New Israeli Privacy Protection Authority Guidelines on the Role of the Board of Directors

September 12, 2024

Last week, the Privacy Protection Authority (the “Authority”) issued new guidelines (the “Guidelines”) regarding the role of boards of directors in fulfilling corporate obligations under the Privacy Protection Regulations (Data Security)-2017 (the “Regulations”) and the Privacy Protection Law-1981 (the “Law”).

In general, the published Guidelines are similar in essence to the draft published for public comments last year. However, we note that in the Guidelines, the Authority clarified certain provisions to reflect that the board of directors’ responsibility is supervisory and managerial in nature, rather than executive.

It should also be noted that although it is not explicitly mentioned in the Guidelines, the Authority indicated on its website that organizations whose board of directors does not fulfill the supervisory obligations or designated tasks detailed in the Guidelines may be in violation of the Law and the Regulations, and may be subject to sanctions under the Law, including those set forth in the recently enacted Amendment 13 to the Law, which will come into effect in August 2025 (the “Amendment”). Please note that the Amendment will grant the Authority, among other things, the power to impose significant financial penalties, including for violations of the Regulations. Therefore, we recommend that our clients ensure compliance not only with the Law and Regulations but also with these Guidelines and any other relevant guidelines published by the Authority. For the avoidance of doubt, the head of the Authority emphasized that the Guidelines take immediate effect and that the Authority expects to examine compliance with the Guidelines as part of its ongoing supervisory actions.

Notwithstanding, it is important to note that the Authority will not impose financial penalties directly on directors for non-compliance with the provisions of the Guidelines, although, in such cases, directors may be exposed to claims for negligence and breach of their duty of care.


Below is a summary of key issues included in the Guidelines:

The Authority’s position is that in organizations where processing of personal data is at the core of the organization’s activities (as opposed to processing that is only incidental to its core activities), or where there is a likelihood that its activities will pose an increased risk to privacy, the board of directors has a duty to supervise the organization’s compliance with the Law and Regulations, in accordance with the principles outlined in the Guidelines.

The Guidelines indicate that organizations whose activities are likely to create an increased privacy risk will be defined as such based on the relevant circumstances, including the characteristics of the organization (such as organizations engaged in data trading), the type and sensitivity of the personal data undergoing processing (such as the types of information listed in Item 1 of the First Schedule to the Regulations, “information with special sensitivity” as defined in the Amendment, or information about sensitive populations such as minors), and/or the scope of the data processed or the number of users authorized to access it.

The Authority’s position left broad room for interpretation regarding the nature of organizations subject to these Guidelines, which, in our opinion, may lead to a broad application of the Guidelines. Therefore, it is recommended to seek specific legal advice based on each organization’s characteristics and its personal data processing activities regarding the applicability of the Guidelines. We anticipate that, over time, further interpretations and common practices will provide additional clarity on this matter.

According to the Guidelines, and taking into account each organization’s specific characteristics, it is the responsibility of the board of directors to ensure the development, adoption, and implementation of a policy regarding how the organization will meet the requirements of the Law and Regulations, including the obligation to immediately notify the Authority of security incidents. The policy should address, among other things, how personal data is used and managed in the organization, and define effective supervisory, control, and compliance processes. The board must also ensure that the policy is implemented in the organization’s procedures and determine who in the organization is responsible for its implementation. The board will be responsible for ongoing supervision, receiving updates, and reporting on compliance with the requirements of the Regulations by those responsible within the organization. The Authority emphasizes that adopting an effective internal enforcement program is one way the board of directors can fulfill its supervisory obligation, as outlined above.

Additionally, in the Authority’s view, certain supervisory requirements imposed by the Regulations, as outlined in the Guidelines and below, fall under the responsibility of the organization’s board of directors. This position is based on a purposive interpretation of the Law and Regulations, taking into account corporate governance principles and the customary division of responsibilities between the organs of the corporation under Israeli Corporate Law, as well as U.S. Corporate Law rulings, which have seemingly begun to influence Israeli court rulings.

Without derogating from the general obligations of the board, as outlined in the Guidelines and above, the Authority’s position is that the board of directors of organizations subject to these Guidelines must, as appropriate, fulfill the following obligations:

  • Reviewing and deliberating the database definitions document before its finalization;
  • Deliberating the key principles of the organizational data security procedure before its approval and finalization;
  • Deliberating the results of risk assessments and penetration tests, including the actions required to correct the identified deficiencies;
  • Holding quarterly or annual discussions, depending on the applicable databases’ security level according to the Regulations, on the security incidents that occurred in the organization; and
  • Deliberating the results of the periodic audit regarding compliance with the Regulations, which, as stated in the Regulations, must be conducted every two years.

It should be clarified that in appropriate cases, considering, among other things, the level of privacy risk involved in the organization’s activities, its size, and the composition of the board, the board of directors may decide to assign these tasks to another party in the organization, subject to supervision of their proper execution. In such cases, and in accordance with the provisions of the Regulations, the board must ensure that reasonable documentation is maintained regarding the reasons for this decision and the manner in which the other required actions are performed under the Regulations.


The Guidelines clarify that they do not absolve or reduce the responsibility imposed on the company’s CEO, management, or any other party authorized to perform the obligations under the Regulations, whether by the company’s bylaws or by law.

The content in this communication is provided for informational purposes only and is not intended to be comprehensive. It does not serve to replace professional legal advice required on a case-by-case basis.