Israeli start-ups could be affected by EU privacy rules

Even Israeli companies from Gett Taxi to Waze – whose smartphone apps are available to be downloaded by EU nationals – may possibly be subject to the regulations.

May 3, 2018 01:19
3 minute read.
Waze, an Israeli mobile satellite navigation application, has revolutionized driving

Waze, an Israeli mobile satellite navigation application, has revolutionized driving. (photo credit: REUTERS/NIR ELIAS)


Dear Reader,
As you can imagine, more people are reading The Jerusalem Post than ever before. Nevertheless, traditional business models are no longer sustainable and high-quality publications, like ours, are being forced to look for new ways to keep going. Unlike many other news organizations, we have not put up a paywall. We want to keep our journalism open and accessible and be able to keep providing you with news and analysis from the frontlines of Israel, the Middle East and the Jewish World.

As one of our loyal readers, we ask you to be our partner.

For $5 a month you will receive access to the following:

  • A user experience almost completely free of ads
  • Access to our Premium Section
  • Content from the award-winning Jerusalem Report and our monthly magazine to learn Hebrew - Ivrit
  • A brand new ePaper featuring the daily newspaper as it appears in print in Israel

Help us grow and continue telling Israel’s story to the world.

Thank you,

Ronit Hasin-Hochman, CEO, Jerusalem Post Group
Yaakov Katz, Editor-in-Chief


If you’re Israeli and you want to do business in Europe, pay attention.

On May 25, the European Union plans to adopt the General Data Protection Regulation (GDPR) – a sweeping set of rules governing how businesses handle consumer data and privacy.

Israeli digital start-ups and Israeli hi-tech that do business with EU nationals, companies or subsidiaries will need to brace for the new obstacles.

Even Israeli companies from Gett Taxi to Waze – whose smartphone apps are available to be downloaded by EU nationals – may possibly be subject to the regulations.

In short, the GDPR regulates companies that collect and process personal data online. It includes the “right to be forgotten,” or data erasure, along with the right to have inaccurate data corrected and the right of data portability to a new company.

While the new rules won’t significantly affect Israeli innovation and the speed at which breaking-edge digital products can enter the market, they could slow down new start-ups and force them to grapple with more government regulations.

“If you’re a small startup company and you want to have a customer in the EU, that customer won’t use your services unless you are, or you say that you are GDPR-compliant,” said Ella Tevet, a partner at the Tel Aviv GKH Law Offices and who heads the firm’s IP and privacy practice. “That may cause some delays because until you are GDPR complaint, you’ll have difficulties with EU clients.

Companies must demonstrate compliance with the GDPR or risk facing €20 million fines or 4% of annual revenue, whichever is higher.

To prepare, thousands of Israeli companies doing business in Europe should undergo an audit – either ad hoc, in-house or by a full-fledged law firm.

“What Israeli companies need to do is to hold a data mapping, to figure what data they collect, where they collect it, store it, transfer it to, what security measures they implement to safeguard such data,” Tevet added.

The other big change in GDPR is its emphasis on data minimization – barring companies from collecting data which isn’t necessary for the purpose for which you collected it.

Prior to GDPR, the European Union recognized Israel in 2011 as having adequacy protections regarding personal data – making it easier to transfer personal data and conduct business between the two entities without restrictions.

With the GDPR coming into effect, the EU is examining again its adequacy decision – since there are many GDPR obligations and restrictions which are not currently covered under the Israeli law.

Israel’s Privacy Protection Authority is now considering adopting new rules in order to retain the EU adequacy decision.

Separately, new Israeli privacy regulations took effect last May – with security rules and mandatory notifications of data breaches – measures quite similar to the GDPR.

The Knesset is also considering a bill which would tighten sanctions against Israeli companies that violate the privacy law.

As an attorney, Tevet recommends that more established corporations consult counsel. But for fledgling Tel Aviv start-ups that lack the deep pockets, Tevet says that companies can still take steps to not be infringing EU law.

“Small Israeli companies should do whatever they do to move towards compliance, rather than not doing nothing, Tevet said. “They can get someone inside the company to review the GDPR, to do what they can to reduce costs... Even though a lot of companies say, oh they won’t come after us, they’ll go after Facebook and big firms. Yehiye b’seder, it’ll be okay.”

What Tevet is seeing so far concerns her, possibly validating the rationale behind the GDPR to protect users’ privacy and data.

“Anecdotally, I can see from some of my clients – they don’t erase their data, they don’t know where the data is actually stored, they don’t have adequate agreements with their sub-processors who process on data on their behalf, but no agreements with that sub-processor to implement adequate security measures,” Tevet added.

Join Jerusalem Post Premium Plus now for just $5 and upgrade your experience with an ads-free website and exclusive content. Click here>>

Related Content

March 24, 2019
Netanyahu arrives in Washington DC on key campaign stop