Rights Groups: Israel's Data Protection Regime Needs Serious EC Review
The European Commission must urgently reassess Israel's data protection adequacy status, European Digital Rights (EDRi), the Electronic Privacy Information Center and 15 other civil rights groups said in a Tuesday letter to Michael McGrath, EU commissioner for democracy, justice, rule of law and consumer protection. Neither the EC nor the Israeli government commented immediately.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
This is the second letter urging the EC to act, the groups wrote. They noted they initially voiced concerns when the EC confirmed Israel's adequacy status in January 2024.
"Since then, Israel's legal and political trajectory has only deepened our concerns, including the adoption of new laws undermining independent oversight, escalating human rights violations in Gaza, and the continued erosion of the rule of law and judicial independence," the letter said. "The combination of legal reforms, unchecked intelligence access, and the operational deployment of EU-linked data in repressive practices further undermines the credibility of Israel's adequacy status."
The EC's failure to engage on the issue raises questions about its commitment to upholding the General Data Protection Regulation and protecting human rights, the groups argued.
The letter names six areas where, they said, Israel's legal and institutional framework fails to meet the GDPR's requirement that data protections in Israel be essentially equivalent to those in the EU.
Israel has further centralized executive power and eroded judicial independence, undermining the foundations of rights protections, they wrote. The country's data-protection regime "remains far from GDPR-aligned," and hasn't been comprehensively updated since it was enacted in 1981; in fact, the law has regressed by placing restrictions on the Privacy Protection Authority's power during elections and broad exemptions for security agencies.
Moreover, the country's security bodies are exempt from meaningful oversight, contradicting core GDPR principles such as proportionality, necessity and access to redress, the groups said. In addition, the law is applied extraterritorially to the Occupied Palestinian Territory, in breach of international law and EU policy.
The letter accused the EC of carrying out an inadequate adequacy review process and of failing to involve affected communities or independent experts, a situation that, the groups noted, was emphasized in a Dec. 6, 2024, letter to McGrath from the European Data Protection Board.
The EDPB, which commented on the methodology of the 11 adequacy decisions the EC approved in January 2024, pointed to "certain aspects that could have been described in more detail in the report" and deserve close monitoring.
The civil society groups also argued that data flows are continuing in the context of human rights violations and without respect for international law.
Israel's digital sector accounts for around 20% of its economy, and a wide range of companies operating in the country process EU personal data across multiple sectors, the groups noted.
Consumer-facing platforms such as Waze (navigation), MyHeritage (genetic testing) and AppsFlyer (mobile marketing) handle sensitive personal data from EU users, such as geolocation, biometric and genetic information, the letter noted. "The issue is not that these companies exist, but that Israel's legal framework does not provide enforceable protections equivalent to those in the EU."
There's no guarantee that data processed by such companies will be shielded from access by Israeli security services, and surveillance technology firms operate within the same regulatory ecosystem and have close ties with the Israeli state, the groups said.
EDRi joined other civil society organizations in a letter to McGrath earlier this month urging the EC to gauge whether changes to the U.K. data-protection law arising from the newly adopted Data Use (and Access) Act should affect Britain's adequacy decision (see Ref:2506100003).
On June 24, the EC formally extended the U.K.'s adequacy decision to Dec. 27, giving itself more time to review new regulations.