On July 25, 2024, the Constitution, Law and Justice Committee of the Israeli Parliament (“Knesset”) approved Amendment 13 to the Israeli Protection of Privacy Law, 1981 (previously known as Amendment 14, the “Amendment”). The Amendment will need to pass a second and third reading in the Knesset, after which it is expected to become law.
The Amendment represents the most significant overhaul of the Protection of Privacy Law, 1981 (“Privacy Law”) since its enactment. Significantly, the Amendment accomplishes the following:
Update. The Amendment updates the outdated Privacy Law and brings it in line with Israeli judicial precedents, technological innovations and previously-released position papers of the Israeli Privacy Protection Authority (“PPA”).
Key Definitions. By amending key definitions, the Amendment, once adopted, will result in Israeli privacy and data protection law more closely resembling privacy laws of other countries, in particular the European Data Protection Regulation ((EU) 2016/679, “GDPR”). For example, what was previously referred to as “Information” and defined as a closed set of data types is now defined as “Personal Information” and includes “any data related to an identified or identifiable person; for the purpose of this definition, “Identifiable” – those who can be identified using reasonable effort, directly or indirectly, including through an identifier such as name, ID number, biometric identifier, location data, online identifier, or one or more data elements relating to his/her physical, health, economic, social or cultural status.” What was historically coined “Database Owner” is now referred to as a “Database Controller” (similar to GDPR parlance), which the Amendment defines as “a person who alone or with another determines the purposes of data processing in the database, or a body or officeholder thereof authorized by law to process data in a database.” In addition, “Database Holder”, the Israeli corollary to the EU “processor”, is defined as “an entity external to the Database Controller, processing data on its behalf.” The definition of “Sensitive Data,” now called “Data of Special Sensitivity”, has been revised and modernized to include new categories such as biometric and location data, while certain categories, such as that of financial information, have been narrowed to include only personal data relating to salary and financial activity.
Mandatory Appointment of Data Protection Officer (“DPO”). Following the adoption of the Amendment, certain entities subject to the Privacy Law will, for the first time, be obligated to appoint a DPO. Among these entities are data brokers, i.e., Database Controllers of databases whose primary purpose is collecting Personal Information for transfer to another as a business model or for consideration, including direct mailing services, where the database includes Personal Information of more than 10,000 people; Database Controllers of certain databases that typically involve regular and systemic monitoring of individuals; and Database Controllers whose main activities involve processing Particularly Sensitive Information on a “significant scale”, including banks, insurance companies, hospitals and health funds. We further note that there would not be a separate role of database manager (currently existing) for private companies.
Reduced Scope of the Database Registration Obligation; Institution of Notification Obligation. The Amendment scales back the applicability of the obligation to register databases in Israel, as the database registration obligation was universally viewed as cumbersome and ineffective, since the PPA did not have the ability to enforce the registration obligation due to the sheer number of registerable databases. For the private sector, most databases do not require registration. Instead, the Amendment creates an obligation to notify the PPA regarding databases which do not require registration, yet contain Particularly Sensitive Information about more than 100,000 natural persons. In the notice, the Database Controller must provide basic information about the database and submit a copy of the internal Database Specification Document. The Database Controller must further notify the PPA of any change in the information provided; these notification obligations provide the PPA with supervisory tools regarding large and sensitive databases, without requiring their registration.
Enhanced Enforcement Tools. The Amendment substantially increases the PPA’s supervisory and enforcement powers. The Amendment establishes administrative enforcement mechanisms, including prior notices and monetary penalties, and for the first time vests the PPA with the ability to assess financial penalties due to failure to comply with the Protection of Privacy Regulations (Data Security), 2017. Monetary penalties range from NIS 1,000 to NIS 320,000 (currently USD $270 to USD $183,730). However, in certain severe cases, the penalty may be doubled, reaching up to NIS 640,000 per offence (currently USD $171,500). Additionally, penalties can be cumulative, potentially totalling millions of NIS. The penalties vary according to the security level of the database, the number of data subjects associated with the database and the duration of non-compliance. In addition, the Amendment establishes several criminal offences, all of misdemeanour status, such as: interfering with PPA personnel, intentionally misleading PPA personnel, providing misleading information to the data subject when requesting his or her Personal Information and the unauthorized processing of Personal Information. PPA personnel are granted enhanced investigatory rights; should a PPA investigator have reasonable suspicion of the existence of such criminal offences, the investigator may require information and documentation from any person involved, enter a place where there is a reasonable basis to believe that a database is being operated, conduct searches and seize related objects and information. The PPA is also required to publish the imposition of financial sanctions under certain circumstances.
As mentioned above, the Amendment is expected to become law following second and third reading in the Knesset. The Amendment is expected to become effective one year following its enactment.
We will provide further updates as the Amendment progresses towards its enactment as law. Due to the far-reaching implications of the Amendment, clients are advised to consider the provisions of the Amendment as they structure data-heavy businesses and design and implement privacy and data protection practices.
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.