Amid uncertainty around modernizing the timeworn Protection of Privacy Law, the Israeli privacy regulator has emerged as a dominant driving force. In a series of guidelines and recommendations, the Protection of Privacy Authority aims to fill the void with EU General Data Protection Regulation-like concepts and assumes an unprecedented active role in shaping the privacy regime.
At the same time, Israeli privacy laws demand more than other data protection laws, especially in relation to cybersecurity. As a result, Israeli privacy law is gradually converging on the GDPR while still requiring considerably more.
Beyond the law
In early January 2021, Clalit Health Services, the largest health care provider in Israel, appointed a new data protection officer (DPO). Months earlier, in late October 2020, the PPA introduced recommendations to appoint DPOs, which may have catalyzed the Clalit decision and will likely affect additional companies and organizations.
The PPA's recommendations were not a trivial move. Israeli privacy laws do not mandate the appointment of a DPO; instead, they require two other positions, an information security officer and a database manager. Both positions differ from the DPO and focus mainly on the operational and administrative aspects of securing personal data. By publishing these recommendations, the PPA went further than ever before with its activist approach, recommending a position that the law does not require.
A PPA recommendation is not a binding statutory instrument. However, the PPA has stated in the past that its guidelines reflect its interpretation of Israeli privacy laws and that it will rely on these interpretations when conducting supervision and enforcement activities. Therefore, as a best practice, an organization should follow these guidelines unless it has a substantiated reason to act otherwise.
The PPA may declare a violation of the law and impose sanctions (such as a suspension of data processing activities and complete deletion of a violating database) if the company fails to follow the PPA’s guidelines. A declaration of law violation may also expose the company to civil action, including class actions.
The recommendations to appoint a DPO follow a series of similar papers published by the PPA. Other guidelines that went beyond the explicit provisions of the Protection of Privacy Law established the following concepts:
- Data protection impact assessments.
- Data protection by design and by default.
- Withdrawal of consent.
- Enhancements to the privacy notice, including an obligation to notify the individual about the right of access.
- A duty to exercise the right of access by sending the requesting data subject digital copies of the data.
Merging into a digital economy strategy — The data portability case
On Jan. 3, 2021, the Israeli privacy, consumer protection and competition regulators formally recommended, in a joint draft policy paper, the enactment of a data portability right. These three authorities joined forces in September 2019 as part of Israel's effort to create a digital economy strategy and, specifically, to confront the rising power of social media networks and digital platforms.
In essence, the draft policy paper proposes as follows:
- The right of data portability should be enacted.
- The right will apply only to digital personal information that the individual provides, or that is obtained through observation (e.g., through online monitoring); it will not apply to inferred data.
- Data users must transfer the data securely to the individual or directly to a third party, at no cost, in a standard format.
- The right will not apply to entities that do not cross thresholds of activity volume and number of customers.
- Additional regulation is needed for specific sectors, e.g., the financial, communications and energy sectors, where the data portability right is particularly important.
The draft policy paper differs from the PPA's other guidelines. It is specifically aimed at the government, rather than the private market, with an express recommendation to enact the right of data portability, expressing another angle of the PPA's activist approach.
Some may argue that the PPA has already established a de-facto portability right, in its 2017 guidelines on the right of access, which required controllers to send digital files to the requesting data subject in response to a data access request.
The origins of the PPA regulatory activism
Arguably, the PPA may have gone one step too far by assuming authority that is typically reserved to the legislator. However, the PPA receives support from those who look favorably on its efforts to adapt the law to the 21st century.
Five processes have likely shaped the PPA’s approach in recent years:
- For the past two years, Israel has suffered from political instability, which affects the ability to advance substantial legislation. While the justice department has introduced two bills to amend the Protection of Privacy Law and is in the process of drafting a third, it is unclear what lies ahead from a legislative perspective.
- In its May 2019 report, the Israeli State Comptroller criticized the PPA for publishing only 15 guidelines in a decade.
- The EU is revisiting the 2011 adequacy recognition of Israel. Given the enactment of the GDPR in May 2018 and the July 2020 Court of Justice of the EU "Schrems II" decision, it is reasonable to assume that Israel invests efforts in convincing the Europeans to maintain the recognition. It is also likely that the PPA is taking an active role in this effort.
- The PPA has been increasingly active in COVID-19-related legislation and regulation. As a result, during 2020, awareness of the PPA in government ministries and among the Israeli public increased, which may have incentivized the PPA to become even more active.
- Currently, the PPA has limited enforcement powers. As a result, in 2018 and 2019, the PPA took a different regulatory approach by proactively conducting mass supervision activities, which resulted mainly in orders to close compliance gaps rather than the imposition of fines or indictments. The various published guidelines have contributed to the PPA's innovative supervision approach, as evident in the PPA's campaign reports, which reference those guidelines.
What lies ahead?
The Israeli privacy landscape is going through a transition period. It will take some time until a modern framework of the law is established. Until then, companies that do business in Israel will likely need to attend to a mixture of outdated laws alongside innovative regulatory guidance.
Given its record of guiding the Israeli market toward modern privacy concepts, it will not be a surprise if the PPA advocates additional rights, such as the right to be forgotten and the right to object to automated decision-making.
The portability right position paper is the first published paper of the joint consumer protection, privacy and competition digital economy task force. It will be interesting to follow their future publications, potentially about connected devices and artificial intelligence, following the OECD Digital Economy Outlook 2020.
Israel is "GDPRising" its privacy laws in a unique, semi-formal manner. At the same time, Israeli laws include requirements that go beyond the GDPR. These include, for example, the duty to appoint an information security officer; the obligation on an outsourcing service provider to submit an annual compliance report to the data controller; and the requirement to retain security logs and other security-related data for 24 months.
Our takeaways at this point:
- Stay tuned for further developments.
- Be prepared for non-standard requirements from your Israeli clients and business partners, mainly related to cybersecurity.
- Make sure that you are aware of the entire statutory and regulatory landscape which applies to your activities in the Israeli market.