The Privacy Protection Authority activity report for the years 2019-2020
3 August 2021
We would like to draw your attention that on July 21, 2021, the Israeli Protection of Privacy Authority (the “PPA“) has published a biennial report summarizing its activities for the years 2019-2020 (the “Report“). In the Report, the PPA notes that 2020 was a record year in the history of the PPA, during which the PPA has issued a large number of guidelines, recommendations and policy documents, on a wide range of significant issues and engaged in various enforcement activities.
In the Report, the PPA underlines its following activities:
- Legislation, professional publications, policy documents, etc. – during the past two years, the PPA has published about 32 different publications with respect to privacy and data security, participated in various Israel Parliament (i.e. the Knesset) committees and government meetings, and worked to promote an extensive and comprehensive reform of the privacy legislation.
- Administrative enforcement – in 2020, the PPA has initiated 107 administrative enforcement proceedings, 35 of which have been completed. The Report demonstrates that the number of administrative enforcement proceedings which were initiated has increased in 2020 by about 22%, compared to 2019. The PPA notes in the Report, that it has initiated 54 administrative supervision proceedings following severe security incidents occurred in various sectors, including the technology sector which includes technology companies, R&D companies, etc., the health sector and the finance sector. Most of the administrative oversight procedures in the field of data security following severe security incidents have occurred in technology companies and in internet and communications companies.
- Criminal enforcement – as part of the criminal enforcement activity, the PPA investigated various cases, including suspicions about prohibited uses of personal data from voters’ databases, municipal databases and voters’ registries, granting access rights to sensitive data to employees outside the organization who are not authorized to receive, various suspicions regarding prohibited ways in which private investigators were exposed to sensitive data from databases without proper permissions, suspicion of “sting” regarding financial information in the framework of granting loans and suspicion of prohibited use of sensitive information by insurance agents.
- Supervision procedures – during 2020, the PPA has completed hundreds of supervision procedures in sectors defined by the PPA as high-risk sectors with respect of invasion of privacy. The PPA approached bodies in various sectors, including local authorities, nursing home companies, companies providing nursing services, companies providing medical rights exercise services, insurance agencies, corporations belonging to the sewerage, water and gas corporations, companies providing call center services, companies which manage customer clubs (and which process data on more than 100,000 data subjects), food, fuel and retail companies, human resource companies, clinics and entities that provide surgery and medical cosmetics services, insurance funds and dedicated provident funds.
The PPA’s Report highlights the need for bodies that manage and process personal data to fully implement the requirements of the Privacy Protection Law and regulations enacted thereunder, with respect to the protection of data privacy, implementation of information security requirements, internal controls, database management, etc.
Herzog Fox and Neeman