High Court of Justice 69668-02-26 AIDA The Association of International Development Agencies N’ Inter-Ministerial Team Responsible for International Humanitarian Organizations Registration - part 3

From here, we turn to examine the petitioners' arguments regarding the violation of the right to privacy and their prohibitions from acting in accordance with the procedure, which stems, according to them, from the regulation of theGDPR The European Conference.

The right to privacy and GDPR regulation

27. As a starting point for the discussion, if only for the sake of good order, it is appropriate to put things in place: The State of Israel is a sovereign state, and its powers are derived from Israeli law and not from EU law. The GDPR regulation, with all its importance and prestige on the international level, is not part of the internal law of the State of Israel, does not bind it at the level of international law, and in any case cannot bind the hands of the government in exercising its powers in matters of national security.  Therefore, even if we had assumed, in accordance with the position of the petitioners, and contrary to the conclusion below, that there is an insoluble conflict of law between the procedure and the European regulation, and it was clarified that I do not believe so, this would still not have changed the legal outcome.  The claim of the normative trap does not establish grounds for judicial intervention in the legality of a procedure that meets the requirements of Israeli law.
28. Against the background of these words, and before we examine the fabric of the laws themselves, we must consider a factual aspect that casts doubt on the claim of the "catch". According to data provided in the Respondents' Notice of Clarification dated February 26, 2026 (which they reiterated in paragraph 49 of their preliminary response), at least 41 aid organizations, including 14 aid organizations from European Union countries, have already provided the Respondents, in full or in part, with the information required in Section 5.1(8) of the Procedure for the purpose of examining their requests.  There is substance to the respondents' argument that this fact undermines the claim of the normative trap raised by the petitioners, and at the very least, substantially challenges their argument regarding their impossibility of responding to the request for information.  I shall now turn to the examination of the substance of things.
29. On the constitutional level, the right to privacy is enshrined in section 7 of the Basic Law: Human Dignity and Liberty as a right of the first order. Fundamentally, and in the light of the petitions before us, the right to privacy expresses the right of the individual to control the personal information relating to him, and it constitutes an essential element in maintaining personal autonomy vis-à-vis the power of the government (see, for example: Criminal Appeals Authority 4743/20 Leibel v.  State of Israel, para.  18 [Nevo] (July 21, 2022) (hereinafter: the Leibel case); Michael Birnhack "Public Privacy Engineering: The Case of transferring information from the population registry to political parties," Din Ve-Devarim 12:15, 50-51 (2019)).  However, we held that the right to privacy, like any protected constitutional right, is not an absolute right but a relative right, the scope of whose protection is derived from a balance against conflicting public interests (Criminal Appeal 4988/08 Farhi v.  State of Israel, IsrSC 65(1) 626, 649 (2011); High Court of Justice 5207/04 Appel v.  Attorney General, para.  8 [Nevo] (May 20, 2010)).  In our case, the alleged violation of privacy should not be examined in a vacuum, but rather in the concrete and unique context in which it occurs - the regulation of the activities of aid organizations in areas of security tension.  In this context, the individual's right to privacy is liable to withdraw, to the appropriate extent and no more, in the face of the vital public need to protect public peace and national security (and for the importance of these considerations, see, for example: High Court of Justice 9593/04 Morar v.  Commander of IDF Forces in Judea and Samaria, IsrSC 61(1) 844, 864 (2006)); A need that imposes an active duty on the state to ensure that civilian and humanitarian infrastructure is not abused by terrorist actors.
30. At the heart of their arguments is the claim of a normative "catch-22". According to them, the demand for information places them between the Israeli hammer and the European anvil: compliance with the provision of Article 5.1(8) of the procedure will, in their view, lead to a violation of the GDPR regulations and their exposure to legal sanctions in Europe.  However, an examination of the international data flow regime shows that this trap is, in essence, imaginary.  The starting point for its solution lies in the unique status of the State of Israel, which has been awarded an "Adequacy Decision" by the European Commission, which recognizes that Israeli law provides an adequate and equitable level of protection for personal information (Birnhack and Rahum-Twig, at p.  87).  In this context, the Petitioners' argument, which was argued in support of the foreign opinions that were attached, that the compliance does not apply on a territorial basis since it is limited to the territory of the State of Israel, and on the grounds that the information is processed in a way to which the compliance decision does not apply.  First, the information is provided directly to the computer systems of government ministries within the State of Israel, which are under the supervision of the Privacy Protection Authority and to which Israeli privacy protection laws apply; Second, the compliance decision expressly applies to the transfer of information intended for automated processing of the type requested in Section 5.1(8) of the Procedure.  Once the requested information is transferred to the authorities of a country recognized by the European Union as providing adequate protection of information transmitted by electronic means, and once it is stored in regulated government computer systems, it is covered by the essential definitions of the Compliance Decision (Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data (2011/61/EU), Articles 1(1), 2(2)).  Therefore, the petitioners' arguments should be rejected - both on the level of the territorial barrier and on the level of the type of processing.
31. More than necessary, and without exhausting the discussion, I have found it appropriate to address the fabric of checks and balances enshrined in the GDPR regulation. This requirement has a dual purpose: first, to clarify that national security goals and the need to balance them with the right to privacy are not alien to this regulation.  Second, to illustrate the great fundamental similarity between the European arrangement and Israeli law - a similarity that underlies the "conformity decision" that we discussed above.  An examination of European law shows that employee consent is not the sole route that allows the transfer of information.  Indeed, there is a real difficulty in processing information based on consent, especially in situations characterized by built-in power disparities, such as employment relations, and it is not for nothing that data protection laws tend to treat such consent as "suspicious consent" (Michael Birnhack, Constitutional Privacy 383 (2023); and see also High Court of Justice 8298/22 Public Defender's Office v.  Attorney General, para.  42 [Nevo] (August 31, 2025); Privacy Protection Authority: Statement of Consent in Privacy Protection Laws (February 25, 2026)).  However, the GDPR establishes, in appropriate cases, alternative routes that enable the transfer of data without the individual's consent.  Thus, for example, section 6(1)(e) of the Regulation allows the processing of data necessary for the performance of a task of public interest or for the exercise of governmental authority (it should be noted that section 49(1)(d) of the Regulation permits, even in the absence of compliance status, the transfer of information to a third country where it is necessary for important reasons of public interest; see: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679).  This is further strengthened by Article 23 of the GDPR, which explicitly recognizes the right of member states to restrict the rights of data subjects when it constitutes a necessary and proportionate measure in a democratic society to safeguard [...] national security").  We will return to these conditions - that the measure will be necessary and proportionate - which have also been explicitly anchored in Israeli law.
32. This is the place to refer to the position papers on behalf of the European data protection authorities, on which the petitioners place their trust. A review of the position papers shows that they also gave their opinion - beyond the aforementioned clauses - to Article 6(1)(f) of the GDPR, which allows the processing of information by virtue of a "legitimate interest".  Thus, the Norwegian Data Protection Authority noted that the processing of the information as set out in the procedure failed the "balancing test" set out in this section, since in its view, the state's requirement constitutes "excessive collection of personal data, including sensitive data, for purposes that appear to include security vetting and political screening") - and therefore, the risk to the rights of the employees outweighs the interest in the transfer of the information (see similarly the position paper of the Dutch Authority).  However, with all due respect, this legal conclusion rests on a fundamentally different factual basis than the one before us.  The position papers that were attached encapsulate in one breath the minimal information requested in the first stage (registering the organization in accordance with section 5.1 of the procedure), and the additional information required in the second stage (submitting an application for a positive recommendation to a foreign worker) - even though in the case of the latter, no argument was raised in the petitions before us, and while ignoring the fact that it is based on an application for a stay and work visa.  Since the petitions in question attack only section 5.1(8), which suffices with providing only basic formal identifying details, the argument regarding excessive collection lacks basis.  When the factual basis for this argument is omitted, the result of the balancing test also changes: in the face of the limited and limited violation of the privacy of the workers in the first stage, there is a legitimate and weighty interest in ensuring that humanitarian aid infrastructure is not used, God forbid, by terrorist organizations.  It seems that even the petitioners do not deny this need in practice, and the importance and legitimacy of Israel's security concerns, and the need for increased supervision, can be learned from the European Commission's letter attached by the petitioners themselves ("The EU acknowledges Israel's legitimate security concerns and the need for heightened scrutiny").  In this balance, the scales are clearly tilted in favor of the transfer of identifying information.

We have learned that the built-in fabric of balances OnGDPR itself allows the transfer of information in circumstances similar to our case, and dismantles the claim of the alleged trap.  As we will see right away, Israeli law is quite similar.  The conformity decision, which constitutes a normative bridge that shifts the weight to Israeli law, was given precisely on the basis of this similarity and on the basis of confidence in the ability of local law to protect the right to privacy and to strike the right balance between privacy and security.  Therefore, we must now turn to examining how these principles are applied in the realm of domestic law, first and foremost the regulations that regulate the handling of information received from the European Union.

33. The Protection of Privacy Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 5783-2023 (hereinafter: the Mediation Regulations), which apply to the transfer of information from EU countries to a database in Israel, were enacted as an integral part of the process of ratifying the status of compliance with the European Union (Birnhack and Rahum-Twig, at pp. 280-281).  Their purpose was to bridge the gaps between Israeli and European law.  These provide for an explicit exception in Regulation 2(b)(2), according to which the duties set forth therein will not apply to "the use of information required for the purpose of protecting national security or law enforcement, to the extent necessary and proportionate to ensure these purposes." This provision is, in effect, the normative reflection of Israel in the fabric of security checks and balances enshrined in the GDPR; it provides the respondents with the legal infrastructure required for the processing of information for security purposes, while ensuring that the Authority's action remains firmly rooted in the European standard for data protection and the requirements of Israeli law.  The application of this exception therefore requires a double and rigorous examination: first we must examine whether the information requirement does indeed serve a security purpose; Afterwards, it is necessary to ensure that the violation of privacy involved is necessary and proportionate to achieve it.  I will now move on to this exam.
34. As for the first test, it is clear that the information requirement serves a clear security purpose. As the respondents clarified in writing and orally, the purpose of the transfer of the information is to maintain access control and security checks, inter alia, in order to prevent activity that endangers national security and the leakage of humanitarian aid to terrorist organizations, whether the aid organizations know it or not.  The events of October 7, 2023, and the war that ensued, illustrated the critical need for state supervision, and the government's obligation to prevent the infiltration of terrorist elements into the ranks of humanitarian aid organizations.  This danger is not theoretical at all; Recently, however, my colleague President   Amit insisted that the terrorist organizations in the Gaza Strip "sought to take control of humanitarian aid shipments for the purpose of military and economic buildup, while abandoning the civilian population to which the aid was intended" (see: High Court of Justice 2280/24 Gisha Center for the Protection of the Right to Move v.  Government of Israel, paragraph 3 of the judgment of President Amit [Nevo] (March 27, 2025)).  As my colleague Vice-President N.  Sohlberg also noted in the same case, a situation in which aid falls into the hands of a terrorist organization prevents the fighting from reaching its end, so that this aid "does not bring with it a message of peace, but rather perpetuates pain and suffering" (ibid., at paragraph 7 of his opinion).  These statements illustrate well why the existence of a security vetting mechanism is not only legitimate, but constitutes an indispensable necessity that serves an extremely important interest of national security and the protection of human life.
35. Since we have determined that the demand for information serves a proper purpose, we must move on to examining the necessity of the means (which is the test of the means whose harm is less. See, for example: High Court of Justice 2705/20 Smadar v.  Prime Minister, para.  14 [Nevo] (April 27, 2020)).  This test examines whether the state has chosen a means whose infringement of the right to privacy is the least possible of the means that achieve the security purpose in a prudent manner.  In our case, the application of Section 5.1(8) of the Procedure indicates that the State has chosen to act in light of the principle of "data minimization" (see: Section 5(1)(c) of the GDPR; Birnhack and Rahum-Twig, at p.  214).  Section 5.1(8) suffices with formal identification data and contact methods only.  This reduction illustrates that the state has moderated the intensity of the violation of employees' privacy.
36. But beyond that, consideration must be given to the self-filtering alternative proposed by the petitioners. According to the organizations, it is possible to suffice with the internal due diligence system carried out by them, as an alternative means of achieving the goal of less violating privacy.  In this framework, the petitioners laid out a wide range of control actions and efforts taken by them before hiring an employee into their ranks, including: conducting rigorous in-depth interviews, examining employment background and collecting recommendations, as well as checking and cross-checking the names of candidates against terrorist lists and international sanctions (such as those managed by the United Nations and the European Union).  Despite the appreciation for these efforts and the resources invested in them, I cannot accept the petitioners' argument that self-filtering can be sufficed as a substitute for the transfer of information.  A well-established rule is that the necessity test requires a means that achieves the purpose in a manner equivalent to the means chosen (High Court of Justice 2056/04 Beit Sourik Village Council v.  Government of Israel, IsrSC 58(5) 807, 849 (2004); the Al-Naqwa case, at para.  53; High Court of Justice 7952/21 Greenblatt v.  Minister of Environmental Protection, para.  43 [Nevo] (July 24, 2023)).  It is clear that conducting a screening and inspection process for the purpose of maintaining security is one of the government's core powers, and that self-examination of aid organizations against open databases cannot be an equivalent alternative to a security check conducted by the state.  Therefore, the said proceeding does not constitute an effective alternative that is less harmful.
37. The final stage of the examination is the test of proportionality in the narrow sense, which examines the equilibrium between the benefit that arises from the procedure and the severity of the infringement of the right to privacy that it entails (see the Al-Naqwa case, at para. 50; High Court of Justice 6942/19 Chabano v.  Minister of the Interior, para.  69 [Nevo] (July 12, 2023);High Court of Justice 8425/13 Eitan Israeli Immigration Policy v.  Government of Israel, paragraph 24 of the opinion of Justice   Vogelman [Nevo] (September 22, 2014)).  In this case, the scales are clearly tilted in favor of governmental action.  As detailed above, at stake is the supreme interest of national security and the protection of human life, an interest that has been sharpened even more strongly in light of the attempts by terrorist organizations to integrate into the humanitarian aid mechanisms.  On the other hand, at stake is a requirement to provide only basic identification and contact data.  Without diminishing the harm involved in the very provision of identifying information, it is necessary to be precise in its nature: the provision of Article 5.1(8) of the Procedure is not concerned with the collection of "sensitive information" in the legal sense, but only with formal identification data (while names, identity numbers and contact methods constitute personal data, as defined in Article 4(1) of the GDPR, they do not at all fall within the scope of special categories of data).  defined in Article 9(1) of the GDPR.  Article 9(1) regulates the processing of sensitive data such as religion, ethnicity, political opinions, genetic or biometric data, data relating to health, sex life and sexual orientation; See also the definitions of "personal information" and "information of special sensitivity" in section 3 ofthe Protection of Privacy Law, 5741-1981; and for a distinction between the hard core of privacy and the periphery of this right in Israeli law, see: Civil Appeal 8954/11 Anonymous v.  Anonymous, IsrSC 66(3) 691, 733-736, 771-770 (2014); Aharon Barak, Basic Law: Human Dignity and Liberty and the Basic Law: Freedom of Occupation - Volume 3 - Constitutional Rights 1559 (2023)).
38. Beyond that, and this is another layer in reducing the intensity of the infringement, as declared by the respondents, the Ministry of Diaspora Affairs contacted the Privacy Protection Authority in order to establish the database and register it legally. The issue is currently being dealt with in an orderly manner, after the Authority has submitted its professional comments.  This supervision procedure is an additional guarantee that the data retention and security will be carried out in accordance with the standards set by law and under the supervision of the professional regulator in this regard, which minimizes the risk of information leakage or misuse.
39. To summarize this chapter: The petitioners' arguments regarding the violation of privacy should not be accepted. Beyond the conclusion that the GDPR includes similar security mechanisms, which enable compliance with the state's requirements for reasons of public interest and national security, no basis has been laid for the argument that the European Compliance Decision does not apply in the circumstances of our case.  Once we have found that the information requirement as it appears in section 5.1(8) of the procedure meets the tests of purpose, necessity and proportionality, there is no longer room for the claim that the section imposes a violation of foreign law on the organizations.  The information requirement in Article 5.1(8) is a limited and proportionate step, deriving from the state's basic duty to protect its security and the security of its residents, while allowing for the continuation of humanitarian activity by international aid organizations.

International Law

40. The third level on which the petitioners base their arguments is the realm of international law. The petitioners argue that the parties to the conflict are obligated to allow the free passage of humanitarian aid.  At the center of their argument is the claim of a violation of Article 63 of the Fourth Geneva Convention relative to the Protection of Civilian Persons in Time of War (hereinafter: the Convention).  This provision states that, except for the use of temporary and exceptional measures required for urgent security reasons, the occupying power may not demand changes in the personnel or organizational structure of the aid organizations, which may endanger their activities ("The Occupying Power may not require any changes in the personnel or structure of these societies, which would prejudice the aforesaid activities"), according to the petitioners, Based on the interpretation of the International Committee of the Red Cross (ICRC), the purpose of this provision is to prevent the creation of an affinity between aid organizations and governance and enforcement mechanisms, and to preserve the independence and neutrality of aid organizations.
41. I did not find any basis for the claim of violation of international law. It should be clarified at the outset that the question of the applicability of the Convention to the territories of the Gaza Strip during hostilities is an issue that has not yet been decided (see: The Issue of Access, in paragraph 17 of the opinion of President   Amit, where the State agreed that its activity in the Gaza Strip would be examined in the light of Article 23 of the Geneva Convention, by virtue of customary international law, without deciding the question of the applicability of the Convention to its activity in the Gaza Strip; see also: High Court of Justice 9132/07 Albasiouni v.  Prime Minister, paragraphs 13-14 [Nevo] (January 30, 2008); and compare: High Court of Justice 201/09 Physicians for Human Rights v.  Prime Minister, IsrSC 36(1) 521, 536-537 (2009)).  However, the state does not dispute its obligation under international law, as a party to the belligerence, to allow and facilitate the entry of necessary humanitarian aid to the civilian population, alongside its right to supervise the aid, including those seeking to transfer it, in order to ensure that it is indeed humanitarian and neutral.
42. In fact, there is no dispute about the need to maintain the neutrality of aid organizations. However, the petitioners did not show how an administrative requirement to provide basic identification data about their employees, which is intended for security purposes, amounts to coercing a change in the organizational structure or the composition of the organization's manpower, let alone harming its activity.  The claim that the provision of information will indirectly lead to a male exchange is a vague claim that lacks support.  Moreover, it is clear that if a request for registration in respect of a specific employee is unlawfully rejected, the organization has the way to obtain it on the individual level, and this alone does not constitute a reason for disqualifying the information requirement.
43. In any event, and contrary to the petitioners' position, the said provision does not negate the state's authority to ensure that the organization does not abuse the delivery of humanitarian aid. As provided in the Gijah Issue and in accordance with the provisions of the Fourth Geneva Convention: "Each party to the Convention is obliged to allow the free passage of various humanitarian goods for civilians, subject to certain conditions, including the right of the State facilitating the passage of aid to make the necessary technical arrangements; and also subject to the fact that that country has been convinced that there is no real reason to fear that the aid will be diverted from its destination...; that supervision may not be effective; Or it could yield a clear advantage...  to the military effort or to the economy of the enemy, due to its ability to use aid instead of producing and supplying various goods itself" (paragraph 16).  In fact, this authority does not violate the principle of neutrality, but is intended to serve it.

Conclusion

44. In light of all of the above, I would suggest to my colleagues that the petitions be dismissed. Beyond the letter of the law, and in order to enable the petitioners to register as international aid organizations, I propose that the petitioners be given an extension of 30 days from today to submit a full application in accordance with the provisions of the procedure, and to the extent that such a request has been submitted, to complete it in accordance with the provisions of section 5.1(8) of the procedure.  The temporary order issued will remain in effect during this period.