A database owner in Israel decides to take advantage of a ceasefire between Israel and Iran and transfer information from the database in Israel to servers located in a slightly (in his opinion) less perilous area. Possibly with the new friends in Beirut or Hungary, or maybe he is thinking outside the box (and the missile range) and comparing quotes in Micronesia. But wait! Is the planned transfer even legal!?
The Israeli Privacy Protection (Transfer of Data to Databases Outside the State Borders) Regulations, 2001 establish a sweeping prohibition on the transfer of information outside of Israel. Excluded from this rule are transfers to jurisdictions that guarantee a level of protection no less than that in Israel. Note that this applies to information from registered and unregistered databases alike. Hence the leniencies regarding database registration implemented in Amendment 13 to the Israeli Privacy Protection Law, 1981 do not diminish this prohibition. Similar to the European GDPR, this too is European legislation absorbed into Israeli law. Thus, the Hungarian option will indeed work, but is that a reason to pass up the lucrative offers received from Micronesia?
In a nutshell (or maybe a shell of a (Micronesian coconut), the answer is - not necessarily. The regulations list a series of exceptions regarding the transfer of data to jurisdictions that do not meet the requirements of the aforementioned exception. The only exception that does not depend on the type of information or the data subjects is stipulated in Regulation 2(4) and permits the transfer of information subject to the transferee's contractual undertaking to comply with the conditions for holding and using information that apply to a database in Israel, mutatis mutandis (with the necessary changes). Given that identical laws is not a realistic requirement, and in order to maintain the rule that the phrase "mutatis mutandis" is not a magic spell granting unlimited deviation from the original framework, the Israeli Privacy Protection Authority sought to clarify the limits of those changes, and did so in a March, 2026, published opinion. Thus, for example, the transferee's non-compliance with the obligations to register a database or notify the Authority of its existence will be considered a "mutatis mutandis" if no similar obligation exists in the destination country.
The Authority clarifies that the permitted "mutatis mutandis" refers to the obligations of the holder abroad and does not exempt the database owner in Israel from its own duties as such. Furthermore, these are not changes required due to the subjective circumstances of the transferee, but rather due to differences between Israeli law and local law. Additionally, in accordance with the principle of non-deviation from the original framework, the Authority lists obligations that must be included in the agreement with the transferee, including: (a) a prohibition on using the personal information for any purpose other than that for which it was provided to the database controller in Israel; (b) an undertaking to grant the right of review to the data subject; (c) the data subject's right to request the correction or deletion of their personal information; (d) maintaining the confidentiality of the personal information; (e) securing the personal information in accordance with the Israeli Information Security Regulations or in accordance with the ISO/IEC 27001 standard and the Authority's guidelines[6], and in the future in accordance with the provisions of the Cyber Defence Law. However, it should be noted that although the transfer of information from that transferee to an additional transferee abroad is conditional upon the consent of the database owner in Israel, the obligations under Regulation 2(4) do not apply to this consent.
What, then, should a database owner in Israel do when seeking to transfer information abroad? First, it is recommended to consult in advance with an attorney with expertise in the field, and specifically an attorney who is a member of an international network of law firms. This allows one to receive the complex and comprehensive perspective and knowledge required to understand the applicable exceptions and the relevant laws in the transferee's jurisdiction, and to determine the need for an agreement and the exact content of the agreement with each transferee, taking into account the provisions of the Israeli Privacy Protection Law, the regulations, and their updated interpretation by the Authority on the one hand, but also the relevant foreign law on the other.