Written by Yoheved Novogroder-Shoshan and Tamar Tavory
The protection of medical data has long been a cornerstone of privacy regulation, and such information is consistently classified as data of special sensitivity requiring enhanced protections. The recent amendment to Israeli privacy law creates new challenges and obligations for companies handling medical data. This article examines the practical implications of these changes for life science companies (including biotech, pharmaceutical and digital health companies) operating in or serving the Israeli market.
Legislative Background and Timeline
On August 5, 2024, the Knesset approved a significant amendment to the Protection of Privacy Law, 5741-1981 (the “Privacy Law”). This amendment represents the most substantial revision to Israel’s privacy framework since the law’s initial enactment over four decades ago. Companies have until August 14, 2025, to achieve compliance with the new requirements.
Territorial Scope and Application
Understanding the amendment’s scope is crucial for life science companies. The law’s application extends beyond Israel’s borders in several key ways:
First, Israeli companies processing medical data must comply regardless of whether they process data domestically or abroad, and irrespective of the data subjects’ nationality. Second, foreign companies processing medical data of Israeli citizens or utilizing Israeli-based processors can fall within the law’s scope. Third, database controllers and holders managing medical data are subject to specific obligations under the framework.
This broad territorial reach creates particular challenges for international life science companies and research organizations operating across multiple jurisdictions.
Medical Data: Enhanced Definitions and Protections
The amendment introduces more nuanced definitions of protected data categories, with significant implications for the life science sector:
“Personal Information” now explicitly includes any data relating to an identified or identifiable person. Notably, this encompasses identifiers such as biometric data, location data, and online identifiers. The definition’s scope means that even coded (pseudonymised) patient data maintained by medical institutions qualifies as personal information, because the coding key or system can be used to re-identify the individual; only data that cannot reasonably be linked back to a person falls outside the definition.
“Data of Special Sensitivity” specifically includes medical, genetic, and biometric data. This classification triggers enhanced protection requirements and stricter compliance obligations.
Key Compliance Challenges for Life Science Companies
Database Registration Requirements
The amendment maintains but modifies Israel’s unique database registration regime. Data brokers processing sensitive information about more than 10,000 individuals must register their databases with the Privacy Protection Authority (PPA). Entities that registered databases under the prior regime but are no longer required to register must actively de-register those databases by filing with the PPA; de-registration is not automatic. In many cases the registration obligation will be replaced by a notification obligation. For example, data controllers must notify the PPA of the existence of non-registrable databases containing genetic or health data about more than 100,000 data subjects.
Data Protection Officer Appointment
Similar to the GDPR, the amendment requires certain organizations to appoint a Data Protection Officer (DPO). This requirement applies to entities processing particularly sensitive information on a significant scale. However, the law provides limited guidance on what constitutes “significant scale” in the life science context, creating uncertainty for medium-sized research operations.
Enhanced Enforcement Framework
The amendment significantly expands the PPA’s enforcement capabilities:
Administrative fines now range from NIS 1,000 to NIS 320,000 (approximately USD $270 to $86,700) per violation. These fines can double for severe violations, reaching NIS 640,000 (approximately USD $173,000). Importantly, fines can accumulate based on the number of affected data subjects and the duration of non-compliance, potentially resulting in substantial aggregate penalties. For example, collecting personal data from individuals without providing the legally required notice under the Privacy Law can result in a monetary penalty of NIS 50 (approximately USD $13) per individual. If the data collected includes medical or genetic data, which is deemed data of special sensitivity under the amended law, the penalty increases to NIS 100 (approximately USD $27) per individual. Thus, in large databases containing data of special sensitivity on millions of individuals, the total penalty can easily escalate to tens of millions of NIS or more: at NIS 100 per individual, a single database of one million data subjects already corresponds to NIS 100 million. We note that privacy notice obligations in Israel differ from those under the GDPR, so even an entity fully compliant under the GDPR may be exposed to fines.
The law also maintains criminal sanctions for specific violations, including obstruction of PPA investigations and unauthorized data processing.
Practical Challenges and Open Questions
Clinical Trial Regulations
A significant challenge emerges from the interaction between the amended Privacy Law and Israel’s clinical trial regulations. The clinical trial framework, based on the 1981 People’s Health Regulations, contains provisions that potentially conflict with the new privacy requirements, particularly regarding consent exemptions for research. This regulatory tension requires careful navigation by life science companies involved in clinical trials.
International Data Transfers
While the amendment does not modify existing data transfer rules, increased enforcement attention to cross-border transfers seems likely. This has particular relevance for biotech or pharma companies participating in international research collaborations or multi-center clinical trials.
AI and Medical Data Processing
The amendment’s impact on AI applications in healthcare merits special attention. Though Israel lacks a comprehensive AI regulatory framework, companies using medical data for AI development and deployment must ensure compliance with the enhanced privacy requirements. This becomes particularly relevant as global AI regulations evolve and investors increasingly scrutinize AI-related privacy practices during due diligence.
GDPR Compliance Interface
Organizations that have implemented GDPR compliance programs should not assume automatic compliance with Israeli requirements. Notable differences exist, particularly regarding privacy notice obligations and the scope of data subject rights. Life science companies must carefully assess these divergences and adapt their compliance programs accordingly.
Conclusion
The amendment marks a significant evolution in Israel’s privacy landscape, with particular implications for the life science sector. As enforcement activities intensify, organizations must proactively evaluate their compliance posture, especially regarding sensitive medical data handling. Success will require careful attention to both technical compliance requirements and practical implementation challenges.
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to address the unique circumstances of any individual or entity. Although we strive to provide accurate and current information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice following a comprehensive and thorough examination of the specific situation.