Israeli start-ups could be affected by EU privacy rules

Even Israeli companies from Gett Taxi to Waze – whose smartphone apps are available to be downloaded by EU nationals – may possibly be subject to the regulations.

Waze, an Israeli mobile satellite navigation application, has revolutionized driving (photo credit: REUTERS/NIR ELIAS)
If you’re Israeli and you want to do business in Europe, pay attention.
On May 25, the European Union plans to adopt the General Data Protection Regulation (GDPR) – a sweeping set of rules governing how businesses handle consumer data and privacy.
Israeli digital start-ups and Israeli hi-tech that do business with EU nationals, companies or subsidiaries will need to brace for the new obstacles.
Even Israeli companies from Gett Taxi to Waze – whose smartphone apps are available to be downloaded by EU nationals – may possibly be subject to the regulations.
In short, the GDPR regulates companies that collect and process personal data online. It includes the “right to be forgotten,” or data erasure, along with the right to have inaccurate data corrected and the right of data portability to a new company.
While the new rules won’t significantly affect Israeli innovation and the speed at which cutting-edge digital products can enter the market, they could slow down new start-ups and force them to grapple with more government regulations.
“If you’re a small startup company and you want to have a customer in the EU, that customer won’t use your services unless you are, or you say that you are GDPR-compliant,” said Ella Tevet, a partner at the Tel Aviv GKH Law Offices who heads the firm’s IP and privacy practice. “That may cause some delays because until you are GDPR compliant, you’ll have difficulties with EU clients.”
Companies must demonstrate compliance with the GDPR or risk fines of €20 million or 4% of annual revenue, whichever is higher.
To prepare, thousands of Israeli companies doing business in Europe should undergo an audit – either ad hoc, in-house or by a full-fledged law firm.
“What Israeli companies need to do is to hold a data mapping, to figure what data they collect, where they collect it, store it, transfer it to, what security measures they implement to safeguard such data,” Tevet added.
The other big change in GDPR is its emphasis on data minimization – barring companies from collecting data which isn’t necessary for the purpose for which it was collected.
Prior to GDPR, the European Union recognized Israel in 2011 as having adequate protections regarding personal data – making it easier to transfer personal data and conduct business between the two entities without restrictions.
With the GDPR coming into effect, the EU is re-examining its adequacy decision – since there are many GDPR obligations and restrictions which are not currently covered under Israeli law.
Israel’s Privacy Protection Authority is now considering adopting new rules in order to retain the EU adequacy decision.
Separately, new Israeli privacy regulations took effect last May – with security rules and mandatory notifications of data breaches – measures quite similar to the GDPR.
The Knesset is also considering a bill which would tighten sanctions against Israeli companies that violate the privacy law.
As an attorney, Tevet recommends that more established corporations consult counsel. But for fledgling Tel Aviv start-ups that lack deep pockets, Tevet says that companies can still take steps to avoid infringing EU law.
“Small Israeli companies should do whatever they do to move towards compliance, rather than not doing nothing,” Tevet said. “They can get someone inside the company to review the GDPR, to do what they can to reduce costs... Even though a lot of companies say, oh they won’t come after us, they’ll go after Facebook and big firms. Yehiye b’seder, it’ll be okay.”
What Tevet is seeing so far concerns her, possibly validating the rationale behind the GDPR to protect users’ privacy and data.
“Anecdotally, I can see from some of my clients – they don’t erase their data, they don’t know where the data is actually stored, they don’t have adequate agreements with their sub-processors who process data on their behalf, but no agreements with that sub-processor to implement adequate security measures,” Tevet added.