2022 was an interesting year on the privacy front; it was characterized by significant privacy developments in Israel and worldwide.
In honor of Data Privacy Day, below is a high-level overview of key privacy developments that occurred during 2022.
“Do not call” registry – As of January 1st, 2023 Israeli, companies seeking to directly contact consumers by phone with a marketing offer must first ensure that a consumer’s Israeli phone number is not registered in the “Do not call” registry.
Regulations for Data originating in the European Economic Area (EEA). – Draft regulations were introduced which apply selectively to personal data transferred to Israel from the EEA, with exception of the personal data directly transferred by the data subject.
The draft regulations include obligations regarding data deletion, data accuracy, data minimization and notification obligations.
The draft regulations aim to ensure that Israel maintains its position on the European Union “White List” as a country having an adequate level of protection (for GDPR purposes) for personal data transferred from the EEA to Israel.
Principles and Ethics relating to Artificial Intelligence (AI) – The Ministry of Innovation, Science and Technology published a paper addressing guidelines for use of AI and ethical issues that relate to such use.
The paper addresses the following issues, among others: the challenge of complying with the purpose limitation principle when using personal data for AI, explainability, non-discrimination, transparency, and data anonymization.
Guidelines of the Israeli Protection of Privacy Authority 2022 – The Protection of Privacy Authority (PPA) published a series of guidelines, including guidelines relating to the appointment and duties of a Data Protection Officer, and guidelines regarding data protection impact assessments (DPIA) with detailed recommendation on how to conduct a DPIA.
The PPA also restated its position regarding the timing for reporting severe data breaches; instead of reporting a data breach within 24 to 72 hours as was previously recommended, the PPA now takes the position that data breaches are to be reported immediately without undue delay.
Draft amendment No. 14 of the Israeli Privacy Protection Law – Draft amendment No. 14 of the Israeli Privacy Protection Law was introduced. The draft amendment aimed to bring certain aspects of Israeli privacy laws in line with international privacy standards.
The proposal included significant amendments, such as the expansion of supervision and enforcement capabilities of the authorities, data processing/ usage restrictions, and the requirement to appoint of a DPO under certain circumstances.
In addition, the draft amendment updated certain key definitions under the Protection of Privacy Law, proposed a newly expanded definition of “personal information”, and introduced definitions for data controller and processor.
Amendment No. 14 had been introduced to the Israeli Parliament a number of times in various iterations; in each case the amendment failed to be enacted as law due to disbanding of the Israeli Parliament.
In the current instance, passage of reforms proposed in the draft amendment was again postponed due to the disbanding of Parliament.
EU-U.S. Data Privacy Framework – Draft adequacy decision European Commission – Following the Executive Order signed by US President Biden, a proposal for a US adequacy decision has been provided to the European Data Protection Board for its opinion.
Should the decision be adopted by the European Commission organizations will be able to transfer personal data from the EEA to the US, without any further conditions or requirements.
Digital Markets Act and the Digital Services Act – Under the European Union’s Strategy for Data, which aims to promote European values and rights in the digital space, the Digital Markets Act and the Digital Services Act were both adopted during 2022.
While the DMA generally creates obligations for big technology platforms to create a fairer environment for business and to ensure consumers have access to better services, the DSA addresses the digital sphere, which will need to be more transparent.
International transfer and updated Standard Contractual Clauses following the Schrems II decision – The Standard Contractual Clauses (SCCs), a standard agreement approved by the European Commission, are used as a basis for transfers of personal data from the EEA to third countries without an adequate level of data protection.
Following the Schrems II decision, the previously applicable SCCs were adapted, and as a result entities had to implement the new version.
There are some formal and substantive novelties, such as various version of the SCCs for different types of transfers and the requirement to conduct a Transfer Impact Assessment.
Enforcement – The second-and third-largest GDPR fines were issued in 2022 by the Irish Data Protection Authority, consisting of 405 million and 265 million euros against Instagram and Meta.
The first CCPA fine was issued, namely a $1.2 million settlement with Sephora.
What to expect in 2023
In the United States – US state privacy regulatory frameworks – Several regulatory frameworks regarding privacy protection will take effect in 2023, namely California (which amends the existing CPPA with the CPRA), Virginia, Colorado, Connecticut, and Utah.
Such frameworks reflect the US’ outlook on privacy. Many amendments can be highlighted regarding the CPRA, including the introduction of the California Privacy Protection Agency, the amendments of certain definitions, and consumer rights.
In Israel, we can expect the introduction of legal amendments to the Privacy Protection Law which aim to achieve the goals of Amendment 14, as well as other amendments which will bring Israeli law in synch with European Union data protection principles.
In addition, we can expect the PPA to continue to fill gaps left by existing laws by issuing interpretative guidance.