Amid uncertainty around modernizing the timeworn Protection of Privacy Law, the Israeli privacy regulator has emerged as a dominant driving force. In a series of guidelines and recommendations, the Protection of Privacy Authority aims to fill the void with EU General Data Protection Regulation-like concepts and assumes an unprecedented active role in shaping the privacy regime.
At the same time, Israeli privacy laws demand more than other data protection laws, especially in relation to cybersecurity. As a result, Israeli privacy laws gradually take after the GDPR, but require much more.
Beyond the law
In early January 2021, Clalit Health Services, the largest health care provider in Israel, appointed a new data protection officer. Months earlier, in late October 2020, the PPA introduced recommendations to appoint DPOs which may have catalyzed the Clalit decision and will likely affect additional companies and organizations.
The PPA’s recommendations were not a trivial move. Not only do Israeli privacy laws not mandate the appointment of a DPO, but they require two other positions — an information security officer and a database manager. Both positions differ from the DPO and focus mainly on the operational and administrative aspects of securing personal data. Clearly, by publishing these recommendations, the PPA went further than ever before with its activist approach, recommending a position that the law does not require.
A PPA recommendation is not a binding statutory instrument. However, the PPA has stated in the past that its guidelines reflect its interpretation of Israeli privacy laws and that it will rely on these interpretations when conducting supervision and enforcement activities. Therefore, as a best practice, an organization should follow these guidelines unless it has a substantiated reason to act otherwise.
The PPA may declare a violation of the law and impose sanctions (such as a suspension of data processing activities and complete deletion of a violating database) if the company fails to follow the PPA’s guidelines. A declaration of law violation may also expose the company to civil action, including class actions.
The recommendations to appoint a DPO follow a series of similar papers published by the PPA. Other guidelines that went beyond the explicit provisions of the Protection of Privacy Law established the following concepts:
- Data protection impact assessments.
- Data protection by design and by default.
- Withdrawal of consent.
- Enhancements to the privacy notice, including an obligation to notify the individual about the right of access.
- A duty to exercise the right of access by sending the requesting data subject digital copies of the data.
Merging into a digital economy strategy — The data portability case
On Jan. 3, 2021, the Israeli privacy, consumer protection and competition regulators
What lies ahead?
The Israeli privacy landscape is going through a transition period. It will take some time until a modern framework of the law is established. Until then, it is likely companies that do business in Israel will need to attend to a mixture of outdated laws alongside innovative regulatory guidance.
Given the PPA’s record of guiding the Israeli market toward modern privacy concepts, it will not be a surprise if it advocates additional rights, such as the right to be forgotten and the right to object to automated decision making.
The portability right position paper is the first published paper of the joint consumer protection, privacy and competition digital economy task force. It will be interesting to follow their future publications, potentially about connected devices and artificial intelligence, following the OECD Digital Economy Outlook 2020.
Takeaways
Israel is "GDPRising" its privacy laws, in a unique, semi-formal manner. Alongside, Israeli laws include requirements that go beyond the GDPR. These include, for example, the duty to appoint an information security officer; the obligation on an outsourcing service provider to submit an annual compliance report to the data controller; and the requirement to retain security logs and other security-related data for 24 months.
Our takeaways at this point:
- Stay tuned for further developments.
- Be prepared for non-standard requirements from your Israeli clients and business partners, mainly related to cybersecurity.
- Make sure that you are aware of the entire statutory and regulatory landscape which applies to your activities in the Israeli market.