The Israeli Privacy Protection Authority (the “PPA”) has recently published a new draft guidance (the “Guidance” or the “draft Guidance”), outlining the role and responsibilities of boards of directors in fulfilling organizations’ obligations according to the Protection of Privacy Regulations (Data Security) 5777-2017 (the “Protection of Privacy Regulations” or the “Regulations”).
As the PPA explains, the Regulations stipulate obligations and actions that a database controller, its processor and its manager are required to perform in order to fulfill their responsibilities under the Privacy Protection Law, 5741-1981 regarding the security of the data in the database.
Per the PPA, although the Regulations do not explicitly determine the organ responsible for carrying out the obligations imposed on the company, the PPA’s position is that considering corporate governance principles and the customary division of duties between the organs of a corporation, in general, in companies in which the processing of personal data is at the core of the activity or it is probable that their activity will create increased risk to privacy (i.e. due to the nature of the organization, such as companies specifically involved in data trading; or considering the sensitivity of the processed data; or the volume of the data or the number of authorized users), the performance of certain supervisory duties specified in the draft Guidance, imposed under the Regulations on a company as a database controller or processor – should be carried out by the company’s board of directors.
The PPA refers to several responsibilities the board of directors holds. This includes determining the organs within the organization responsible for carrying out the Regulations’ requirements, applying a mechanism for supervision, monitoring, compliance, reporting and updating on the fulfillment of the requirements under the Regulations by those responsible; and making policy decisions regarding the ways personal data are used by the organization, and other material decisions on data administration.
In addition, notwithstanding the generality of the above, according to the draft Guidance, it is suggested that the board of directors will carry out the following duties (which are of a “supervisory” nature, according to the PPA draft Guidance) mandated by the Regulations:
– Approval of the database definitions document.
– Approval of the main principles of the organization’s data security procedure.
– Holding a discussion on the results of the data security risk assessment and penetration test and approving the necessary corrective actions for the defects found.
– Holding a discussion on data breaches that occurred in the organization, once a year or quarterly, depending on the database security level.
– Holding a discussion on the periodical audit reports on compliance with the Regulations.
The draft Guidance stipulates that, in certain situations, taking into account the privacy risks involved, the board of directors may designate another organ within the organization, to be responsible for carrying out these duties, provided that the board still supervises their de-facto implementation. The draft Guidance emphasizes that the board of directors should adequately document its decision-making on this matter, as well as the implementation of other necessary actions under the Regulations.
The draft Guidance provides that neither does it exempt nor reduce the responsibilities of the organization’s CEO, the management of the organization, or any other organ authorized to carry out the duties imposed by the Regulations, under the organization’s articles of association or under any law.
According to the draft Guidance, the PPA’s position is based on a purposive interpretation of the Privacy Protection Law and the Regulations and is also in line with Israeli corporate law. The PPA notes that it is also in line with corporate case law in the United States, which is gaining traction in the rulings of the Israeli courts, and the PPA specifically refers to the Caremark case.
To sum up, it should be noted that the draft Guidance suggests that in certain circumstances (regarding companies that processing of personal data is at the core of their activity or when their operations pose an increased risk for privacy) concrete performance obligations shall be imposed on the board of directors itself, in connection with the Protection of Privacy Regulations.
As the draft Regulation had been open for public comments until December 2023, we have hosted a “Round Table” together with Israel Directors Union lately, to examine the draft Guidance from different perspectives, amongst them the scope of the directive’s applicability, as well as clarifying the roles of the board of directors and where the dividing line between supervisory duties and execution is to be drawn.
*The review was written by Vered Zlaikha, partner and the head of Cyber Affairs & Artificial Intelligence practice, Technology. Corporate. M&A Department.
This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.