Amendment No. 13 to the Israeli Privacy Protection Law
5 August 2024
Dear Clients and Colleagues,
On August 5th, 2024, the Israeli Parliament officially approved Amendment No. 13 to the Privacy Protection Law, 5741-1981 (hereinafter: the “Amendment” and the “Law”, respectively). The Amendment includes substantial changes to Israeli privacy legislation. Its main objectives are to adapt the outdated privacy legislation to current challenges in the protection of personal data in databases, to improve the enforcement powers granted to the organs responsible for enforcing the Law, and to align the Law with the modern data protection arrangements prevailing in leading countries worldwide, primarily the General Data Protection Regulation (GDPR) of the European Union.
The Amendment will enter into effect one year after its publication (i.e., in August 2025).
We would like to inform you of several key changes introduced by the Amendment, as detailed below:
1. Fundamental Definitions: The Amendment introduces significant changes to the definitions of various terms within the Law. For instance, the term “Data” has been replaced with “Personal Data”, which now has a broad definition encompassing any data relating to an identified or identifiable individual, where an “identifiable individual” is defined as one who can be identified by reasonable effort, directly or indirectly, including by identifiers such as an ID number, location data, etc.
Additionally, the definition of “Sensitive Data” has been replaced with “Highly Sensitive Data”, which now includes various types of personal data such as private affairs, sexual orientation, medical data, genetic data, political opinions, religious beliefs, criminal records, location data, biometric identifiers, ethnicity, personality assessments, salary and financial activity, and personal data subject to a statutory confidentiality obligation.
Further, the Amendment adds a definition for the term “Controller” and a revised definition for the term “Holder”. These terms are now defined similarly to their corresponding terms under foreign privacy legislation. Consequently, a “Controller” will be an entity that determines, alone or jointly with another, the purposes of data processing in the database, and a “Holder” will be an entity external to the data controller that processes data on its behalf.
2. Reduction of the Obligation to Register Databases: The Amendment significantly narrows the scope of the obligation to register databases with the Privacy Protection Authority (the “PPA”), by requiring such registration only with respect to the following types of databases:
a. Databases for the Commercialization of Personal Data: Databases containing data on more than 10,000 individuals, primarily intended for collecting personal data in order to transfer it to third parties by way of occupation or for the purpose of receiving consideration (including direct mailing services).
b. Databases of Public Bodies: Databases whose controllers are public bodies as defined under the Law, such as government institutions, entities performing public functions by law, or certain entities specified in an order issued under the Law (excluding the employee databases of such public bodies).
3. Reporting Obligation of Databases with Highly Sensitive Data: In addition to the reduced mandatory registration obligation outlined above, the Amendment introduces a new reporting obligation. Under this obligation, controllers of databases that are not subject to the registration obligation but contain Highly Sensitive Data (as newly defined in the Amendment and detailed in Section 1 above) on more than 100,000 individuals must report to the PPA within 30 days of meeting such conditions. The report shall include the following details: (a) the identity of the controller, its address, and contact details; (b) the identity of the data protection officer (if its appointment is legally required) and its contact details; and (c) a copy of the database definition document prepared in accordance with the Protection of Privacy Regulations (Data Security), 5777-2017 (the “Data Security Regulations”).
Any changes to the above reported details or the cessation of operation of the database must be reported by the controller to the PPA within 30 days as well.
4. Expansion of the Notification to Data Subjects: Prior to the Amendment, Section 11 of the Law determined that any request to a person to obtain personal data for the purpose of retention or use in a database must be accompanied by a notice detailing whether such person is legally obligated to provide the data or whether its provision depends on his/her own will and consent; the purpose for which the data is requested; and to whom the data will be transferred and for what purposes.
Following the Amendment, the transparency requirement towards data subjects has been expanded, and the notification to data subjects must also include the consequences of refusing to provide the data, the name of the database’s controller and its contact details, as well as the data subject’s rights of access and correction under the Law in connection with his/her personal data.
5. Mandatory Appointment of a Data Protection Officer: The Amendment requires, for the first time, the appointment of a data protection officer, and details his/her duties and qualifications (before the Amendment, the appointment of a data protection officer was voluntary, according to a non-binding recommendations document published by the PPA).
The following entities will be obligated under the Amendment to appoint a data protection officer: (a) controllers of databases required to be registered with the PPA as detailed in Section 2 above; (b) controllers or holders whose main activities involve data processing or require such processing which, due to its nature, scope, or purposes, necessitates regular and systematic monitoring of individuals, including significant tracking or surveillance of behavior, location, or actions on a significant scale; and (c) controllers or processors primarily involved in processing Highly Sensitive Data on a significant scale, including banking corporations, insurers, hospitals, and health funds.
“Significant Scale Data Processing” under the Amendment will be determined based on, among other things, the number of data subjects whose data is being processed, their proportion of a specified population, the data volume, the range of data types, the duration and frequency of processing activities, the retention period, and the geographical area of processing activities.
The data protection officer will be responsible for ensuring compliance with the Law’s provisions by the controller or holder of the database; promoting privacy protection and information security in the database; serving as a professional authority and knowledge center for the entity in which he/she was appointed; preparing a plan for ongoing monitoring of compliance with the Law’s provisions, ensuring the implementation of such plan and reporting on it to the entity’s management; serving as the point of contact for the PPA; ensuring the existence of a data security procedure and a database definitions document as required under the Data Security Regulations; handling data subject requests; etc.
6. Revocation of Certain Obligations of Holders: Prior to the Amendment, the Law imposed certain obligations on holders of five or more databases that require mandatory registration; e.g., such holders were obligated to submit an annual report to the PPA regarding such databases. This obligation has been abolished as part of the Amendment.
7. Preliminary Opinions: The Amendment establishes, for the first time, the possibility for controllers or holders of databases to request preliminary opinions from the PPA regarding the compliance of their databases or data processing practices with the Law. This includes establishing timelines for issuing the preliminary opinion or notifying of a refusal to issue such opinion, the PPA’s right to publish the opinion, and specifying circumstances in which an opinion will not be provided, such as theoretical or academic requests.
8. Enforcement and Supervision Powers: The Amendment significantly expands the PPA’s powers and establishes various tools for effective enforcement of the Law.
For example, the Amendment regulates the sectoral audits that the PPA already conducts, as well as the PPA’s ability to enlist the assistance of external parties and experts. Additionally, the Amendment includes comprehensive provisions regarding supervision and administrative sanctions in Security Bodies.
The Commissioner of the PPA has been granted authority to use various administrative enforcement tools, such as: issuing orders to cease violations of the Law in certain cases; imposing financial penalties for violating the Law and/or the Data Security Regulations, where the amount of the penalty varies based on the type of violation, the number of data subjects whose data is included in the database, repeated or ongoing violations, etc., and may reach hundreds of thousands of NIS (or even millions of NIS in certain circumstances); issuing administrative warnings instead of financial penalties, detailing the violation and warning that failure to cease the act will lead to a financial penalty, and requiring a written commitment to cease the violation, which may include the submission of a deposit; seeking a court order for the cessation of certain data processing activities or the deletion of personal data in case of a suspected violation; and more.
The Amendment also extends the investigative powers granted to the PPA’s employees and adds additional penal offenses beyond those currently stipulated by the Law.
9. Statutory Damages: Prior to the Amendment, the court’s authority to award statutory damages without proof of damage was limited to cases of infringement of privacy and did not include the possibility of awarding statutory damages for violations of the Law concerning databases and data processing practices. Under the Amendment, the court may also award statutory damages without proof of damage for causes of action related to databases and data processing, up to an amount of NIS 10,000.
Amendment No. 13 to the Law marks a significant reform in Israeli privacy legislation, requiring appropriate preparations by all entities processing personal data in databases, including entities that have previously examined their compliance with the Law. Such preparations should include, among other things, a thorough review of the obligation to register databases or file reports regarding them with the PPA; the content of notices given to data subjects; compliance with the Law’s provisions regarding data subjects’ rights to access and correct their personal data; compliance with the Data Security Regulations; the need to appoint a data protection officer; and more.
We will be happy to assist you with any questions or clarification.
Kind Regards,
Regulation Team – Commercial Department