On Thursday, July 23, 2020, the Israeli Ministry of Justice published for public comment the draft Protection of Privacy Bill (Amendment) (Definitions and Limiting Registration Obligations), 2020 (in Hebrew, here). The draft bill aims to reduce, but not eliminate, the obsolete duty to register databases containing personal information. At the same time, it seeks to update important definitions in the statute, including by broadening the definition of “information” for consistency with other modern laws around the world.
The government plans to subsequently introduce two additional draft bills to revamp Israel’s 1981 Privacy Protection Law (unofficial translation available here). Bundled with the current draft bill, the three bills would constitute a genuine reform to the outdated law:
- One other draft bill would seek to enhance the supervisory and enforcement powers granted to the Israeli Protection of Privacy Authority. This legislative measure has failed twice in the past. It was introduced in 2011 (Legislative Amendment no. 12, in Hebrew, here) and then again in 2018 (Legislative Amendment no. 13, in Hebrew, here). Each of these failed to advance past the hurdle of the first reading at the Knesset, the Israeli legislature.
- Another draft bill would seek to effectuate the “substantive amendments needed to update the existing law and adjust it to today’s modernity. This amendment is expected to include substantive matters such as expanding the legal bases for data processing beyond mere consent and statutory obligation, broader and up-to-date data subject rights and arrangements reflecting the accountability of data controllers and data processors”.
The Reform’s Structure
Thursday’s draft bill indicates that the Israeli Ministry of Justice does not plan to supplant the existing statute with a completely new one. This approach has its practical advantages amid Israeli politics and also legal benefits – but it certainly has drawbacks.
- On the one hand, the law’s foundations and many of its definitions would remain unchanged. This promotes legal certainty and the ability to rely on some of the existing Israeli case-law on privacy. It also appears that the Ministry of Justice is not planning to amend Chapter One of the law, which addresses traditional notions of privacy. Instead, it plans to focus only on automated processing of personal data, to bring the 1981 law closer to the EU GDPR which governs ‘data protection’.
- On the other hand, the foundations of the outdated law affect the modernization of at least two matters. First, it appears that the law’s quintessential element remains “database” rather than “information”. The view on this will become clearer as the subsequent draft bills are published. Second, the Ministry of Justice opts to not eliminate the obsolete duty to register databases, but only to downscale it.
Growing Fear for the Revocation of Israel’s Adequacy Status
The draft bill was published one week after the European Court of Justice’s decision in the Schrems II case, which invalidated the Privacy Shield program as a mechanism for transferring personal data from the EU to the US. The timing of the draft bill’s publication suggests a growing concern at the Ministry of Justice that the EU Commission will repeal Israel’s recognition as an “adequate” jurisdiction to which personal data of EU data subjects can be transferred seamlessly.
Since the adoption of the GDPR, the EU Commission has reevaluated Israel’s adequacy status and its findings are due to be published later this year. Last week, we alerted to the risk that the reevaluation of Israel could lead to the revocation of Israel’s status for reasons similar to those explained in the European Court’s judgment invalidating the US-EU Privacy Shield program.
If Israel’s adequacy is rescinded, thousands of Israeli organizations that process personal data of EU data subjects generally will not be able to do so unless they adopt a mechanism called “Standard Contractual Clauses”, which also entail difficulties. Affected Israeli organizations may include, among others, financial institutions, pharmaceutical companies conducting clinical trials in the EU, service providers that provide services in the EU, providers of tourism services to visitors from the EU, universities and research institutions that collaborate with institutions in the EU, etc.
Downscaling the Compulsory Registration Regime
The new draft bill recognizes the limited public benefit of a compulsory database registration regime and that it bears little relevance given today’s technological reality and the ubiquitous nature of databases. Per the draft bill, “the experience gained at the Protection of Privacy Authority indicates that the existing registration regime is ineffective”.
However, the draft bill stops short of following in the footsteps of modern data protection legislation such as the GDPR and eliminating the duty to register. The draft bill’s explanatory notes mention the “importance of preserving a limited scope of the duty in a way that balances its certain advantages against the lighter regulatory burden achievable in its elimination. This balance is struck in the proposed arrangement, whereby the duty would apply only to databases that give rise to the greatest privacy risk”.
The draft bill, therefore, proposes to downscale the compulsory database registration regime so that it would only apply to databases that meet both of the following criteria:
- The database covers 100,000 data subjects or more; and
- One or more of the following apply:
  - The primary purpose of the database is the collection of data to be shared with others, as a matter of business, including direct marketing services;
  - The database includes information of particular sensitivity. “Information of particular sensitivity” overlaps with the types of data enumerated in the Protection of Privacy Regulations (Data Security), 2017 (unofficial translation, here) which render a database subject to the intermediate, rather than basic, level of required data security. These are data about a person’s intimate affairs; physical or mental health; genetic data; data concerning a person’s political opinions; geolocation and telecom meta-data; biometric data; data concerning a person’s racial or ethnic origin; information about a person’s assets, obligations or financial status; information about a person’s consumption habits; and other types of information so declared by the Minister of Justice;
  - The information was not provided to the database in question by the data subjects themselves, on their behalf or with their consent. Thus, if data subjects publicly post the information, such as on a social network, and that information is subsequently copied into a database, the database containing the copied data must be registered; or
  - The database’s controller is a public agency.
In 2007, a public commission chaired by the deputy Attorney General at that time, Joshua Shofman, recommended a more drastic downscaling of the compulsory database registration regime (the commission’s report, in Hebrew, is here). In 2012, the Ministry of Justice published a draft bill for this purpose (in Hebrew, here). What was true 13 years ago and then 8 years ago is not necessarily true today. Since then, many of the world’s modern laws eliminated any outstanding reference to a compulsory database registration regime. Israel now opts not to follow in those footsteps.
Notably, a database that was initially rolled out as one not required to be registered can evolve over time and rise to a level requiring its registration. The draft bill does not change the Israeli privacy regulator’s authority to decline to register a database or conditionally suspend its operation. The objective of the registration regime is to create an intersecting point between the controller and the regulator, to ensure the controller’s compliance with the law. Therefore, the regulator’s refusal to register a database can have a far-reaching impact on businesses that have already been operating for a while based on the information they have. In these circumstances, while the draft bill’s declared purpose is to downscale the registration regime – it actually amplifies the significance of registration for certain organizations.
Analogous to the GDPR
The draft bill also seeks to broaden the definition of “personal information”, which is the cornerstone of the registration regime. Presently, the Protection of Privacy Law enumerates a closed set of categories that comprise “personal information”. The draft bill seeks to amend that definition to a GDPR-analogous term: “data relating to an identified individual or to an individual that is directly or indirectly identifiable by using reasonable measures, including an ID number, biometric information, and any other uniquely identifying data”.
The definition of a “database” would also be amended, such that a collection of data covering names, addresses, and contact information would constitute a database subject to the law if additional information can be deduced from it. This amendment dovetails with the Protection of Privacy Authority’s position from 2018, which opined that a collection of email addresses constitutes a database.
In our mind, the proposed amendments for a new compulsory registration regime would result in too many types of databases becoming subject to registration, and would even expand the registration regime to databases not currently subject to registration.
This is not the only definition that the draft bill proposes to amend as a corollary to the GDPR. It also amends the definition of “database owner” so that it is akin to a “controller” under the GDPR. It would be defined as “whoever determines, alone or with others, the purposes of processing information in the database, or an entity authorized by law to own a database”.
The draft bill also proposes to discard the outdated definition of a database holder, so that it would capture not only a person receiving a copy of the database to process it on behalf of the database owner, but rather anyone who receives any access permission, even on a temporary basis, to use the database within the scope of services provided to the database owner.
Furthermore, the draft bill would also expand the definition of “processing” so that it is similar to the GDPR. The new definition would cover disclosure, transmission and dissemination, storage, review, organization, rectification, supplementation, retrieval and deletion of information.
The draft bill also seeks to reinforce the law’s prohibitions. It would proscribe maintaining or using a database “if the information contained therein was received, amassed, collected, or created in contravention of this law or any other law governing data processing”.
August 6, 2020, is the last day to submit public comments to the draft bill.
All modern organizations rely on processing information. The proposed amendments to the Protection of Privacy Law would significantly impact any company, organization, and agency in Israel. We recommend that all organizations be cognizant of the proposed amendments, and where needed, submit their comments to the Ministry of Justice. Public comments are of paramount importance so that the Ministry fully appraises the reality “on the ground” and the implications of its proposed amendments on economic activity. We are fully available to assist.