Data flows and digital repression: Civil society urges EU to reassess Israel’s adequacy status

One year of silence, one year of escalation

Today, EDRi, Access Now and a coalition of civil society organisations issued a second open letter to the European Commission calling for an urgent reassessment of Israel’s status as an ‘adequate’ country under the General Data Protection Regulation (GDPR). The letter follows a first intervention in April 2024, and is made public the day after the EU foreign policy chief presents to European foreign ministers a document affirming “…indications that Israel would be in breach of its human rights obligations under article 2 of the EU-Israel association agreement”. The EU’s inaction in the face of such a compelling finding ignores civil society calls to suspend the EU-Israel Association Agreement, and aligns with broader demands to reassess the entirety of the EU’s relationship with Israel in light of its escalating human rights violations and disregard for international law.

Despite repeated warnings from civil society, the Commission has neither responded to these concerns nor reconsidered its position. In the meantime, Israel has escalated military operations in Gaza, expanded biometric and algorithmic surveillance across the occupied Palestinian territories (oPt), and passed laws that weaken data protection oversight. These are not isolated developments: they form a digital infrastructure of repression in which personal data play a central role.

Six reasons adequacy must be reassessed

The letter identifies six areas where Israel’s legal and institutional framework fails to meet the GDPR’s standard of ‘essential equivalence’:

• Rule of law: Israel has further centralised executive power and eroded judicial independence, undermining the foundational conditions for rights protection.
• Insufficient legal framework for data protection: Israel’s data protection regime remains far from GDPR-aligned. The 1981 law has not been comprehensively updated, and Amendment 13, passed in August 2024, introduced serious regressions, including restrictions on the Privacy Protection Authority’s powers during election periods and broad exemptions for security agencies. These changes directly undermine the requirement for an independent supervisory authority with effective powers, widening the gap with the GDPR rather than closing it.
• National security and surveillance exemptions: Israeli security bodies are exempt from meaningful oversight, contradicting core GDPR principles such as proportionality, necessity, and access to redress.
• Territorial scope and onward transfers: Israeli law is applied extra-territorially to the oPt, defying international law and EU policy. This creates serious legal uncertainty and undermines the protection of EU personal data.
• Inadequate review process: The Commission’s review lacked transparency and failed to involve affected communities or independent experts, as emphasised in a letter from the European Data Protection Board (EDPB).
• Respect for international law: Continued data flows occur in the context of ongoing human rights violations and a binding obligation under international law not to assist in the maintenance of unlawful situations.

Surveillance, repression, and the role of EU-linked data

The open letter documents how Israeli companies process sensitive personal data from EU users, including biometric, geolocation, financial and behavioural information. These actors operate within a legal and political environment in which national security interests override privacy rights and where structural safeguards are absent.

Surveillance firms such as Cellebrite and NSO Group also benefit from the adequacy framework, while developing and exporting technologies used for mass surveillance and repression. In this environment, there are no enforceable guarantees that EU personal data is shielded from intelligence access, nor mechanisms to prevent its repurposing for law enforcement or military use.

Digital infrastructure of occupation

The inadequacy of Israel’s framework is also territorial. Israeli authorities apply their domestic data protection law to areas beyond its internationally recognised borders, including East Jerusalem and West Bank settlements. Surveillance and policing infrastructure – such as the national command centre in Gilo – are based in occupied territory, and EU personal data may be processed in these facilities.

This violates the EU’s own differentiation policy and creates a legal fiction that normalises the annexation of occupied land. The Commission has not provided any mechanism to ensure that the territorial scope of the adequacy decision is observed in practice.

Gaza: AI, data, and the ICJ’s genocide ruling

In January 2024, the International Court of Justice (ICJ) issued provisional measures in the case brought by South Africa, finding that Israel’s actions in Gaza plausibly amount to genocide. In July 2024, its Advisory Opinion reaffirmed the unlawfulness of Israel’s occupation and clarified that third states, including the EU, are obliged not to aid or assisting maintaining this situation.

The role of digital technologies in these violations is well documented. AI-driven targeting systems such as Gospel and Lavender have been used to automate the identification of targets in Gaza. These systems rely on massive datasets that may include personal data sourced from both commercial and intelligence domains. Facial recognition, biometric surveillance and geolocation tracking are routinely deployed in Gaza and the West Bank. In this context, data is not just a by-product of repression but its enabler.

Upholding the GDPR means reassessing adequacy

The letter calls on the European Commission to:

• Clarify the legal and factual basis for Israel’s continued adequacy status;
• Launch a new, comprehensive reassessment in line with Article 45 GDPR and the Charter of Fundamental Rights;
• Ensure that EU-Israel data transfers do not contribute to repression or surveillance;
• Establish a transparent, inclusive consultation process involving civil society and independent experts.

Maintaining Israel’s adequacy status without confronting these structural problems undermines the credibility of the EU’s data protection framework and risks entangling the Union in serious violations of international law. Adequacy must be more than a legal label. It must ensure that EU data does not fuel human rights abuses.

What’s next

EDRi, Access Now and the other signatories will continue to advocate for a rights-based and legally sound approach to cross-border data transfers. The GDPR’s adequacy mechanism must remain a tool of accountability, not a vector of digital complicity.