0n August 5th, 2024, the Knesset (Israel Parliament) approved a significant amendment (Amendment No. 13) to the Protection of Privacy Law, 5741 – 1981 (“the Amendment“).
The Amendment is expected to have a substantial impact on many organizations and companies operating in Israel, and will significantly strengthen the powers of the Privacy Protection Authority and the enforcement mechanisms of obligations under the Protection of Privacy Law and data security regulations.
As noted by the Privacy Protection Authority in its public announcement upon the law’s approval, the Amendment aims to clarify existing legislation in the field, establish new arrangements in certain areas, and strengthen enforcement. It aims to adapt the legislation to the challenges of the digital age and current technological atmosphere, enhance the safeguards of privacy, and bolster the resilience in relation to increasing cyber threats. The Amendment is coherent with some significant developments in privacy regulations globally in recent years, and is also considered another step in aligning Israel Privacy law with EU data protection normative framework, taking into account EU Commission Adequacy decision (reaffirming Israel’s adequacy status regarding privacy and data protection) adopted in January 2024.
Adopting this amendment, Israel demonstrates its commitment to upholding the highest privacy and data protection standards.
Main components of the Amendment, considering the Privacy Protection Authority’s (“the PPA”) announcement, include the following:
- Significant Expansion of the PPA Supervisory and Enforcement Powers:
The Amendment significantly expands the supervisory and enforcement powers of the Privacy Protection Authority for infrigements of the law. For the first time, the law enshrines the PPA’s power to impose substantial financial sanctions for violations of the law and regulations thereof (including the Privacy Protection (Data Security) Regulations, 5777-2017).
It also formalizes the administrative enforcement powers and criminal investigation powers of the PPA. Furthermore, the PPA could act to seek a judicial order to cease processing of personal data, to stop infrigements of the law.
The Amendment also allows for requesting a pre-ruling opinion by the PPA in relation to compliance. - New Obligation to Appoint a Data Protection Officer (“DPO”):
For the first time, the legislation mandates the appointment of a DPO in certain organizations. In brief, at the private sector, that includes, inter alia, any organization whose primary business includes extensive processing of sensitive personal data such as banks and insurance companies. The amendment specifies the qualifications required for appointment to this position, as well as a range of responsibilities imposed on the DPO. - A regulatory relief in relation to the Obligation to Register Digital Databases:
Under the Amendment, the obligation imposed on private sector entities to register databases will almost entirely be abolished, with certain exceptions. Furthermore, if the number of individuals whose sensitive data is held in an unregistered database exceeds 100,000, an obligation to notify the PPA shall apply (regarding the identity of the controller, its address, contact details,as well as the identity of the DPO, if applicable).
The changes regarding the registration obligation do not derogate from other applicable substantive provisions. - Definitions’ adaptation to Technological, Social, and Economic Developments:
The Amendment adapts definitions to technological, social, and economic developments and modern privacy legislation, expanding or detailing the types of protected data and the range of uses, including an updated and detailed definition of types of personal data that constitutes “data of special sensitivity”, aligning this with international standards developed, including the EU’s General Data Protection Regulation (GDPR). - New Prohibitions on Processing Unlawful Collected Personal Data and New Criminal Offenses in Databases:
A dedicated chapter of criminal offenses in databases has been added, including processing data without the authorization of the database controller; intentionally misleading a person when contacting to obtain personal data; and a comprehensive prohibition on performing any action on personal data collected unlawfully.
Effective Date: the Amendment will come into effect within one year of its publication, i.e. on August 14th 2025.
To sum up, the Amendment reflects a major legislative development with implications for many organizations in the economy, as described only briefly above, and includes detailed provisions.
Organizations and companies should examine the implications of the Amendment, considering the types of data they process and nature of their business, and formulate mechanisms and procedures to comply with applicable legal requirements.
The Amendment is expected to further enhance Israel’s ability to engage in international trade and cooperation with countries that demand high privacy and data protection standards, in conjunction with the EU Adequacy Decision abovementioned.
As always, we will be glad to provide any legal assistance and guidance regarding the Amendment, and all related legal aspects thereof, as may be required.
To read the Privacy Protection Authority’s announcement regarding the amendment (Heb.).
The review was written by Adv. Vered Zlaikha, Partner and Head of Cyber Affairs & AI Practice.