Israel is recognized around the world as an important technology hub. It is home to hundreds of large, multinational tech corporations operating substantial local research and development, sales, and management activities. It is the incubator for thousands of startups, dozens of which are publicly traded unicorns. And it boasts an environment where innovation is fostered, growth achieved and the commerce of modern industries flourishes on a global scale.
Because data is a core asset in many tech ventures, Israel is also a jurisdiction worth monitoring from a data protection perspective — and 2022 will likely be a turning point for privacy laws in Israel.
On Jan. 5, the Israeli government introduced a substantial amendment to the Protection of Privacy Law. The amendment, known as Bill No. 14 (available here in Hebrew), encompasses two sets of previously proposed updates to the law. When enacted, it will be the largest and most comprehensive update since 1996, when updated data processing provisions were incorporated into the law.
The proposed bill will align the PPL with the EU General Data Protection Regulation only in part. At the heart of the new amendment are new procedures and regulatory powers that portend a dramatic increase in risks associated with information security and purposeful processing violations.
Seven enhancements to the law
Bill No. 14 proposes an amendment to several substantial aspects of the PPL. Most, if not all, are likely to be discussed in the forthcoming parliamentary hearings over the bill and will be subject to public debate. What follows are the essence of Bill No. 14’s proposed changes, along with our analysis of their impact:
- An update to definitions to adapt terms to the modern era and align them, in part, with GDPR terms, such as: “data protection commissioner” instead of “databases registrar,” “database controller” instead of “database owner,” and GDPR-like definitions to “data” (the equivalent to “personal data” under the GDPR) and “data with special sensitivity.”
Additionally, the bill introduces new definitions such as “biometric identifier” and “processing,” which includes “collection” and “use” of data.
We note that the authors of the bill at the Justice Department offered only a partial alignment with GDPR definitions. Specifically, the bill does not remove the outdated reference to “databases” (as opposed to “data”), presumably to avoid additional considerable changes in the law.
- New criminal offenses: up to three years imprisonment for misleading a DPC supervisor or for receiving personal data fraudulently. These offenses join the already-existing criminal offenses under the current law, which include up to five years of imprisonment for willful confidentiality violations.
We note that to date the attorney general has indicted individuals for privacy violations in severe cases of willful breaches, mostly related to unlawful data trafficking. The new bill may result in an increase in indictments.
- New administrative fines of up to NIS 3,200,000 (about USD $1 million) for violations associated with a database of more than 1 million sensitive data records, and an additional NIS 64,000 (about USD $20,000) per day for continuous or repetitive violations. Processing data for non-consented purposes and unauthorized use of data constitute the most severe violations.
Additionally, the bill sets a price tag of up to NIS 320,000 (about USD $100,000) per violation of a provision under the 2017 Protection of Privacy Regulations (Data Security). Accordingly, the accumulated risk can go up to several USD millions. The DPC will have the authority to replace fines with a warning or a commitment to avoid further violations.
We note the proposed fines are significantly higher than the fines under the existing law, but are also significantly lower than the maximum fines under the GDPR. We expect a fierce battle over the fines’ rates, particularly because the general market enjoys a fairly limited degree of regulation and the new fine rates under the bill will likely be seen as an obstacle to continued innovation and growth.
- Far-reaching investigatory powers, including the authority, without a court order, to have a person identify themselves to a DPC supervisor, demand information, documents and computer data from every person, and access non-residential premises where a database is used.
We note that the new powers are similar to police powers, while lacking commensurate judicial due process, and further lack sufficient constraints on DPC powers to prevent “function creep” and ensure these powers are not used in an unproportionate manner.
- Appointment of data protection officers in law enforcement and national security agencies, who will report to the DPC. The DPOs (“privacy supervisors,” as referred to in the bill) will be appointed to one term of up to seven years. They will have the same investigatory powers as DPC supervisors have, but they will be subordinated to either the head of the agency or to a senior official who reports directly to the head of the agency.
The DPC will instruct the DPOs on professional matters and the DPOs are prohibited from assuming conflicting positions. The agency must provide the DPO with the “proper means” necessary for the DPO to function. The bill also sets out a job description that includes preparing an annual compliance plan and reports, review of the agency’s procedures and policies, handling complaints, preparing reports to the DPC, and training of personnel.
We note that the Protection of Privacy Council (disclosure: the author is a member of the council) has time and again advised the Justice Department to include a statutory obligation to appoint DPOs, in alignment with modern privacy legislation. The explanatory words accompanying the bill do not explain why only security agencies will need to appoint DPOs.
- A considerable reduction of mandatory database registrations. Fifteen years after a special committee produced the Shofman Report recommending reducing the duty to register databases with the databases registrar, Bill No. 14 will likely realize this recommendation.
The amended law will still require registration subject to specific criteria. These include the number of records (data on more than 500,000 individuals); sensitivity (data on more than 100,000 individuals will require a report to the DPC); collection method (data on more than 100,000 individuals that was not collected from them); and type of organization or activity (public entities and data brokers).
We note that the reduction of database registrations is meant to eliminate unwarranted bureaucracy while providing the DPC with the ability to focus on a limited number of high-risk databases. However, given the proposed thresholds under Bill No. 14, the number of registrations would be still considerably high, thereby failing to properly support the two purposes of this amendment.
- A special arrangement for violations during elections. The head of the Central Elections Committee must grant the DPC specific permission to impose a fine on or use its other enforcement powers against a political party during election time. Permission will be granted unless the DPC enforcement power will considerably harm the violating party’s election efforts and the public interest associated with the elections will outweigh the importance of the DPC’s administrative activities.
We note that this is a counterintuitive and potentially damaging arrangement. The DPC should have independent powers to stop a political party from gaining unethical and unlawful advantage during election time via violating individuals’ privacy. Such independence is not an obstacle, but rather crucial for proper democratic elections processes.
The bill lacks substantial provisions related, among other things, to enhancing data subject rights, expanding the lawful grounds of processing, appointing DPOs, requiring impact assessment procedures, and legislating the privacy-by-design and by-default principle.
The Justice Department publicly stated it intends to follow Bill No. 14 with Bill No. 15 to address these matters.
Dramatic increase in data security and purposeful processing risks
According to the Protection of Privacy Authority 2019 and 2020 report to the Knesset (the Israeli Parliament), 54% of enforcement actions — 105 out of 195 — were focused on data security violations, particularly violations of 2017 DSR provisions, with an additional 35% addressing violations of the purposeful processing obligation. Nearly 90% of enforcement activities, therefore, were focused on these two areas.
Under current law, the Protection of Privacy Authority does not have the authority to impose fines on data security violations. Similarly, the current law empowers the authority with very limited power to impose fines (up to about USD $8,000 per violation) on data use for non-consented purposes.
Bill No. 14 will change this risk dramatically, offering the DPC the authority to impose a USD $1 million fine for unauthorized use of data and for violating the purposeful processing principle, alongside up to USD $100,000 for every violation of a provision under the 2017 DSR. These may include violations of obligations related to access management, encryption, communication security, security audits, penetration tests, updates of IT systems and much more.
The bill will also provide the DPC with broad court order-free access to data and computer systems, thereby removing a judicial scrutiny barrier from the investigatory process.
It is reasonable to assume the DPC will continue its enforcement focus on data security and purposeful processing violations, but with much more power in its hands.
Key takeaways
The current main risk associated with privacy violations in Israel comes from class actions. This risk is on the rise because the number of privacy actions is rising.
Bill No. 14 will increase administrative and criminal risk substantially. Companies that do business in Israel should focus their compliance efforts first and foremost on cybersecurity measures and procedures in compliance with the 2017 DSR, on providing proper disclosures and on securing informed consent to the processing of the data.
Photo by Cole Keister on Unsplash