The US-Israel Legal Review 2019 5

to note, can apply to Israeli companies with

European data subjects). While companies that

adopt a comprehensive GDPR compliance program

may result in partial compliance with Israeli data

protection laws, additional actions must be taken

in order to be fully compliant.

For example, while the GDPR requires

controllers and processors to take appropriate

technical and organizational measures to ensure

the level of security that is appropriate to the level

of the risk, the Israeli Data Security Regulations

(2017) impose specific, granular requirements

with respect to personal data collected and

maintained in databases. These Israeli regulations

include detailed requirements for controlling,

monitoring and recording database access. They

also impose specific requirements and timeframes

for performing “proper penetration testing” and

rotating passwords.

In addition, while the GDPR permits, under

certain circumstances, the export of data outside

the EU to entitieswith adequate levels of protection,

Israeli law imposes additional conditions such as

specificconsentfromdatasubjectsoracommitment

from the data recipient to protect information in

accordance with the law. Israeli law can also be

stricter with respect to subsequent transfers of

data to sub-processors, and in its requirement to

appoint “data security officers” even in cases where

no comparable obligation exists under the GDPR. A

requirement to register certain types of databases

is also unique to Israeli law, as well as additional

terms that must be added to Israeli agreements for

the outsourcing of data processing activities.

The importance of educating foreign clients,

their general counsels and our partner-law firms

with these recent and dynamic privacy regulations,

is not only in the context of due diligence on Israeli

target companies, but also for ongoing operations

in Israel, as increased penalties for data protection

violations are likely to come into effect. If passed,

they will substantially increase the risk profile of

non-compliance, and random audits by the Israeli

authorities are expected to become a feature of the

new environment.

It should also be noted that Israel has very strict

export controls and license requirements for the

export of encrypted data, which is beyond the

scope of this article.

GOVERNMENT FUNDING

Many hi-tech companies in Israel receive

funding from the government through the Israel

Innovation Authority (formerly known as the

Office of the Chief Scientist), and there is no such

thing as a free lunch! Recently, the law has been

amended to provide a formula containing a ceiling

for compensating the Authority for transfers

outside of Israel of IP/technology/products whose

R&D was funded thereby. The IP transfer fee is

now capped at six times the amount of the grant

or, if the buyer will commit and maintains 75% of

such R&D operations in Israel for three years, the

multiple can be reduced to three times the amount.

We will focus the rest of this article on other

unique, but not necessarily new, issues involving an

Israeli target.

TAX WITHHOLDING

Tax planning and strategy is always a key element.

Israeli tax law imposes very broad tax withholding

obligations upon a buyer until the selling parties

provide tax exemption certificates issued by

the Israel Tax Authority. A non-Israeli company

managed and controlled from Israel or with

significant assets in Israel can be considered an

EZRA S. GROSS

PARTNER