The Israeli Privacy Protection Regulations (Data Security), 5777-2017 entered into force concurrently with the EU General Data Protection Regulation in May 2018. The regulations significantly expanded the privacy protection obligations that apply to most of the companies operating in Israel. This article answers five key questions relating to the year that has passed since the regulations came into effect.
What do the regulations require?
The regulations impose detailed information security requirements upon any organization that is in possession of a database containing personal data – including data relating to employees, candidates for new positions, consumers, etc. At the heart of the regulations lies the requirement to adopt (and implement) a written policy for protecting the organization’s personal data, while addressing aspects such as physical security, the management of access authorizations, network security and risk management. The regulations also require organizations to immediately report data breaches to the Privacy Protection Authority.
The company is required to map and document the types of personal data that are collected or kept by the company, the purposes of such collection of data, the people who have access to the data and more. Additionally, under certain circumstances, the regulations require a report be submitted to the Registrar of Databases accounting for any unauthorized access or harm to the integrity of personal data. The regulations also require the company to examine and to regulate — by way of an agreement — information security and privacy aspects in any engagement with a third party that receives access to personal data.
Essentially, the regulations have created a new and binding information security standard that applies to most companies operating in Israel, many of which have already taken or have begun to take measures for implementing the regulations.
How have the regulations affected commercial agreements?
In the year that has passed since the regulations came into effect, we have witnessed a significant increase in commercial agreements that contain information security and privacy protection requirements. In addition, we have identified an increase in the inclusion of data protection aspects in mergers and acquisitions transactions (as part of the due diligence process, in the representations and warranties, etc.).
Among others, this means a violation of the regulations would not only expose the violating company to sanctions imposed by the Privacy Protection Authority (as set forth below), but it may, in some circumstances, also expose the company to civil litigation for a breach of a contractual undertaking.
Does a company that has implemented the GDPR necessarily comply with the requirements of the regulations?
The GDPR sets forth general principles relating to securing personal data, while the regulations include specific and detailed provisions with respect to the security measures that a company is required to take for protecting such data. Accordingly, even though the GDPR is currently one of the world’s most comprehensive data protection laws, the regulations do indeed impose requirements that are not explicitly addressed in the GDPR.
What about enforcement?
The Privacy Protection Authority takes enforcement measures in connection with violations of the Protection of Privacy Law, 5741-1981 and the regulations. Among others, the Privacy Protection Authority established a new Supervision and Enforcement Unit in 2018, tasked, inter alia, with identifying breaches of the regulations. As part of its activity, the unit requires organizations to provide detailed information on the manner in which they implement the regulations. While the Privacy Protection Authority has not yet published statistics on the unit’s activities, we estimate that, as of July 2019, the unit has approached hundreds of companies.
In addition, based on the Privacy Protection Authority’s recent publications, since May 2018, the authority has conducted 146 enforcement actions connected to severe data breaches.
What are the possible sanctions?
For breach of the regulations, the Registrar of Databases is authorized to suspend or cancel the registration of the relevant database, in a manner that would practically prohibit use of the database. In addition, the Privacy Protection Authority may publicize its conclusion that the company has violated the Law or the regulations. Beyond the possible damage this may cause to the company’s reputation, such publication could also expose the company to civil litigation in connection with the violation.
Of additional note, in early 2018, the government introduced a bill that would allow significant financial sanctions to be imposed for a violation of the regulations. It is reasonable to assume that the government will promote the bill after the forthcoming elections.
The regulations constitute an important milestone in Israel’s data protection laws and reflect the global trend of strengthening the protection of personal data.
A year after entering into effect, the regulations have indeed had an impact on companies and transactions in Israel. Companies should take steps to ensure that they are compliant with the regulations. Such compliance would not only reduce the company’s regulatory exposure, but may also contribute to its reputation and strengthen the trust that employees and customers have in the company.