The European Commission (EC) has been ignoring calls to reassess Israel’s data adequacy status for over a year, despite “urgent concerns” about the country’s data protection framework and conduct in Gaza.
In April 2024, a coalition of 17 civil society groups coordinated by European Digital Rights (EDRi) signed an open letter voicing their concerns about the commission’s January 2024 decision to uphold Israel’s adequacy status (see box), which permits the continued free flow of data between the country and the European Union (EU) on the basis that each has “essentially equivalent” data protection standards.
Despite their calls for clarification from the commission on “six pivotal matters” – including the rule of law in Israel, the scope of its data protection frameworks, the role of intelligence agencies, and the onward transfer of data beyond Israel’s internationally recognised borders – the groups received no response, prompting them to author a second open letter in late June 2025.
“Since then [April 2024], Israel’s legal and political trajectory has only deepened our concerns, including the adoption of new laws undermining independent oversight, escalating human rights violations in Gaza, and the continued erosion of the rule of law and judicial independence,” they wrote.
“The combination of legal reforms, unchecked intelligence access and the operational deployment of EU-linked data in repressive practices further undermines the credibility of Israel’s adequacy status.”
Given the country’s tech sector accounts for 20% of its overall economic output and 53% of total exports, according to a mid-2024 report published by the Israel Innovation Authority (IIA), losing adequacy could have a profound effect on Israel’s overall economy.
“From a global perspective, high-tech’s centrality in the Israeli economy is a unique phenomenon,” the IIA said. “Its share of Israeli GDP … is similar to that of natural minerals such as oil and gas in the economies of those counters that rely on them. Considering the centrality of high-tech, changes in the sector may influence the entire economy.”
Economic significance
According to a consultation on privacy laws launched by the Israeli Ministry of Justice in November 2022 – which proposed a number of changes to Israel’s data protection framework specifically designed to retain Israel’s adequacy status – data adequacy “is of broad economic significance to the Israeli economy, as well as great importance in aspects of the State of Israel’s foreign relations”.
Similar concerns have also been raised by MEPs in the European Parliament, who asked the commission in January 2025 whether “the ongoing use of personal data [by Israel] in ways contrary to GDPR [General Data Protection Regulation] principles” (including for “large-scale surveillance” and “to target individuals in Gaza”) means it will reassess its adequacy decision.
European commissioner Michael McGrath responded that, based on its evaluation, the commission does not believe the decision needs to be modified or revoked.
“The commission’s analysis covered all relevant elements of the privacy framework and of the broader institutional and legal system … the commission also negotiated a significant strengthening of privacy safeguards and individual rights in Israel, developed to specifically apply to data transferred from the EU and implemented in Israeli law before the start of the Israel-Gaza war,” he said.
“Israel has then extended the application of these reinforced requirements also to data that is processed in a domestic context.”
McGrath added that the commission closely monitors the application adequacy decisions, and “has tools to react if the protection afforded to data transferred from the EU would be weakened, including the possibility to propose the amendment, suspension or repeal of the decision”.
No response
Despite its attempts to raise concerns, EDRi confirmed to Computer Weekly that, since sending the second open letter on 24 June 2025, there has been no response from the commission.
The European Commission told Computer Weekly it is aware of the EDRi’s open letters, but did not answer questions about why it had not responded, and claims it is unwilling to uphold its own standards when politically inconvenient.
“In the context of an adequacy finding under the GDPR, the commission is required to look at the protection of data transferred from the EU by commercial entities to commercial entities in third countries,” said a commission spokesperson.
“As for any adequacy decision, the commission closely monitors the application of this adequacy decision and has tools to react if the protection afforded to data transferred from the EU would be weakened,” they continued. “The commission evaluated in 2024 the adequacy decision for Israel in line with the GDPR regulation, and concluded, based on this assessment, that the protection regime was adequate.
“As is the case for all countries with an adequacy decision in place, we follow the situation as regards any changes in the legislative framework that may be relevant for ensuring an adequate level of data protection and have tools to react if the protection afforded to data transferred from the EU would be weakened, including the possibility to propose the amendment, suspension or repeal of the decision.”
According to the coalition, the commission’s “continued failure to engage” not only undermines transparency, but also raises serious questions about its commitment to upholding the GDPR and fundamental human rights.
EDRi also noted how since its last letter, Israel’s military actions in Gaza have only intensified, with the United Nations (UN) Special Committee confirming in November 2024 that its warfare methods are “consistent with the characteristics of genocide.”
The group added that a variety of technologies – including artificial intelligence (AI) systems and biometric databases – are used to “monitor, restrict and categorise Palestinian individuals, often in ways that raise concerns of racial profiling and automated decision-making without human oversight”.
Such digital tools also contribute directly to lethal military operations, with AI-driven targeting systems that process vast amounts of data being used to generate target lists for the Israeli Defence Force (IDF).
As a result, they say if the commission fails to reassess Israel’s adequacy, it will not only violate its own legal standards (particularly around the need for independent data protection oversight, adequate redress and effective limitations on national security access), but also risk “contributing to the entrenchment of an unlawful situation through the provision of digital infrastructure”.
The groups also highlighted how, as specified in recitals to the GDPR, the commission must take into account how a particular third country respects international human rights norms and standards.
“Reports indicate that data-driven targeting, biometric surveillance and other digital technologies are being used to facilitate human rights abuses and systematic oppression,” they said. “These actions demonstrate how the unregulated flow of data, facilitated in part by the EU’s adequacy decision, contributes to ongoing violations.”
Speaking with Computer Weekly, EDRi policy advisor Itxaso Domínguez de Olazábal said it is “deeply concerning” that the commission continues to ignore formal requests from civil society to reassess Israel’s adequacy status, despite mounting evidence.
“It has now been over a year since we first raised the alarm, and despite escalating rights violations and a growing body of international legal findings, including from the [International Court of Justice] ICJ, the commission hasn’t responded to our demands,” she said.
“Several members of the European Parliament recently echoed these concerns and called on the commission to act. This is not simply a case of bureaucratic delay, but signals a broader unwillingness to uphold the EU’s own standards when they become politically inconvenient.”
Adequacy concerns
Elaborating on their concerns, the civil society groups highlighted how the renewal of Israel’s adequacy status risks breaching the EU’s international obligations by enabling the use of personal data from the bloc to further an “unlawful occupation”.
They added that while the initial 2011 adequacy decision for Israel explicitly limits the scope of the agreement to its 1967 borders, there is no effective mechanism to ensure this territorial limit is observed in practice.
More specifically, they highlighted how Israel’s control of the occupied Palestinian Territories and other annexed land is problematic when considering the operational realities of its governance and surveillance infrastructure.
“For example, the headquarters of both the Israeli police and the Ministry of the Interior are located in occupied East Jerusalem, a territory not recognised by the EU as part of Israel,” they said.
“Similarly, Israel’s national surveillance command and control centre – which integrates facial recognition technologies, AI-based monitoring systems and real-time data flows – is based in the Gilo settlement, which is also located in occupied West Bank.”
They added the fact that data processing operations tied to law enforcement, biometric surveillance and national security are anchored in illegally annexed territory undermines claims the application of Israeli law in these areas is legally neutral or administratively irrelevant.
“In the absence of territorial safeguards, there is a tangible risk that personal data transferred from the EU may be accessed or processed within these facilities, thereby implicating the EU in the extension of Israeli jurisdiction over occupied territory and violating the obligation of non-recognition,” they said.
Lack of protection
Other concerns revolve around deficiencies in Israel’s own data protection framework, including the lack of protection for data transferred from the EU when being accessed by intelligence services, and legal amendments to reduce the powers of the country’s data protection authority during election periods.
“The European Commission’s continued silence in the face of these urgent concerns is untenable,” they wrote. “The absence of any meaningful response undermines trust in the EU’s commitment to fundamental rights and erodes confidence in its data protection framework.
“We therefore expect a swift and comprehensive response from the commission on this matter. Failing that, we will seek remedy through the appropriate oversight mechanisms, including the European Ombudsman.”
Independent data protection experts have also raised concerns about the EU-Israel data adequacy decision.
This includes Douwe Korff, an emeritus professor of international law at the London Metropolitan University, who published a legal analysis in April 2022 arguing that Israel’s data protection laws do not provide “essentially equivalent protection” to the GDPR, and Michael Veale, an associate professor at University College London, who said on X in May 2024 that the commission’s “re-affirmation of Israel’s data protection ‘adequacy’ status with little reporting or public analysis needs serious scrutiny”.