Culminating more than six years of back-and-forth negotiations, the Israeli Parliament approved extensive, far-reaching data security regulations on March 21, setting forth detailed requirements for a broad swath of data controllers and processors in Israel’s public and private sectors. Israel Minister of Justice Ayelet Shaked succeeded in advancing the Privacy Protection Regulations (Data Security), 5777-2017, in the face of intense lobbying by regulators, government agencies and businesses, some of which tried to exempt their operations from the scope of the new requirements.
“The approval of the Regulations is a landmark in the protection of personal data and privacy,” Shaked said.
Israel’s data protection regulator, Alon Bachar, head of the Israeli Law, Information and Technology Authority (ILITA), whose powers were expanded by the regulations, added, “this is an important step in the strengthening of data security and enforcement of the Privacy Protection Act.” The regulations set forth a long list of requirements practically unprecedented around the world for their scope, level of detail, and legal effect. While not specifying sanctions, the regulations detail the data security requirement in Section 17 of the Privacy Protection Act, violation of which can constitute a criminal offense or a civil tort.
The new regulations include, for the first time under Israeli law, a security breach notification obligation to ILITA and, in some instances, to data subjects. They impose substantive data minimization provisions and require organizations to appoint an information security officer and enroll staff in privacy and data security training. They include provisions on outsourcing, encryption, audits, penetration testing, documentation, backup and recovery, and more.
The provisions are sometimes strikingly granular, for example, requiring multi-factor user authentication and password rotation at least once every six months.
The regulations are modular, applying different rules to “regular” personal databases; to databases subject to a medium level of security, including, for example, databases containing medical, genetic, biometric or financial data, criminal records or communications metadata; and to databases subject to a high level of security, including those “medium-level databases” that include information of more than 100,000 data subjects or provide authorized access to more than 100 individuals. The regulations will phase-in over a period ranging from 30 days, for some provisions, to one year for others.
The passage of the regulations comes as Israel’s privacy regime, deemed “adequate” under European data protection law, comes under the scrutiny of European policymakers, in light of the Schrems decision of the Court of Justice of the European Union and the passage of the General Data Protection Regulation. One area that will likely attract attention is the extent of lawful government access to data in Israel, which has a strong security apparatus (see overview of the state of play in Israel in a piece I wrote in 2012).
The regulations will add to existing layers of data security obligations under Israeli law. For example, all outsourcing transactions of personal data are subject to Database Registrar Instruction 2-2011 on the Use of Outsourcing Services for Data Processing, which sets forth detailed security requirements. In addition, sector-specific provisions apply, for example, to the banking industry, under the Supervisor of Banks Proper Conduct of Banking Business Directive 357 on Information Technology Management and Directive 361 on Cyber Defense Management. On June 29, 2015, the Supervisor of Banks added specific data security requirements for the cloud in a letter to bank CEOs concerning Risk Management in a Cloud Computing Environment.
Widely considered a global cyber power, Israel established in 2011 the National Cyber Bureau in the Office of the Prime Minister and created a National Cyber Defense Authority in 2015 as well as a National Cyber Event Readiness Team (CERT-IL). Under the Regulations, in certain data breach cases, ILITA is required to consult with the Cyber Authority.
These new regulations will surely pose a significant compliance task for companies operating within Israel and may affect global multinationals and regional companies collecting the data of Israeli citizens.