis that the framework, and US federal laws, do not provide adequate protection against government surveillance, equivalent to the protections provided in the European Union. The question of government surveillance is the first in the list of criteria set in the GDPR to determine adequacy. However, in reviewing the adequacy decisions of various jurisdictions published by the European Commission, it is interesting to note that government surveillance is not addressed by the European Commission. Rather the decisions focus on the second criterion noted by the GDPR: the existence of a supervisory authority with enforcement powers for assisting and advising the data subjects in exercising their rights.
Consequences in Israel
The invalidation of an adequacy decision on this basis has raised some significant concerns in the Israeli privacy professional community. This is because Israel is also subject to an adequacy decision by the European Commission, and the Israeli ministry of defence likewise has significant authority under Israeli law. Israeli adtech companies currently enjoy a simple and straightforward onboarding procedure for clients that process the data of EU residents, through reliance on this decision. The clients are required to conduct a due diligence process covering the adtech company's security controls and internal compliance policies; however, with the assurance of the adequacy decision, they are currently not required to review the jurisdiction and the protections provided by local legislation.
If Israel's adequacy decision is invalidated on the same basis as the US Privacy Shield, Israeli adtech companies will be forced to replace it with another transfer mechanism, likely SCCs. However, in the same Schrems II decision, the court noted that when SCCs are relied upon, the transferring controller is under an obligation to assess the protections provided by the relevant jurisdiction itself. Thus, the due diligence procedure is expanded beyond the review of the company with which the transferring entity wishes to contract, to include local laws.
This will not only complicate transfers of personal data from the European Union to Israel, but has the potential to push Israeli companies that process large volumes of data to set up operations in Europe, and conduct more of their EU-related activity entirely within the EU, to avoid complicated and costly onboarding procedures, as well as the potential liability for unlawful transfers.
It will be interesting to see how the Israeli legislature adapts to this new ruling. It is true that defence considerations have a significant effect on policy and legislation decisions in Israel. However, Israel, and the Israeli industry, has a history of adjusting to react to international developments that affect its positioning in the global economy though legislative changes.
This effect may be compounded by the Israeli economy's reliance on the technology sector, including the adtech industry. Especially in light of the global pandemic's effect on more traditional industries, such as manufacturing, tourism and agriculture.
Amendments to the Israeli Privacy Protection Law
Another, more local, development affecting the Israeli adtech industry, occurred just one week after the publication of the CJEU decision. On July 23, the Israeli Ministry of Justice published a proposed bill to amend Israel's Privacy Protection Law, 1981. While it is tempting to draw a connection between the two occurrences, the bill in fact amends some gaps in the Israeli law that privacy experts in Israel have long pushed to have addressed.
The bill put forth by the Israeli Ministry of Justice is entirely unrelated to the issues raised by the Schrems II decision. Rather, it addresses elements of data protection and the enforcement thereof by:
This bill is still undergoing the legislative process and will likely undergo further changes before (or if) it is finally adopted. However, it does point to the Ministry of Justice's willingness to adopt the novel position of the European data protection authorities towards data protection. In fact, in the explanatory notes to the bill, alignment with the GDPR is explicitly mentioned as one of the motivations for adopting the bill.
The bill amends the definition of personal data to include information that can reasonably be used to identify a person. It reduces bureaucracy by limiting registration obligations significantly. It broadens and clarifies the categories of data considered sensitive.
The bill reflects a recognition that a person's personality, and as a result their right to privacy and autonomy, is not limited to their name, physical address, medical and financial information. A person's online activity could contain information of a very personal nature. Large scale processing of such data could, and does, have significant effects on a person's activity in the non-virtual world, as well as on social norms and trends.
However, the bill maintains the original limitation: applying the obligations imposed by the bill on collections of data, and the use thereof, such that large scale processing that does not include the maintenance and aggregation of the data collected, will not be subject to the bill. This potentially enables avoiding scrutiny by processing the information on a session basis, maintaining only information that does not fall under the legal definition of personal data. Thus, the bill does not fully align the Israeli law with the GDPR principals of processing. It remains to be seen what changes will be made to the bill before it is passed into law, but this undertaking by the Ministry of Justice does indicate the global trend of viewing data as personal, even where it only has the potential to reveal the identity of the natural person behind it.