A Significant Legislative Change in the Israeli Privacy Law to Increase Enforcement and Additional Requirements

Amendment 13 to the Israeli Privacy Protection Law was approved by the Knesset on August 5, 2024, thereby bringing about the most significant reform in Israeli privacy law since it was first enacted in 1981.

The amendment to the law creates an updated framework for the protection of personal data and strengthens the right to privacy in Israel, bringing it closer to the approach adopted in the EU countries.

The amendment grants extensive supervisory and enforcement powers to the Privacy Protection Authority (PPA), eliminates outdated requirements that have been a burden on companies and businesses, including a dramatic reduction of the database registration requirements, and provides better tools to address current challenges of technology.

Our firm was significantly involved in the intensive legislative process, which included months of discussions in the Knesset’s Constitution Committee, and we intend to provide close guidance to our clients to assist them in meeting the new requirements and to provide optimized tools for this purpose. Among other things, we are expected to hold an in-depth workshop (please follow our publications).

Key Changes, Implications, and Next Steps

Following is a concise overview of the primary significant changes introduced by the amendments to the Israeli Privacy Law:

1. Validity:

The law will come into effect one year after its formal enactment, meaning August 6, 2025.

2. PPA’s Extended Authorities and Supervision Power

• The amendment significantly expands the powers of the Privacy Protection Authority (PPA), elevating it as a strong regulator with the ability to effectively oversee and enforce compliance on both private and public entities. It grants investigative powers, the authority to order the cessation of infringing processing, the ability to conduct administrative inquiries including the imposition of various types of administrative enforcement measures, and imposing severe financial sanctions (see below under the caption “Imposition of Substantial Financial Sanctions“), and more.
• The amendment grants the court authority to award punitive damages of up to 10,000 NIS, irrespective of actual harm. This may be applied in cases such as, among others, whereby the purpose limitation principle was violated, the right to access information was not fulfilled, or information was not deleted following an individual’s request.
• The PPA will be able to appoint inspectors on its behalf with extensive powers of investigation, such as demanding information and documents, presenting copies of computer material, entering premises under certain circumstances, and more.
• Additionally, the amendment establishes powers for initiating administrative inquiry proceedings, seizing objects, and allowing for these actions to be taken against public entities as well, and even security bodies) those entities will also be required to appoint a privacy inspector who will have reporting obligations to the PPA (.
• The amendment enables, for the first time, the PPA’s formal authority to conduct proactive audits and to utilize external experts on its behalf for such purposes.

3. Imposition of Substantial Financial Sanctions

• The law authorizes the head of the PPA, to impose significant administrative financial sanctions, for the first time, for violations of the law.
• Following is a summary of the criteria for the financial sanctions model:

• The sanction model is based on the following criteria principles:
• Types of violations, including individual violations that do not pertain to the entire database (such as refusal to grant the right of access); violations pertaining to the entire database (such as failure to appoint a privacy security officer or a data protection officer as required); violations against the authority; or violations of substantial rights of data subjects.
• Scope of violations.
• Number of subjects in the database.
• Whether the data is Specially Sensitive Information or not; and whether there are reductions for small or micro businesses based on annual turnover.

Sanctions can be imposed both on the controller and on the Holder who violated the law’s provisions.

4. Significant Reduction of the Database Registration Requirement:

Reduction of the registration obligation; adding a disclosure requirement.

For most entities, the amendment eliminates the requirement to register databases in the public registry, leaving the obligation to limited types of entities.

• Any of the following entities will be subject to a registration requirement:

1. Entities whose primary purpose is the collection of personal data for the purpose of transferring it to another as a business model (data brokers), including direct mailing services, and the database contains personal data of more than 10,000 individuals; or
2. If the controller is a public body.

• Entities subject to notification requirement:

Controllers who are not subject to the registration requirement as mentioned above, and who process Specially Sensitive Information concerning 100,000 data subjects or more, are required to submit notification to the PPA and to provide their contact details, including the identity of their DPO, as well as to submit a copy of their database definitions form (similar to ROPA). It is important to note that the amendment does not exempt data subjects who are not from Israel.

• Applicability concerning registered databases:

On the commencement date of the Amendment, a database currently registered will continue to be registered until the controller notifies that it may be deleted. It is important to note that no exemption instructions were given for Israeli controllers of a database containing only personal data of non-Israeli citizens.

5. Principles of Data Governance:

• Disclosure Requirements:

Entities processing data must comply with disclosure requirements towards data subjects, requiring them to provide data subjects with the following details when obtaining their consent:

• Whether there is a legal obligation to provide the information, or if the provision of information is voluntary;
• A description of the purpose for which the information is being collected;
• The name and contact details of the controller;
• Data transfers to third parties and their identity;
• The consequence of refusing to provide the information;
• Data subjects’ rights, including the access right and rectification right.
• Updated Purpose Limitation Principle:

In addition to establishing the substantive right to privacy, which states that information about a person’s private affairs cannot be used for purposes other than those for which it was provided, a new principle has been added. Pursuant to this principle, a person is prohibited from processing data for purposes other than those legally defined within the database’s objectives, processing without authorization from the controller or breaching such authorization, and prohibits any processing against the law.

6. Updated Terms and Definitions:

The amendment incorporated revisions to the definitions of key terms in privacy law to align them with contemporary global privacy legislation and to reflect current technological and societal developments. Here are some essential definitions:

• Instead of “data” – a broader definition of “personal data” has been adopted, according to which personal data includes any data relating to an identified or identifiable person; for the purpose of this definition, an “identifiable person” is someone who can be identified with reasonable effort, directly or indirectly, including via an identifying detail such as a name, identification number, biometric identifier, location data, online identifier, or one or more data points relating to the person’s physical, health, economic, social, or cultural status that allows for their identification even indirectly, such as location data and online identifiers.
• Instead of “Sensitive Information,” the definition of “Specially Sensitive Information” has been adopted. This includes types of information such as intimate, political opinions, religious beliefs, genetic information, biometric information, medical information, information about a person’s criminal record, location services, and it also includes categories unique to Israel, such as professional evaluations related to personality assessments (e.g., in connection with placement) or salary data.
• Instead of “database owner,” the definition of a “Database Controller” has been adopted, closely aligning with the term “Controller” as per the GDPR. This refers to someone who, alone or jointly with others, determines the purposes of processing the information in the database, or an entity or individual authorized by law to process information in a database.
• The definition of a “Holder” (=processor) has been expanded to include any external entity to the controller that processes information on its behalf, thereby aligning more closely with the term “Processor” as defined by the GDPR.
• “Processing” or “Use” – the main actions have been expanded and clarified to apply to any action involving personal data, such as transfer, review, disclosure, delivery, or granting access to personal data.
• The role of a “Database Administrator” and its actual duties have been abolished, and its legal and regulatory obligations have been transferred to the database controller.

7. Pre-Ruling Procedure

• As part of the amendment, both the Database Controller and the Holder, or any person who is likely to become any of them, will be eligible to approach the PPA with a request for a pre-ruling opinion regarding the compliance of the database with legal requirements or other provisions related to the processing of personal data by the database.
• This mechanism allows data processors to facilitate dialogue with the PPA enabling guidance on compliance before potential legal violations occur. It also promotes learning from the experiences of others and enhances regulatory clarity.
• The PPA is obligated to provide its opinion within 60 days from the application date or from the date of submission of the relevant documents, whichever is later.
• The PPA is permitted to publish its opinions subject to the consent of the applicant, and at the applicant’s request, to remove identifying details to maintain confidentiality.

8. Obligation to Appoint a Data Protection Officer (DPO)

As part of the amendment, certain organizations will be required to appoint a Data Protection Officer (DPO) who will serve as an authoritative professional expert for privacy matters within the organization. This new legal obligation is intended to enhance compliance with data protection and privacy within organizations.

Please note that this requirement emerged from the dialogue between legislative bodies and public representatives and was not initially included in the government bill.

Generally, the requirement to appoint a Data Protection Officer (DPO) is imposed on entities that process personal data on a significant scale, as follows:

Any of the following entities is required to appoint a Data Protection Officer (DPO):

1. A database controller that is a public body (excluding security bodies that are subject to specific provisions).
2. A database controller whose primary purpose is the collection of personal data for the purpose of transferring it to others (data brokers) and the database contains personal data of more than 10,000 individuals.
3. A database controller or a Holder whose main activities include data processing operations or are involved in such operations, which, due to their nature, scope, or purpose, require regular and systematic monitoring of individuals, including systematic monitoring of a person’s behavior, location, or actions on a large scale, such as tracking location data or an online search service provider whose main activity involves such tracking.
4. A database controller or a Holder that processes Specially Sensitive Information on a large scale, such as banking corporations, hospitals, healthcare organizations, and insurers.

It should be noted that the first two cases (1+2) are essentially the same organizations that are also required to register databases, while the third and fourth cases are subject to certain interpretations, similar to the corresponding section in the GDPR, without a concrete quantitative criteria (as initially proposed).

While the first two cases refer exclusively to database controllers, the third and fourth cases impose the appointment obligation also on Holders who meet the described criteria.

The third case refers to databases that include regular and systematic processing of data on a large scale, given the nature, purpose, or scope of the processing activity.

The fourth case refers to more clear-cut instances involving organizations processing of Specially Sensitive Information on a large scale, but it is only ancillary to the main activity of the organization, such as a hospital that processes a massive amount of health information, biometric data, genetic data, and more, but all of such processing is secondary to the hospital’s primary purpose of treating patients.

In the latter two cases, the examples provided are not intended to be an exhaustive list but rather illustrative, serving as examples for clarification only.

We recommend our clients to promptly examine whether circumstances exist that would require them to appoint a Data Protection Officer (DPO).

The powers and duties of the Data Protection Officer (DPO):

• The DPO will advise the management and employees of the organization in which they serve, prepare a training program, and supervise its implementation.
• The DPO will prepare a plan for ongoing monitoring of compliance with legal requirements, ensure its implementation by the controller or Holder, report findings to the organization’s management, and propose corrective measures for any deficiencies.
• The DPO will ensure the existence of an information security procedure and a database definition document.
• The DPO will ensure the handling of inquiries from individuals whose personal data is in the database regarding the processing of such data or the exercise of their rights.
• The DPO will act as the contact person between the organization and the relevant regulatory authority.

Qualifications and Independence of the DPO:

• The DPO must have a thorough understanding of privacy laws, adequate understanding of technology and information security, and familiarity with the activities of the organization they serve, considering the nature, circumstances, scope, and purposes of data processing.
• The DPO has a duty to report directly to the CEO or an employee who reports directly to the CEO (i.e., an executive officer). The DPO shall not hold any other position if doing so or the reporting structure may potentially place them in a conflict of interest in performing their duties.
• The DPO can be an external contractor, and therefore organizations may hire a service provider for such a role, such as external legal counsel.

9. Statute of Limitations:

• Extending the statute of limitations for civil claims under this law from two years to seven years.

10. Criminal Offenses:

• Amending the criminal offenses chapter, mostly to adhere to intentionally deceptive behaviors towards the PPA or to obtain information from a data subject on a deceptive basis.

The above does not constitute a legal advice.

For further information, please contact us and we will be happy to assist you!