Today, the Knesset voted to approve the enactment of Amendment No. 13 to the Privacy Protection Law. The amendment (previously known as amendment no. 14), which will come into effect one year after its forthcoming publication in the official gazette, includes a series of comprehensive changes to Israel's outdated privacy law. This is the most comprehensive amendment to the law since 1996 when the law's chapter on data protection was enacted.
The amendment updates the definitions in the law to expand its scope; scales down the obsolete obligation to formally register databases; mandates that certain organizations appoint a privacy protection officer; grants extensive enforcement powers to the Privacy Protection Authority; and more. The amendment affects every organization in Israel that processes personal information. It could also have an indirect impact on non-Israeli organizations that receive personal data from Israel. This is the case if the non-Israeli organization's receipt of the data is based on the Israeli rule for cross-border transfer that binds the recipient to abide by the data protection rules that apply in Israel.
However, the amendment does not address fundamental elements found in modern data protection legislation. Missing topics include the expansion of the legal bases for data processing beyond informed consent, modern data subject rights (such as the right to be forgotten), codifying the data minimization principle, and more.
Updating the Definitions in the Law
The updated definitions in the law aim to modernize its provisions and align its definitions with those of the EU GDPR. Here are the key changes.
Personal Information. While the current law's definitions are limited to certain types of "information" such as data about a person's personality, personal status, health condition, or economic status, the amendment expands "personal information" to mean any "data related to an identified or identifiable person." An identifiable person is one who can be identified with reasonable effort, directly or indirectly, including through an identifying piece of data. The new definition also encompasses online identifiers (such as IP addresses and other technological identifiers), which modern legal systems have treated as personal information for over a decade.
Highly Sensitive Information. This replaces the current law's definition of "sensitive information" and is equivalent to the GDPR's Special Categories of Data. Types of personal information considered highly sensitive include genetic data, biometric data, criminal records, assessments of personality traits, and location and traffic data. These were not included in the existing law.
Data Processing. The amendment adds a modern and broad definition to the law, defining "processing" as any operation on information, including receipt, collection, storage, copying, review, disclosure, exposure, transfer, conveyance, or granting access.
Database Holder. The definition of a holder of a database is now an entity "external to the database owner that processes information for them". Due to the broad definition of "processing," various technological service providers, such as database maintenance providers, would be considered holders and subject to all the obligations the law imposes on holders, including data security.
Data Controller. The old term "database owner" is replaced by "data controller" of a database, which is essentially the entity that determines the purposes of processing personal information in the database. This echoes the term "controller" in the GDPR. The Database Registrar will be renamed the "Head of the Authority" for privacy protection.
Scaling Down the Obligation to Formally Register Databases
The current law includes an outdated obligation that no longer exists in modern privacy legislation: registering databases with the privacy regulator.
The amendment significantly scales down the current obligation to formally register databases. It requires that organizations register their database only if: (a) the main purpose of the database is to collect personal information to provide it to others as a business or in exchange for anything of value, and the database contains personal information on more than 100,000 people; or (b) the data controller in the database is a public agency (unless the database contains personal information only about the public agency's employees). The amendment is expected to reduce the registration burden for many businesses, which will generally no longer need to register databases of information about their "suppliers," "customers," "HR," or "security footage." However, databases that do not require registration must still comply with the law's limitations on collecting and using personal information, including securing the information in these databases.
Amid the scaled-down registration requirement, the amendment also includes a new reporting requirement to the Authority on databases containing "highly sensitive information" on more than 100,000 people. In these cases, the data controller must notify the Authority of the controller's identity, address, contact information, the identity of the privacy protection officer (if such an appointment is required, as mentioned below), and more.
Databases registered before the amendment comes into effect will continue to be registered even if, after the amendment, they are not required to be registered, unless the data controller notifies the Authority that the database is no longer subject to the registration requirement, in which case the Head of the Authority will delist the database from the registry.
Appointing a Privacy Protection Officer
Entities meeting certain criteria will be required to appoint a role not previously found in the law: a privacy protection officer (equivalent to the Data Protection Officer in the EU GDPR). The entities required to appoint a privacy officer are: public agencies (or entities holding databases of public agencies); those with a database whose main purpose is collecting personal information to provide to others as a business or in exchange for anything of value (provided the database contains personal information on more than 10,000 people); data controllers or holders of databases whose primary activities include regular and systematic monitoring of individuals, including tracking or systematically following a person's behavior, location, or actions on a large scale (such as telecommunications providers and online search service providers); and those whose main activities involve processing highly sensitive information on a large scale (including banking corporations, insurers, hospitals, and health maintenance organizations). These criteria are somewhat similar to those in the GDPR.
The privacy protection officer's role is to ensure that the data controller and the holders comply with the law's provisions and promote privacy protection and data security in the databases. The privacy protection officer does not have to be an employee of the organization.
The privacy protection officer will serve as a professional authority and knowledgeable focal point, advise the organization's management and employees, prepare training and continuous monitoring programs, supervise their implementation, report findings to the organization's management, and propose solutions to repair deficiencies. They are also responsible for handling data subject inquiries, ensuring the implementation of data security procedures and additional information security documents, serving as the contact person with the Privacy Protection Authority, and more. The officer must have the knowledge and skills to perform their duties appropriately, including in-depth knowledge of privacy protection laws, a proper understanding of technology and information security, and familiarity with the organization's fields of activity and objectives. These provisions are also similar to those in the GDPR.
Expanding the Enforcement Powers of the Privacy Protection Authority
The Privacy Protection Authority – the Israeli privacy regulator – has long complained about insufficient enforcement powers. The amendment includes a significant expansion of the Authority's enforcement powers. The amendment's provisions on this topic include:
- Financial penalties. The amendment authorizes increased financial penalties according to the number of data subjects in the database, the type of violation of the law's provisions, and the violating entity's financial turnover. In some cases, penalties can reach hundreds of thousands of ILS, and in other cases they are uncapped because the basic penalty figure is multiplied by the number of data subjects affected. Penalties are imposable for several types of violations, including processing personal information in a database without registering the database, violating the data subject's right to review and correct personal information, seeking a person's information without providing the required privacy notice, processing personal information for an unlawful purpose, and more.
- The Powers of the Head of the Authority. The Head of the Authority is authorized to issue administrative warnings and order that violations cease within the time frame they determine. These include cases of processing personal information for a purpose that violates privacy under Section 2 of the law, cases where the data controller or holder processes personal information in a database created, received, accumulated, or collected unlawfully, and more.
- The Authority's Investigative and Supervisory Powers. These include authorizing inspectors to investigate and conduct administrative inquiries into violations, compel any person to identify themselves and provide any information or document, enter the location where databases are situated or where they are used, seize any object believed to be connected to an offense, seek judicial orders, and more.
- Exclusion of Security Agencies. Security and defense agencies (such as the IDF, Israel Police, Israeli Security Agency, and the Israel Secret Intelligence Service) are excluded from the Authority's supervisory and investigative powers, and internal privacy inspectors will be appointed in these bodies.
Additional Amendments
Extending the statute of limitations. While the current law sets a two-year statute of limitations on civil claims, the amendment lifts this restriction. Therefore, the general statute of limitations, which is usually seven years, will apply.
Expanding the notification obligation. The amendment expands the notification obligation that applies to anyone seeking a person's personal information to be processed in a database. The notice will now need to include the data controller's name and contact information, a statement of the right to review the personal information and request its correction (according to Sections 13 and 14 of the law), and details on the consequences if the person declines to provide the personal information.
Exemplary damages. The amendment adds a new right to receive compensation without proof of damage of up to 10,000 ILS if a data controller or database holder violates certain provisions in the law, such as a data controller processing personal information without registering a database subject to registration, failure to notify of a data breach incident, and more.
Expansion of the Obligation to Appoint a Data Security Officer. The obligation to appoint a suitably qualified person to serve as the organization's data security officer will now apply not only to organizations that hold five (5) databases that require registration, but also to owners of five databases that require registration or that require notification to the Authority (in the case of databases containing highly sensitive information).
Preliminary Opinion. The amendment introduces a provision allowing the owner of a database, the holder of a database, or anyone about to become one to voluntarily approach the Privacy Protection Authority and request a preliminary opinion regarding compliance with the law's requirements or instructions on processing personal information in the database. Subject to certain exceptions, the Privacy Protection Authority will provide the preliminary opinion within 60 days.
Political Parties Exception. The amendment introduces limitations on the Privacy Protection Authority's enforcement powers during election periods. The Authority will have no enforcement or supervisory powers regarding databases of which political parties, or candidates in local authority elections, are the controllers. The powers subject to these limitations include entry to the locations where the databases are situated or where they are used, search warrants, and seizure of objects. The Authority can exercise these powers only with the approval of the Chairperson of the Central Election Committee. The Chairperson may not approve these measures if they have a material adverse impact on the candidate's ability to run their campaign, and the adverse impact outweighs the data protection risks and the harmful impact to the public interest that underlies the enforcement measure.