Significant reforms to Israel’s Privacy Law will take effect on August 14, 2025, introducing new requirements that will reshape privacy compliance for organizations operating in Israel. As previously detailed in our comprehensive client update here, these changes bring Israeli standards into closer alignment with international best practices and establish a strengthened framework for regulatory oversight. With the effective date quickly approaching, we are highlighting a few key changes and recommended actions to help ensure your organization is prepared for compliance, continuity, and ongoing success in an evolving privacy landscape.
Key Developments to Note:
Expanded Enforcement Authority: The Privacy Protection Authority (PPA) will have extensive new powers to investigate, audit, and enforce compliance with the law. The PPA will be able to impose substantial administrative fines for violations, with monetary penalties for non-compliance increasing dramatically. In cases involving large-scale or sensitive data processing, organizations may face aggregate exposure reaching millions of NIS. The PPA will also have the authority to publicize enforcement actions, further increasing potential reputational risk.
Board of Directors Oversight Obligations: The PPA has issued a directive (Directive 1/2024, available here) that sets out specific responsibilities for boards of directors regarding privacy and data security compliance. In organizations where personal data processing is a core activity or poses increased privacy risks, the board is required to establish, approve, and oversee the implementation of comprehensive privacy and data protection policies. The board must also ensure ongoing supervision, regular review of compliance measures, and proper documentation of all compliance activities.
Obligation to Appoint Data Protection Officers: For the first time, a broad range of organizations, including data brokers, entities engaged in systematic monitoring of data subjects, as well as organizations processing sensitive information on a significant scale, will be required to appoint a Data Protection Officer (DPO). The DPO will serve as a central point of accountability and privacy law expertise within the organization.
Revised Database Registration and Notification Requirements: The traditional requirement to register databases has been significantly narrowed. However, new notification obligations apply to controllers of databases including particularly sensitive data on many data subjects, requiring timely and accurate reporting to the PPA. Organizations must also proactively delete the registration of databases that no longer fall within the scope of the registration requirement.
Enhanced Transparency and Disclosure: The new law expands the types of information that must be provided to data subjects at the point of collection, necessitating a thorough review and update of privacy notices, internal policies, and data handling procedures.
New Criminal and Civil Liabilities: The updated law introduces additional criminal offenses, including unauthorized processing of personal data and providing misleading information to individuals or regulators. It also expands the scope for civil claims, allowing for statutory damages even in the absence of proven harm. These developments significantly increase both regulatory and litigation risks for organizations that do not comply with the new requirements.
Recommended Actions:
With the new framework set to take effect in a matter of weeks, organizations should:
- Review and update privacy policies, notices, and internal compliance protocols;
- Assess whether the DPO appointment requirement applies and designate a qualified individual if needed;
- Re-evaluate the status of all registered databases and ensure compliance with revised registration and notification obligations;
- Ensure alignment with the Privacy Protection (Data Security) Regulations, 2017, and regulatory guidance;
- Review and update board of directors’ oversight procedures to ensure compliance with the new PPA directive, including adoption of appropriate security policies, ongoing supervision, and proper documentation;
- Assess and strengthen compliance measures in anticipation of increased regulatory enforcement and potential privacy-related litigation.
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.