Major Update to Israeli Privacy Law Enacted as Law

21 August, 2024


Overview

On August 5, 2024, the Israeli Parliament (“Knesset”) gave final approval to Amendment 13 to the Israeli Protection of Privacy Law, 1981 (previously known as Amendment 14; the “Amendment”). The Amendment represents the most significant overhaul of the Protection of Privacy Law, 1981 (“Privacy Law”) since its enactment. The Amendment will come into effect on August 14, 2025.

Certain Key Changes

Significantly, the Amendment accomplishes the following:

Update. The Amendment updates the outdated Privacy Law and makes it consistent with Israeli judicial precedents, technological innovations and previously released position papers of the Israeli Privacy Protection Authority (“PPA”).

Key Definitions. By amending key definitions, the Amendment brings Israeli privacy and data protection law more closely in line with the privacy laws of other jurisdictions, in particular the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). For example:

  • What was previously referred to under Israeli law as “Information” and defined as a closed set of data types is now defined as “Personal Information” and includes “any data related to an identified or identifiable person”, with “identifiable” defined as a person who can be identified using reasonable effort, directly or indirectly, including through an identifier such as a name, ID number, biometric identifier, location data, online identifier, or one or more data elements relating to his or her physical, health, economic, social or cultural status.
  • What was historically termed “Database Owner” is now referred to as “Database Controller” (similar to GDPR parlance), which the Amendment defines as “a person who alone or with another determines the purposes of data processing in the database, or a body or officeholder thereof authorized by law to process data in a database.”
  • “Database Holder”, the Israeli corollary to the EU “processor”, is newly defined as “an entity external to the Database Controller, processing data on its behalf.”
  • The definition of “Sensitive Data”, now called “Data of Special Sensitivity”, has been revised and modernized to include new categories such as biometric and location data, while certain categories, such as financial information, have been narrowed to include only personal data relating to salary and financial activity.

Mandatory Appointment of Data Protection Officer (“DPO”). Following the adoption of the Amendment, certain entities subject to the Privacy Law will, for the first time, be obligated to appoint a DPO, including:

  • Data brokers (i.e., Database Controllers of databases whose primary purpose is collecting Personal Information for transfer to another as a business model or for consideration, including direct mailing services, where the database includes Personal Information of more than 10,000 people);
  • Database Controllers and Database Holders of certain databases that typically involve regular and systemic monitoring of individuals;
  • Database Controllers and Database Holders whose main activities involve processing Particularly Sensitive Information on a “significant scale”, including banks, insurance companies, hospitals and health funds; and
  • Public bodies, or Database Controllers processing data on their behalf.

In addition, certain entities are obligated to appoint an Information Security Officer; this obligation applies to a larger class of entities than existed prior to the Amendment.

Reduced Scope of the Database Registration Obligation; Institution of Notification Obligation. The broad obligation to register databases that existed under the pre-Amendment regime has been universally viewed as cumbersome and ineffective, since the PPA was unable to enforce it given the sheer number of registrable databases. The Amendment significantly scales back the applicability of the obligation to register databases in Israel. Public entities and certain data brokers holding databases that contain Personal Information of more than 10,000 data subjects must still register their databases. Notably, the de-registration of databases that no longer require registration is not automatic; Database Controllers must submit an affirmative request to the PPA to de-register databases that no longer require registration under the new framework.

Most databases controlled by private entities will not require registration under the Amendment. For certain databases, the Amendment replaces the widespread registration requirement with a notification obligation: Database Controllers must notify the PPA of the existence of non-registrable databases containing Particularly Sensitive Information about more than 100,000 natural persons. In the notice, the Database Controller must provide basic information about the database and submit a copy of the internal Database Specification Document. The Database Controller must further notify the PPA of any change in the information provided. These notification obligations give the PPA supervisory tools over large and sensitive databases without requiring their registration.

Enhanced Enforcement Tools. The Amendment substantially increases the PPA’s supervisory and enforcement powers. It establishes enhanced administrative enforcement mechanisms, including warning notices and significant monetary penalties, and for the first time vests the PPA with the ability to impose substantial financial penalties for failure to comply with the Protection of Privacy Regulations (Data Security), 2017.

Monetary fines vary according to the security level of the database, the number of data subjects associated with the database and the duration of non-compliance, and range from NIS 1,000 to NIS 320,000 (currently USD 270 to USD 183,730). However, in certain severe cases, the penalty may be doubled, reaching up to NIS 640,000 per offense (currently USD 171,500). Additionally, some penalties are determined with reference to the number of data subjects affected, and penalties can be cumulative, so aggregate penalties may reach millions of NIS. This represents a significant increase over the penalties available under the prior regime. For example, collecting personal data from individuals without providing the legally required notice under the Privacy Law can result in a monetary penalty of NIS 50 (approximately USD 13) per individual. If the data collected qualifies as Data of Special Sensitivity, the penalty increases to NIS 100 (approximately USD 27) per individual. Thus, for large databases containing sensitive personal information on millions of individuals, the total penalty can easily escalate to tens of millions of NIS. We note that privacy notice obligations in Israel differ from those under the GDPR, so even an entity fully compliant with the GDPR may be exposed to fines.

The monetary fine may increase further through a mechanism akin to the accrual of interest, designed to incentivize prompt compliance and to ensure that prolonged violations result in progressively higher financial consequences.

Penalties are capped at 5% of annual turnover. In addition, the PPA may, under certain circumstances, reduce the total penalty amount; however, its authority to reduce is limited to a certain amount and a specific percentage of the original penalty. Businesses with an annual turnover of less than NIS 10 million may request a further limited reduction in penalty amounts.

In addition to enhanced penalties, the Amendment establishes several criminal offences, including interfering with the activity of PPA personnel, intentionally misleading PPA personnel, intentionally providing misleading information to a data subject who requests his or her Personal Information, and the unauthorized processing of Personal Information. PPA personnel are granted enhanced investigatory powers: where a PPA investigator has reasonable suspicion that such a criminal offence has been committed, the investigator may require information and documentation from any person involved, enter a place where there is a reasonable basis to believe that a database is being operated, conduct searches and seize related objects and information. The PPA is also required, under certain circumstances, to publish the imposition of financial sanctions. The Amendment further expands the grounds on which courts may award damages without proof of damage, including, for example, in connection with insufficient disclosure in a privacy notice.

Actions Required

All entities that control or process personal data will be required to make substantial changes to their privacy compliance activities prior to August 14, 2025, in order to be compliant with the Amendment.

For example, the existing privacy policies of most organizations must be revised to reflect additional disclosure requirements; many entities will need to appoint a Data Protection Officer; entities no longer required to register databases will need to file for de-registration; and organizations required to submit privacy notifications will need to be appropriately prepared. In addition, entities that have not yet fully complied with their obligations under the Protection of Privacy Regulations (Data Security), 2017 will need to achieve compliance by August 14, 2025, in order to avoid the imposition of substantial financial penalties.

These changes will take time, and clients are urged to commence compliance efforts promptly.

Please feel free to reach out to members of our Privacy and Data Protection team for assistance.


This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.