Do Israeli privacy laws mandate the appointment of a data protection officer? The simple answer is that currently, it is not entirely clear. Israel faces significant changes to its privacy laws and the duty to appoint a DPO may either become part of the law or remain a regulatory recommendation only.
On Jan. 25, the Protection of Privacy Authority released guidelines on the appointment of data protection officers, their roles and responsibilities. The guidelines set forth recommendations and requirements and is accompanied by a training kit on how to effectively instate this position within the organization.
In this article, we review the recently published guidelines on DPOs and a set of introduced bills to amend the Protection of Privacy Law and explain the interplay between them.
Three partial bills
The Israeli privacy landscape is going through a transition period. On Jan. 5, the government introduced Bill No. 14 (available here in Hebrew), a substantial amendment to the Protection of Privacy Law, 1981, encompassing previously proposed updates to the law with certain additions. Bill No. 14 predominantly focuses on the enhancement of the Protection of Privacy Authority supervision and enforcement powers. The Justice Department that authored Bill No. 14 commented the bill will be followed by Bill No. 15, which will introduce amendments to material elements of the law.
Two weeks later on Jan. 20, the government passed a resolution to support a non-governmental bill (available here in Hebrew) authored by Knesset (the Israeli Parliament) Member Michal Rozin with a self-explanatory title: “Class Actions Bill (Amendment — Class Action for Violation of Privacy), 2021.” According to the resolution, this bill will be added to a governmental bill addressing this subject.
Soon after, on Jan. 31, the chairman of the Constitution Law and Justice Committee in the Knesset, Gilad Kariv, introduced a third bill titled: “Strengthening and Protecting the Right to Privacy, 2022” (available here in Hebrew). This is a private, non-governmental bill, though Knesset Member Kariv is a member of the labor party, which is part of the government coalition. Whether the government will support this bill is yet to be seen.
Kariv’s bill focuses on provisions like the EU General Data Protection Regulation that are missing in the governmental Bill No. 14, presumably taking the edge off the forthcoming Bill No. 15. These include, for example, lawful grounds of processing, new data subject rights such as the right to be forgotten and the right to withdraw consent, and aligning definitions with the GDPR. The bill also establishes privacy violations as a cause of action under the Class Actions Law, 2006.
Statistically, non-governmental bills are rarely enacted. However, Kariv’s committee oversees the hearings on the governmental Bill No. 14 as part of the legislation process. Consequently, there are greater odds to the inclusion of Kariv’s non-governmental bill, or parts thereof, into the forthcoming amendment to the law. Additionally, the government has already expressed formal support to Knesset Member Rozin’s bill on privacy class actions. The outcome may be a combined update that will align the PPL with the GDPR and even go beyond.
Yet, none of the bills introduce an obligation to appoint a DPO. Presumably, the introduction of Bill No. 14 and the government’s support to Knesset Member Rozin’s bill have driven the PPA to release its finalized DPO recommendations. The lack of reference to DPO appointment in Knesset Member Kariv’s bill, published after the PPA released their DPO guidelines, adds to the importance of the PPA guidelines.
The PPA posted their draft DPO guidelines for public review in October 2020. The timing for publishing the final version of the guidelines in January 2022 appears as an effort by the PPA to establish the DPO role in organizations where the current law and bills fail to do so.
What do the DPO guidelines encompass?
The PPA indicates that appointing a DPO is a crucial element to enhance the level of data protection compliance. It promotes accountability, ensures the proportionality of privacy-harming activities and optimizes the protection of the right to privacy within the organization.
In the eyes of the PPA, the role, duties and responsibilities of the DPO are similar but not identical to the GDPR’s view.
Under the PPA guidelines, organizations need to appoint a DPO if they are large, if their core activities encompass processing of personal data, or if they are processing personal data on a large scale.
The DPO has 15 separate duties. These include, for example, drafting the organization’s privacy policy; implementing the privacy-by-design and by-default concept; overseeing the privacy procedures and policies; conducting impact assessments; ensuring the implementation of an information security risk assessment; handling complaints; preparing annual compliance plans; submitting annual reports to the management; training personnel and serving as the organization liaison to the PPA.
The PPA further provides that the DPO must be involved with all substantial matters related to personal data processing in the organization, from the very start of each process. The DPO should be knowledgeable and trained, equipped with sufficient resources and authority, professionally independent, and should not assume conflicting positions.
Interestingly, though the PPA has authority to impose the provisions of the PPL over public entities such as government ministries and municipalities, the PPA refrains from recommending the appointment of DPOs in these entities. This seems a major flaw in the guidelines because public entities hold some of the largest and most sensitive databases and are responsible for some of the most severe cases of unauthorized use of personal data.
‘GDPRing’ the law
The PPA’s move does not come as a surprise. During 2020 and 2021, the PPA released more than 40 guidelines, recommendations and opinions. In many of them, the PPA goes beyond mere interpretation of the law and recommends adopting EU data protection concepts that do not exist under current Israeli law.
These include, among other things, privacy impact assessments, implementing the privacy-by-design and by-default principles, setting up cookie consent management for digital payment services and adding disclosures in the privacy notice.
The DPO guidelines are another similar effort by the PPA that goes even one step further. The current law does not mandate an appointment of a DPO. Instead, it requires the appointment of two other positions. Both are not addressed by the GDPR and are different from the role of the DPO — an information security officer and a database manager. These positions focus mainly on the operational and administrative aspects of securing personal data.
The PPA tries to align the DPO role with these two positions by stating the DPO can also assume the position of the database manager and should instruct the information security officer on privacy-related matters.
Is it binding?
None of the PPA’s opinions and guidelines constitute a binding statutory instrument. However, much like with other DPAs, these regulatory documents reflect the regulator’s view on how to comply with the law. Accordingly, the PPA relies on its own published interpretations for supervision and enforcement activities.
Statistically, organizations tend not to challenge the PPA’s enforcement decisions in court, thereby making these decisions de facto law. However, enhancement of the PPA’s enforcement powers, as proposed in a forthcoming change to the Protection of Privacy Law in Bill No. 14, may entail a significant shift in how organizations view the PPA’s enforcement activities. Under the bill, the PPA will have substantial powers, including police-like investigative authority and the ability to impose hefty fines. Companies will likely have a stronger incentive to challenge the PPA in court, including the PPA’s interpretation of the law.
At this stage, the PPA recommendation to appoint a DPO, as clearly stated in the guidelines, is a best practice. An organization that does not appoint a DPO will not be subject to a sanction for failing to do so. However, without appointing a DPO, the PPA may view other violations of the law as more severe, and vice versa, appointing a DPO may lead to a more lenient approach by the PPA.
Key takeaway
If personal data processing plays a major role in the organization’s activities, appointing a DPO would be the best practice. This is probably the obvious advice in many other jurisdictions as well.
In practice, it is left for the organization’s discretion. While discretion enables better maneuvering of the compliance efforts with the organization’s business needs, it also entails a higher level of uncertainty.
A documented risk-based assessment, as the basis to decide whether to appoint a DPO or not, which will evaluate all relevant aspects, would be the right course of action.
Photo by Shai Pal on Unsplash