Amendment 13 to the Israeli Privacy Protection Law


July 22, 2024
Yesterday, the Israeli Knesset’s Constitution, Law and Justice Committee approved Amendment 13 to the Israeli Privacy Protection Law, 1981 (hereinafter, respectively: the “Law” or the “Privacy Protection Law”, and the “Amendment”), and the Amendment is now being prepared for the second and third readings in the Knesset plenum, after which it is expected to become law. We note that until its approval in the Committee, the Amendment was mistakenly referred to as Amendment 14.
Once the Amendment is approved by the Knesset plenum, it will constitute one of the most significant changes made to the Privacy Protection Law since its enactment. The Amendment includes, among other things, the alteration of various terms in the Law with the aim of aligning them with similar terms used in data protection regulations worldwide, an expansion of the obligation to appoint a data security officer, a significant reduction in the requirement to register databases – alongside a new obligation to notify the Privacy Protection Authority (the “Authority”, or “PPA”) with respect to certain databases, the establishment of a new obligation to appoint a data protection officer in certain cases, the introduction of new provisions on obtaining the PPA’s preliminary opinion on database compliance with the Law and more.
Additionally, the Amendment includes a significant expansion of the enforcement powers and tools available to the PPA and the courts, with the aim of creating effective enforcement mechanisms and deterrence against non-compliance with the Law. This expansion includes, among other things, financial sanctions that, in certain circumstances, may reach millions of NIS, some of which may be imposed even without an opportunity to remedy the violation.
The Amendment represents a significant step in strengthening privacy protection in Israel, particularly in the online realm, and aligning Israeli privacy protection laws with international regulations, particularly the European Union’s General Data Protection Regulation (GDPR).
It is important to emphasize that the Amendment is expected to come into effect one year from the date of its official publication, to allow the private sector sufficient time to study and prepare for the new provisions and obligations included in the Amendment. We note that during the interim period between the approval of the Amendment and its entry into force, the obligations imposed by the existing version of the Law will continue to apply. For example, database owners who are currently required to register their databases with the Database Registrar will continue to be subject to this obligation, even if, according to the Amendment, they will no longer be required to register their databases after the Amendment comes into effect.

Please find below a brief overview of the main changes included in the Amendment:

Definitions
As part of the Amendment, various definitions in the Law will be updated, among other things to align them with the digital age and with the standards set by similar regulations worldwide, particularly the GDPR. Some notable changes:
Personal Information: Under the current version of the Law, “information” (which is protected under the Law) is defined as data on the personality, personal status, intimate affairs, state of health, economic status, vocational qualifications, opinions and beliefs of a person. The Amendment changes the term to “personal information” and significantly broadens this definition to include “any data related to an identified or identifiable person, including those who can be identified with reasonable effort, directly or indirectly, including through an identifier such as name, ID number, biometric identifier, location data, online identifier, or one or more data elements relating to his/her physical, health, economic, social, or cultural status.”
Particularly Sensitive Information: The current version of the Law defines “sensitive information” relatively narrowly, as data with respect to a person’s personality, intimate affairs, state of health, economic status, opinions and beliefs. The Amendment changes the term to “Particularly Sensitive Information” and expands its definition to a closed list which, with certain exceptions, contains the types of information listed in the second appendix to the Privacy Protection Regulations (Data Security), 2017 (the “Data Security Regulations”) (including genetic and biometric information), as well as additional types of information, such as personality assessments made by a professional who, as a profession, expresses opinions about a person’s personality, and data about a person’s location that may indicate Particularly Sensitive Information of other types included in the definition of that term. Regarding information about a person’s assets and economic status, the definition of ‘Particularly Sensitive Information’ has been narrowed compared to the list in the second appendix to the Data Security Regulations, referring only to personal data on a person’s salary and financial activity.
Use/Processing of Information: The current version of the Law defines the “use” of information vaguely, to include “disclosure, transfer, and delivery” of information. The Amendment clarifies and expands the term “Processing/Use” of ‘Personal Information’ as “any action performed on personal information, including receiving it, collecting it, storing it, copying it, viewing it, disclosing it, exposing it, transferring it, delivering it, or providing access to it.”
Database Owner: The current version of the Law does not explicitly define the term “Database Owner”, even though the term is used in the Law. The Amendment changes the term “Database Owner” to “Controller of a Database” and defines it as “a person who alone or with another determines the purposes of data processing in the database, or a body or officeholder thereof authorized by law to process data in a database.” This definition is similar to the term ‘Controller’ in the GDPR, although, unlike the GDPR definition, a controller of a database is not required to determine the means of data processing; that element has caused some difficulty in interpreting and implementing the GDPR and was therefore left out of the definition adopted by the Amendment.
Database Holder: The current version of the Law defines the ‘Database Holder’ as “one who permanently holds a database and is permitted to use it.” Over the years, many interpretive questions have arisen regarding this term and its applicability. The Amendment provides a new, clear, and expanded definition similar to the term ‘Processor’ in the GDPR: “an external entity to the controller of a database, processing data on its behalf.” However, it should be noted that the Amendment did not change the term “external entity” used in the Data Security Regulations, leaving an open question as to whether there is a substantive difference between the terms. We assume this will be addressed in future amendments to the Law and/or the Data Security Regulations.
Database Manager: While the current version of the Law defines “database manager” as “an active manager of a body that owns or possesses a database or a person whom the aforesaid manager authorized for this purpose”, the Amendment redefines the database manager as “the controller of a database, and regarding a public body as defined in Section 23 – the general manager of such body which controls or holds a database or whoever the general manager authorized to manage the database.” Thus, for databases of private entities, the obligation to appoint a database manager will be abolished when the Amendment enters into effect.
Database Registration Requirement
According to the current version of the Law, specific categories of databases require registration with the Israeli Database Registrar (including those containing sensitive information, those used for direct marketing services, and public body databases). The Amendment significantly narrows this archaic requirement (which does not exist in the GDPR), leaving it only for public bodies (except for a public entity’s database containing only personal data about its employees) and entities managing a database whose primary purpose is collecting personal data for transferring it to another as a business model or for consideration, including direct mailing services (“Data Brokers”), provided the database contains personal data on more than 10,000 people.
However, alongside narrowing the registration requirement, the Amendment establishes a new obligation to notify the PPA about the existence of databases that are not required to be registered, but contain Particularly Sensitive Information (see the definition above) about more than 100,000 people. The notification must include the identity of the controller of the database, its address and contact details, the identity of the privacy protection officer (if required to be appointed), and the database definition document (which shall be prepared according to the Data Security Regulations).
It should be noted that owners of currently registered databases which will no longer be required to be registered when the Amendment takes effect must request in advance that the PPA delete the database from the register, to avoid remaining subject to the obligations imposed by its registration.
Expanded Disclosure Requirements 
In addition to the information required to be provided to a data subject when requesting personal information for processing it in a database (i.e., whether the person has a legal obligation to provide the information, or if providing the information is voluntary and subject to their consent, the purpose for which the information is requested, to whom the information will be disclosed, and the purpose of the disclosure), the Amendment requires informing the data subject also about the following: the result of not providing consent for processing the personal information (if providing the information is voluntary and subject to the data subject’s consent), the name of the controller of the database and its contact details, and the existence of the rights of access and rectification of personal information granted to the data subject under the Law.
Obligation to Appoint a Privacy Protection Officer
The Amendment establishes a new obligation to appoint a ‘Privacy Protection Officer’, which will apply to:
  1. Controllers of databases who are public bodies (excluding security bodies).
  2. Controllers of databases whose primary purpose is collecting personal information for transferring it to another as a business model or for consideration, including direct mailing services (“Data Brokers”), provided that the database includes personal information of more than 10,000 people.
  3. Controllers of databases or database holders whose main activities involve, or are associated with, data processing activities which by their nature, scope, or purposes require regular and systematic monitoring of individuals, including systematic tracking or observation of a person’s behavior, location, or activities on a significant scale.
  4. A controller of a database or a database holder whose main activity includes processing Particularly Sensitive Information ‘on a significant scale’, including banks, insurance companies, hospitals and HMOs.
The Amendment clarifies that ‘processing data on a significant scale’ should be interpreted considering, among other things, the number of people whose data is processed, their proportion in a specific population, the scope of the data, its quantity, the range of types of data processed, the duration and frequency of processing activities, the retention period of the data and the geographical area of the processing activities. Although the PPA has previously issued guidelines on the voluntary appointment of a ‘Privacy Protection Officer’, we anticipate that it will issue further guidelines and clarifications regarding the terms mentioned above to create clarity for the entities that are subject to this obligation.
It is also noted that the Amendment specifies that the Privacy Protection Officer does not need to be an employee of the entity in which he/she will fulfil his/her role, but must have the knowledge and skills required to perform the role properly. Additionally, the Amendment states that the officer will act to ensure the compliance of the controller of the database or the database holder with the Law, and to promote privacy and data security in the databases. Given the anticipated difficulty for private entities in fulfilling this obligation, no monetary sanction will be imposed on companies required to appoint a Privacy Protection Officer under items 3 and 4 above (until the Minister of Justice cancels the deferred applicability by order, with the approval of the Constitution, Law and Justice Committee).
Enhanced Enforcement Tools for Violations of the Privacy Protection Law and Data Security Regulations
The current version of the Law granted the PPA limited enforcement powers, including the ability to impose monetary sanctions that do not meet international standards. Specifically, the current Law did not grant the PPA the power to impose monetary sanctions for violations of the Data Security Regulations, posing an obstacle to their effective implementation and enforcement. The Amendment seeks to address this by establishing extensive powers for effective enforcement of the Law and the Data Security Regulations, granting the Privacy Protection Authority new and stricter enforcement powers.
Examples of Changes in Enforcement Tools Introduced by the Amendment:
  1. Supervisory Powers and Administrative Inquiries:
    • The Amendment grants the Authority extensive supervisory powers over compliance with various provisions of the Law, as well as the power to initiate administrative inquiries where there is reasonable ground to believe that certain provisions of the Law have been violated.
  2. Cease and Desist Orders:
    • The Amendment grants the head of the Authority the power to order controllers of databases or database holders whose actions amount to a violation of certain provisions detailed in the Amendment, to cease the infringing activity.
  3. Financial Sanctions:
    • The Amendment grants the Authority the power to impose financial sanctions for violations of various provisions in the Law (e.g., regarding the registration obligation, exercising data subjects’ rights, requesting personal data for processing without providing the required notice, violating the purpose limitation principle) and the Data Security Regulations.
    • The amount of sanctions may reach millions of NIS under certain circumstances, including cumulative violations of different provisions of the Law. For databases subject to a high security level and containing information about over a million people, the head of the Authority may impose a doubled financial penalty (up to 640,000 NIS per violation of various provisions).
    • Some financial sanctions will be determined by multiplying a fixed sanction amount, detailed in the Amendment, by the number of individuals affected by the violation or whose personal information is in the database, as applicable.
  4. Reduction of Financial Sanctions:
    • The Amendment includes a mechanism for reducing the amount of sanctions based on various factors, including the behavior of the violator (e.g., if the violator ceased the violation on their initiative and reported it to the PPA or took actions to prevent recurrence of the violation and minimize damage), as well as consideration of the violator’s business turnover.
  5. Two-Stage Mechanism for Certain Violations:
    • For certain violations, the Amendment introduces a “two-stage” mechanism, allowing the head of the PPA to notify the violator that their actions constitute a violation and give them an opportunity to rectify it before imposing a financial sanction if the violation is not corrected.
  6. Publication of Sanctions:
    • The Amendment grants the head of the PPA the power to publish on the Authority’s website the imposition of a financial sanction and additional relevant details (e.g., the nature of the violation, the date and circumstances of the violation, the amount of the financial sanction imposed, and details about the violator relevant to the matter), after giving the violator an opportunity to present their arguments. The Amendment specifies that the name of a corporate violator will not be published if the head of the PPA is convinced that the violation is minor in the circumstances, unless the publication is necessary to warn the public whose personal data is in the database.
  7. Judicial Orders for Data Processing Violations:
    • If the head of the Privacy Protection Authority has reasonable grounds to believe that a database is violating or is about to violate certain provisions of the Law, the Amendment grants the head of the Authority the power to request that the Administrative Court issue a judicial order to the controller of the database or the database holder to cease the data processing activities causing or likely to cause the violation, or an order to delete the personal data in the database entirely.
  8. Updated List of Criminal Offenses:
    • The Amendment updates the list of criminal offenses stipulated in the Law, which now include, among other things, processing personal data from a database without authorization from the controller of the database and requesting personal data for processing in a database by providing incorrect information with the intent to mislead about the provision of personal data.
  9. Compensation Without Proof of Damage:
    • The Law allows for a lawsuit to claim compensation of up to 10,000 NIS without proof of damage, from a controller of a database or a database holder, for certain violations, including processing personal data without registering the database (if registration is required), requesting personal data for processing without providing the required notice, and violating various obligations concerning the right to review, correct, or delete personal data, all according to the conditions detailed in the Amendment.
Future Outlook
The Amendment is a welcome development. The current version of the Privacy Protection Law is outdated and not aligned with public needs, international standards, or technological advancements. However, key issues remain unaddressed in this Amendment, and the Amendment is expected to affect the implementation of regulations enacted under the Law which were not updated in the current Amendment. For example, the Amendment will significantly change certain definitions used in the Data Security Regulations (e.g., concerning the types of sensitive data and the determination of the level of data security applicable to a database). Therefore, future amendments to the Data Security Regulations are anticipated to align them with the Law.
Additionally, despite the numerous and significant changes included in the Amendment, the work is not complete. Amendment No. 14 to the Law, which we hope will be advanced in the near future, is expected to include further significant steps, bringing Israeli privacy protection laws another step closer to international regulation, including the GDPR. Among other things, the next amendment is expected to regulate and expand additional legal bases for data processing beyond consent (e.g., processing data for legitimate interest or research purposes) and to expand the rights of data subjects.
The content in this communication is provided for informational purposes only and is not intended to be comprehensive. It does not serve to replace professional legal advice required on a case-by-case basis.