Israeli Privacy Authority Extends Period for Comment on Draft Guidance on AI Systems

Written by Yoheved Novogroder-Shoshan, Miriam Friedmann and Tamar Tavory

Overview
On April 28, 2025, the Israeli Privacy Protection Authority (PPA) published draft guidance outlining the application of Israel’s Privacy Protection Law to artificial intelligence (AI) systems. This comprehensive guidance addresses privacy considerations throughout the entire lifecycle of AI systems- from training to deployment.

The PPA recently extended the period for public comment on the draft until July 6, 2025.

The draft guidance can be found here.

Key Provisions of the Draft Guidance

Application of Privacy Law to AI Systems

The guidance clarifies that Israel’s Privacy Protection Law applies not only to personal information input into AI systems, but also to information that AI systems infer or derive from that data. 

Legal Basis for Processing

The guidance emphasizes that organizations must establish a valid legal basis for processing personal data at each stage of an AI system’s lifecycle, including development/training and operational use.   In many cases, data subject consent will be required to establish legal basis for processing personal data in AI systems.

Informed Consent and Transparency

The guidance sets forth detailed requirements for providing proper notice and obtaining consent, if needed, when using AI systems.   In order to meet notice obligations and rely on consent as a basis for processing, the following requirements must be met:

• organizations must provide sufficient explanation of how AI systems operate, including reliability and technical limitations.  
• Users must be explicitly informed when interacting with an AI system rather than a human.
• The specific types of data used by AI systems must be disclosed
• Each purpose for which data are used must be explained, including algorithm training
• More complex or unexpected uses require more detailed explanations and explicit consent, including by means of an opt-in

Web Scraping Limitations

The guidance places significant restrictions on scraping personal information from the internet for purposes of AI training:

• Informed consent (for example, where a social network’s terms do not restrict data use or other purposes and the data subject has not restricted data access) is required for scraping personal data for AI training
• Publishing information online does not automatically imply consent for its use in AI training
• Social media platforms and digital services must implement measures to prevent unauthorized scraping
• Unauthorized scraping constitutes a “severe security incident” requiring immediate reporting to the PPA. 

The guidance regarding scraping represents a new development not previously expressly addressed in Israeli privacy legislation, and should be noted by entities that would be impacted.

Right to Correction

The guidance confirms that individuals have the right to request correction or deletion of inaccurate personal information in databases. For AI systems, this right may extend to correcting the algorithm that generated the inaccurate information.  The PPA intends to increase enforcement of data subjects review and correction rights.

Accountability Requirements

The guidance emphasizes the importance of accountability frameworks, particularly for AI technologies due to their potential privacy risks and the inherent difficulty in identifying future risks. Key accountability measures include:

• Appointing a data protection officer (DPO)
• Conducting privacy impact assessments before implementing AI systems
• Implementing appropriate corporate governance structures, including the involvement of the Board of Directors
• Applying privacy by design principles

Data Security

The guidance addresses specific security risks associated with AI systems, including:

• Inference attacks that may extract personal data remnants from algorithms
• Requirements for implementing appropriate security measures, as well as for data minimization
• Guidelines for organizational use of external AI services like ChatGPT

Implications for Organizations

Regardless of whether the draft guidance is enacted in final form, the draft represents the current view of the PPA on privacy implications of AI systems.  Therefore, organizations developing or using AI systems that are subject to Israeli law in Israel are advised to do the following:

1. Review AI development and deployment practices to ensure that they comply with the draft guidance;
2. Implement appropriate consent and notice mechanisms;
3. Conduct privacy impact assessments for AI systems;
4. Establish clear policies for organizational use of external AI services; and
5. Ensure that appropriate security measures are in place.

Next Steps
The PPA is accepting public comments on the draft guidance until July 6, 2025.

Kindly contact our privacy team if your organization is interested in submitting feedback or requires assistance in understanding how the draft guidance may impact your operations. 

This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
 
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.