As of 5 Aug., Israel enters a new era with a unique framework for data protection and governance, shielded by significant penalties.
Following the substantial facelift, the law will include administrative fines of up to 5% of annual turnover, statutory and exemplary damages in civil actions, severe criminal penalties, new definitions for foundational terms, enhanced notice requirements, mandatory appointments of chief information security officers and data protection officers, notification and submission duties, registration and specific provisions for data brokers, and special provisions for law enforcement and national security agencies.
It is a major reform to the Protection of Privacy Law, 5741-1981. Titled Bill No. 13, the reform takes effect a year following its enactment by the Israeli Parliament, the Knesset. It is primarily driven by the need to enhance the protection and security of personal data, especially considering the large increase in cyberattacks amid the current armed conflict in the region.
The new reform is expected to significantly impact the entire market, including public authorities. Everyone will be affected and will need to tune up their personal data practices.
One of the first laws — One of the last to face modernization
The history of privacy laws in Israel started in 1981. Soon after the Organisation for Economic Co-operation and Development published its first set of guidelines, Israel enacted the PPL. At that time, 43 years ago, it was one of the first global attempts to create a comprehensive statutory framework for privacy protection.
Eleven years later, Israel enshrined the right to privacy as a constitutional right in the Basic Law: Human Liberty and Dignity. Four years passed, and in 1996, a comprehensive chapter on data protection was added to the law.
There have since been very few and relatively minor amendments to the PPL. Over the past 12 years, Israel has made several reform attempts to the PPL, all of which failed until Bill No. 13's successful crossing of its final enactment line.
It took years for the government to advance the legislative process of the bill, and 20 extensive hearings at the Knesset's Constitutional Committee to finalize the bill and prepare it for the final voting session before the main plenary of the Knesset.
An active regulator receives a regulatory hammer
Israel has long grappled with an outdated law, ill-suited to modern challenges. However, two major developments have laid the foundation for the current regulatory structure and the introduction of the new reform.
The Protection of Privacy (Data Security) Regulations. In May 2018, while the world focused on the newly effective EU General Data Protection Regulation, Israel enacted the Data Security Regulations, taking a cybersecurity-oriented approach.
Unlike other sector-specific cybersecurity regulations, these regulations govern the entire private market and all public authorities. The regulations include a detailed, layered set of requirements for deploying specific security measures and establishing an appropriate information security management system.
Six years later, the new Bill No. 13 reform introduces hefty fines for violations of these regulations.
Emergence of the Privacy Protection Authority. Amid years of uncertainty around modernizing the outdated law, the PPA has become a dominant force, introducing GDPR-like concepts and AI ethics to fill the void.
Over a five-year period, despite weak enforcement powers, the PPA conducted wide-scale supervision campaigns and released 71 sets of guidelines, opinions, recommendations and market compliance reports.
These address modern data protection concepts such as privacy-by-design and privacy impact assessments. They also analyze and provide recommendations related to modern smart cities, autonomous drones, deepfakes, telemedicine and machine learning.
When the Bill No. 13 amendments take effect, the PPA will have immense powers, making it one of the most formidable regulators in the country. The PPA will use its power to enforce its interpretation of the law, as outlined in its published guidelines and directives.
Partial alignment with the GDPR
On 15 Jan., the European Commission concluded that Israel, along with 10 other countries, continues to provide an adequate level of protection for personal data transferred from the EU. While Israel has made significant efforts to maintain the adequacy recognition, its privacy laws differ in several key ways from the GDPR, including:
• Information security plays a dominant role, including detailed regulations, mandatory annual programs and management, and mandatory appointment of information security officers.
• There are multiple rules for managing "databases," not just personal data, including registration and notification duties.
• In addition to engaging under data processing agreements, controllers must maintain a vendor management framework, including pre-engagement vetting procedures, ongoing monitoring and receiving annual vendors' reports.
• Mandatory appointment of privacy protection officers with different roles than the DPO under the GDPR.
• Mandatory notification requirements for controllers with large sensitive databases.
• Database registration obligations for data brokers and public entities.
• Mandatory periodic procedures, such as an annual evaluation of data retention, periodic cyber incidents review, updates to statutory asset management documentation and review of annual vendor reports.
The reform under Bill No. 13 brings the PPL closer to modern legal terminology, introducing GDPR-like definitions for personal data and processing. However, other definitions remain distinct.
For example, a "controller" (of a database) is the entity that determines the purposes of processing, without the need to determine the means of processing. This approach reflects better the reality of relationships between controllers and processors.
The term "data with special sensitivity," in addition to categories similar to those under Article 9 of the GDPR, includes additional data types such as payroll data, financial activities, professional personality reviews, intimate family matters, location data, and personal data subject to a legal duty of confidentiality.
Processing data with special sensitivity requires substantial information security controls, and violations involving such data are subject to higher fines. Controllers processing this data for at least 100,000 data subjects must submit a notice to the PPA, including details of the controller and the privacy officer, and a copy of the data definitions document — a mandatory documentation of the controller's processing activities.
Mandatory appointment of officers
A duty under a data protection law to appoint an information security officer is quite unique. It has been mandated by the PPL since 1996.
Bill No. 13 redefines this requirement and extends it to various entities, including: controllers and processors of at least five databases that are subject either to a registration obligation (public bodies and data brokers) or to notification to the PPA (large sensitive databases); government ministries, authorities, municipalities and statutory corporations; data brokers; and banks, insurers and credit scoring service providers.
Bill No. 13 also mandates the appointment of Privacy Protection Officers (for simplicity, they will be referred to as DPOs). The terms mandating the appointment of a DPO are similar to those under the GDPR, with the additional requirement that data brokers must appoint one as well. Yet, all other provisions overlap only in part with those under the GDPR.
DPOs must be experts in privacy laws, but they also need to possess appropriate knowledge in technology and information security. Furthermore, the DPO's roles include:
• Ensuring compliance with all provisions of the PPL, including privacy protection requirements unrelated to personal data — such as a complaint against an employer for conducting a bag search at work.
• Preparing a plan for ongoing compliance control with the provisions of the PPL and verifying the plan's implementation.
• Ensuring that the mandatory information security policy follows the Data Security Regulations.
The law's emphasis on appointing professional officers underscores the importance of the synergy between data protection and data security management. It highlights the need for designated personnel to establish and maintain compliant corporate data governance, particularly focusing on entities and practices that pose a higher level of risk.
AI ethics enforcement
In its 13 Dec. 2023 policy paper on AI principles, regulation and ethics, the Israeli government opted to forgo formal artificial intelligence legislation. Instead, it established a strategic policy grounded in existing regulatory frameworks, "soft law," and globally accepted principles. This approach reflects an intent to align with international regulatory trends while avoiding overly burdensome local regulations.
The policy provides a foundation for local regulators to enforce the responsible development, deployment and use of AI systems within their respective regulatory boundaries.
More than a year earlier, on 18 July 2022, the PPA published its first AI-related opinion. Based on the interpretation of existing law, the PPA introduced enhanced transparency and disclosure duties associated with the use and development of AI systems for collecting personal data and for automated decision-making.
PPA officials have expressed a specific interest in the intersection of data protection and AI ethics, and it is expected the PPA will continue to publish additional opinions and guidelines on this matter. No doubt that with Bill No. 13 providing substantial enforcement powers, the PPA will enforce its published interpretation of the law on AI-related personal data processing.
Data subjects' rights
Israeli privacy laws provide narrower rights to individuals compared to the GDPR. These include the right of access and rectification, and limited rights to deletion, objection to processing, and to data portability.
Access and rectification. Bill No. 13 introduces specific fines for violations of the existing rights of access and rectification, which will likely enhance awareness to the exercise of these rights. This is the only change related to data subjects' rights under the current reform.
Right to delete. The right to be forgotten is offered only in part. Published on 7 May 2023, the Privacy Protection Regulations (Instructions for Data Transferred to Israel from the European Economic Area), 5783-2023 were enacted to support Israel's efforts to maintain the EU Commission's adequacy recognition.
They set out enhanced protections for personal data originating in the EEA and processed in Israel. One such protection is the right to delete, which by 1 Jan. 2025 will apply to any personal data residing with EEA-originated data in the same database. Consequently, the right to delete will extend to a significant number of databases governed by Israeli laws.
Data portability rights. There is no general right to data portability under Israeli laws. However, specific laws created portability rights in certain contexts: The Financial Information Services Law, 5781-2021 establishes data portability for financial data as part of the open banking framework; The Medical Data Portability Law, 5784-2024, enacted 24 July, allows individuals to consent to the transfer of their medical information between health organizations of their choice; and, the Electricity Authority's Decision No. 61610 (13 Oct. 2021) provides data portability rights for electricity services data management.
Right to object. There is no general right to object to processing under Israeli laws. However, the Communications Law (Telecommunications and Broadcasting), 5742-1982 mandates an unsubscribe right from receiving "advertisement material" (spam) via email, text messages, fax and automated dialing systems. The PPL further provides individuals the right to demand the deletion of personal data from a database used for direct mailing.
It is yet to be seen if additional bills to amend the PPL will enhance the set of rights under the existing law.
A complex structure of fines, criminal procedures and other enforcement powers
Bill No. 13 introduces a complex structure of fines for various statutory obligations. Each obligation comes with a specific penalty, which the PPA may reduce by up to 70% based on certain considerations defined in the PPL, such as a first-time violation.
Examples of fines include:
Processing without permission. For example, a processor can be fined ILS40 million (about 10 million euros) for processing personal data without the controller's permission in a database with 5 million customers (ILS8 per customer). Similar fines apply to other violations, such as failing to provide a privacy notice or disobeying a PPA order to stop processing personal data.
Data Security Regulations violations. For example, violation of a provision under the Data Security Regulations will cost ILS320,000 (about 80,000 euros) if the database contains personal data about a million individuals. Reduced fines apply to smaller databases.
Small and micro businesses. Fines for small and micro businesses are capped at ILS140,000 (about 35,000 euros) per annum.
Maximum fine. All fines are capped at 5% of the business' annual turnover.
The reform equips the PPA with additional substantial enforcement powers, including:
• Allowing the violating entity to submit a written no-violation undertaking, backed by a bond.
• Ordering the cessation of violations.
• Issuing administrative warnings.
• Suspending or canceling database registrations.
• Conducting administrative inquiries.
• Seizing computer material under a court order.
• Conducting supervision campaigns on multiple entities in designated sectors.
• Providing prior consultations.
• Imposing immediate, complete deletion of a database under a court order.
Criminal offences under the PPL include:
Offences subject to three years imprisonment — Processing without the controller's permission, providing intentionally misleading information in the privacy notice and unauthorized disclosure of personal data from a public authority's database.
Other offences subject to penalties ranging from six months to five years imprisonment — A breach of confidentiality, certain intentional privacy violations, and interference with PPA officials' activities.
These enforcement measures reflect the comprehensive approach of Bill No. 13 in enhancing data protection in Israel.
Civil action and class actions
Israel is a highly litigious country. Privacy violations are subject to statutory and exemplary damages in civil actions, and to class actions.
Under the PPL, a privacy violation is considered a tort and, following a 2007 amendment to the law, can result in statutory damages of up to ILS100,000 (about 25,000 euros). Bill No. 13 introduces an additional layer of exemplary damages of up to ILS10,000 (about 2,500 euros) for database-related violations, such as failure to provide a privacy notice (subject to a 30-day warning) and failure to comply with requests to exercise the right of access and rectification.
Additionally, the reform extends the statute of limitations for civil actions to seven years, compared to the previous two years only.
Furthermore, in recent years, filing privacy class actions has become common practice. The current Class Actions Law, 5766-2006 does not explicitly include provisions under the PPL as grounds for filing a class action. As a result, claimants have used closely related laws, such as the Consumer Protection Law, 5741-1981, to file their claims.
However, a current bill to amend the Class Actions Law proposes explicitly adding violations of the PPL to the list of causes of action. Once enacted, privacy class actions will have a more solid statutory foundation, which will likely increase the volume of such actions.
Looking ahead
The Ministry of Justice has already drafted a bill to further amend the PPL, aiming to continue aligning the law with modern laws such as the GDPR. The draft bill introduces, inter alia, new lawful grounds for processing, expands data subject rights, and includes provisions for conducting privacy impact assessments and ensuring privacy by design.
It remains uncertain when or if the government will advance this bill, and if Israel will maintain its different regulatory scheme, or rather align it with the GDPR.
Takeaways
For years, privacy enforcement in Israel was limited. The recent reform makes a drastic change and requires greater attention to the processing of personal data, as the regulatory, civil and criminal risks become high.
GDPR compliance work does not cover all mandatory requirements under Israeli laws. It calls for a reassessment of data processing activities in Israel and for a reallocation of time and resources to be prepared for a new era of regulation.
There is no doubt that sensitive types of processing, mass-scale databases, and the use of personal data with advanced technologies, including AI systems, will be the top priorities for supervision, enforcement and litigation.
Dan Or-Hof, CIPP/E, CIPP/US, CIPM, FIP, is founder and owner of Or-Hof Law, and a founding member and owner of the Strand Alliance. As a member of the Privacy Protection Council, he took part in the Constitutional Committee's Bill No. 13 hearings and the preparation of the bill for enactment.