For over a year the European Commission (EC), despite “urgent concern” about Israel’s data protection and conduct in Gaza, has ignored calls to reassess Israel’s data adequacy.
On April 2024, 17 civil society organizations coordinated by European Digital Rights signed an agreement. Open letter to express their concerns regarding the commission’s decision in January 2024 to uphold Israel’s rights. The adequacy designation (see the box) allows the free flow of data to continue between the EU and Israel on the basis that both have “essentially equivalent” standards for data protection.
Despite the groups’ requests for clarifications from the commission regarding “six crucial matters”including the rule-of-law in Israel, scope of its data-protection frameworks, intelligence agencies’ role, and the transfer of data outside Israel’s internationally recognized borders, they received no response. This led them to author an a Second open letter in June 2025
Since then [April 2024]Israel’s legal-political trajectory has only intensified our concerns. This includes the adoption of new legislation undermining independent supervision, the escalating violations of human rights in Gaza, and continued erosion of rule of law and independence,” they wrote.
The combination of unchecked access to intelligence and the operational deployments of EU-linked data for repressive practices further undermines Israel’s adequacy. According to a report by the Israel Innovation Authority (IIA) published in mid-2024, losing adequacy can have a profound impact on Israel’s economy.
According to the IIA, “from a global perspective high-tech is central to the Israeli economy. This is a unique phenomenon.” “Its share in the Israeli GDP is similar to the share of natural minerals like oil and gas, which are important for those countries that depend on them.” Changes in high-tech could have a significant impact on the economy, given its centrality.
Economic importance
According to a consultation launched by the Israeli Ministry of Justice on privacy laws in November 2022 which proposed a series of changes to Israel’s data protection framework specifically designed for Israel to retain its adequacy, data adequacy is “of broad economic importance to the Israeli economy as well as a great importance in aspects of State of Israel’s foreign relations”.
Similar MEPs from the European Parliament also raised concerns and asked the commission if “the continued use of personal data [by Israel] contrary to GDPR principles [General Data Protection Regulation] ” (including “large-scale monitoring” and “to “target individuals in Gaza”) meant it would reassess the adequacy decisions.
European commissioner Michael McGrath The commission respondedby saying that, based upon its evaluation, it does not believe that the decision should be modified or revoked. He said that the commission’s analysis included all relevant elements in the privacy framework, as well as the broader legal and institutional system. “The commission also negotiated an important strengthening of privacy safeguards in Israel to specifically apply to the data transferred from the EU. This was implemented in Israeli law prior to the Israel-Gaza conflict,” he added.
Israel has extended the application to data processed within the domestic context.
McGrath said that the commission closely monitors adequacy decision applications and “has the tools to react” if the protection afforded data transferred from the EU is weakened.
There was no response
EDRi confirmed that the commission has not responded to its second open letter sent on 24 June 2025.
According to Computer Weekly, the European Commission is aware of EDRi’s letters but has not responded. It also claims that it will not uphold its standards when it is politically inconvenient. A spokesperson for the commission said that, “In the context a GDPR adequacy determination, the commission must examine the protection of data transfers from the EU to commercial entities in other countries,”
As for any adequacy decisions, the commission closely monitors their application and has tools available to react if data transferred from the EU is not protected. The commission assessed Israel’s adequacy in 2024 in accordance with the GDPR regulations and concluded that the protection regime in place was adequate.
As is the case with all countries that have an adequacy determination in place, we monitor any changes to the legislative framework which may be relevant to ensuring an adequate level for data protection. We also have tools available to us to react in the event of a weakening of the protection afforded data transferred from the EU, including the option to propose an amendment, suspension, or repeal of the decision.
EDRi noted that since its last email, Israel’s actions in Gaza had intensified. The UN Special Committee on Gaza has also expressed concern about the commission’s commitment to upholding GDPR and fundamental human rights. confirming in November 2024 that its warfare methods were “consistent” with genocide.
They added that a number of technologies, including artificial intelligence systems and biometric databases, are used to “monitor and restrict Palestinian individuals in ways that raise questions about racial profiling, automated decision-making, and human oversight”.
These digital tools also contribute directly towards lethal military operations. AI-driven targeting system which processes vast amounts of data is being used to Create target lists to be used by the Israeli Defence Force.
They say that if the commission does not reassess Israel’s adequacy it will not only breach its own legal standards, but also risk “contributing towards the entrenchment an unlawful situation by providing digital infrastructure”.
They also highlighted that, as specified in In order to comply with the GDPR’s recitals, the commission is required to consider how a certain third country complies with international human rights standards and norms.
They said that reports indicate that data-driven targeted, biometric surveillance, and other digital technology are being used to facilitate abuses of human rights and systematic oppression. “These actions show how the unregulated data flow, facilitated by the EU’s decision on adequacy, contributes to continuing violations.”
Speaking to Computer Weekly, EDRi’s policy advisor Itxaso Dominicinguez de Olazbal said that it is “deeply worrying” that the commission ignores formal requests from the civil society to reassess Israel’s adequacy, despite mounting proof.
She said, “It’s been more than a year since our first alarm was raised, and despite escalating human rights violations and a growing number of international legal findings including those from the [International Court of Justice] ICJ the commission has not responded to our requests.”
Several members of the European Parliament have recently echoed this concern and called on the Commission to act. This is not just a case where bureaucratic delays are involved, but it signals a wider unwillingness to enforce the EU’s standards when they become politically unpalatable.
Adequacy Concerns
Explicating their concerns, civil society groups pointed out that the renewal of Israel’s adequacy could breach the EU’s international obligations as it would allow the use of personal information from the EU to further an “unlawful occupation”.
The groups added that, while the Although the initial 2011 adequacy rulingfor Israel limits the scope to its 1967 borders there is no effective way to ensure that this territorial limit is observed.
They highlighted that Israel’s control over the occupied Palestinian Territories (OPT) and other annexed lands is problematic, when considering its operational realities and surveillance infrastructure. They said that the Israeli police and the Ministry of the Interior have their headquarters in occupied East Jerusalem – a territory that is not recognized by the EU as being part of Israel.
“Israel’s national command and control center – which integrates AI-based monitoring and real-time data flow – is based at the Gilo settlement in the occupied West Bank.” They added that the fact that data-processing operations related to law enforcement, surveillance, and national security are located in illegally annexed territories undermines claims about the application of Israeli laws in these areas being legally neutral or administratively relevant.
In the absence of any territorial safeguards, it is possible that data from the EU could be accessed and processed in these facilities. This would implicate the EU as a party to the extension of Israeli sovereignty over occupied territories, and violate the non-recognition obligation.
Lack of protection.Other concerns revolve around Israel’s own data-protection framework, such as the lack of protection of data transferred from the EU that is accessed by intelligence agencies, and the legal amendments which reduce the powers of Israel’s data-protection authority during election seasons.
The European Commission’s continued inaction is unacceptable, they wrote. “The absence any meaningful response undermines the trust in the EU’s commitment to fundamental right and erodes its data protection framework.
We expect a comprehensive and timely response from the Commission on this issue. We will seek redress through the appropriate oversight mechanism, including the European Ombudsman, if that fails.
Independent experts in data protection have also expressed concerns about the EU and Israel data adequacy determination.
These include Douwe Korff an emeritus Professor of International Law at the London Metropolitan University who published a legal assessment arguing that Israel’s data protection laws did not provide “essentially equivalent protection” to the GDPR in April 2022, and Michael Veale an associate professor at University College London who stated on X May 2024 that “the commission’s reaffirmation of Israel’s data protection “adequacy
