By: Adv. Assaf Kriel (L.L.B, M.B.A, C.I.A, IntArb)
AK & Co. (Israel)
The Israeli privacy protection landscape has undergone its most significant transformation since 1981 with the recent approval of Amendment 13 to the Privacy Protection Law by the Knesset on August 5, 2024. This comprehensive reform represents a pivotal shift in Israel's approach to data protection, bringing its regulatory framework more closely aligned with European Union standards while introducing substantial changes to enforcement mechanisms and organizational requirements. The amendment reflects the evolving nature of data protection challenges in the digital age and establishes a more robust framework for protecting individual privacy rights.
Enhanced Regulatory Framework and Enforcement Powers
The amendment significantly strengthens the Privacy Protection Authority's (PPA) position as a regulatory body, granting it unprecedented enforcement capabilities. The PPA now possesses extensive investigative powers, including the authority to conduct proactive audits, appoint inspectors, and utilize external experts. These inspectors are empowered to demand information, access premises under specific circumstances, and seize relevant materials when necessary. This expansion of authority represents a fundamental shift from the previous reactive approach to a more proactive regulatory stance.
The enforcement framework has been substantially enhanced through the introduction of significant financial sanctions. The PPA can now impose administrative fines calculated from criteria such as the type of violation, the scope of the breach, the number of affected data subjects, and whether the information involved is classified as "Specially Sensitive Information." Sanctions can reach millions of New Israeli Shekels, with the organization's size and annual turnover affecting the final amount. This tiered approach ensures proportionality while maintaining effective deterrence across organizations of different scales.
The amendment also introduces damages of up to 10,000 NIS that courts can award without proof of actual harm, particularly in cases involving violations of the purpose limitation principle or failures to fulfill data subject access rights. This provision creates an additional layer of accountability and gives individuals a practical remedy for privacy violations that would otherwise be difficult to quantify.
Modernized Definitions and Data Governance Principles
The amendment introduces updated definitions that better reflect contemporary technological realities and align with international privacy standards. The term "personal data" has been expanded to encompass any information relating to an identified or identifiable person, including indirect identifiers such as location data and online identifiers. This broader definition acknowledges the increasing sophistication of data collection and processing technologies.
The concept of "Specially Sensitive Information" has been significantly expanded to include biometric data, genetic information, and categories specific to Israel such as professional evaluations and salary data. This classification recognizes the heightened privacy implications of certain data types and imposes additional protection requirements. The amendment also introduces the concepts of "Database Controller" and "Holder," aligning more closely with the GDPR's controller and processor definitions, thereby facilitating international data transfers and compliance programs.
Organizations processing personal data must now adhere to comprehensive disclosure requirements that emphasize transparency and informed consent. When obtaining consent, controllers must provide data subjects with detailed information about the processing of their personal data, including:
- The legal basis for data collection
- Specific purposes for which the information will be used
- The controller's identity and contact details
- Potential third-party transfers and recipient identities
- Consequences of refusing to provide information
- Data subjects' rights, including access and rectification
The amendment reinforces the purpose limitation principle, prohibiting the processing of personal data for purposes beyond those legally defined within the database's objectives. This strengthened principle ensures that data processing remains aligned with the original purposes communicated to data subjects and prevents mission creep in data usage.
Data Protection Officer Requirements and Responsibilities
A significant new obligation introduced by the amendment is the requirement for certain organizations to appoint a Data Protection Officer (DPO). This requirement applies to:
1. Public bodies (excluding certain security entities)
2. Data brokers handling information of more than 10,000 individuals
3. Organizations conducting regular and systematic monitoring of individuals on a large scale
4. Entities processing Specially Sensitive Information on a large scale, such as healthcare providers and financial institutions
The DPO must possess thorough knowledge of privacy law, an understanding of the relevant technology, and familiarity with the organization's operations. Independence is secured through a direct reporting line to senior management and through safeguards against conflicts of interest. The position can be filled by an external contractor, giving organizations the flexibility to engage specialized privacy professionals.
The DPO's responsibilities encompass a broad range of privacy governance functions, including:
- Advising management and employees on privacy compliance
- Developing and implementing privacy training programs
- Monitoring compliance with legal requirements
- Ensuring proper documentation of privacy practices
- Managing data subject rights requests
- Serving as the primary contact point with regulatory authorities
Registration Requirements and Implementation Framework
The amendment substantially reduces the administrative burden of database registration while maintaining oversight of high-risk processing activities. Registration is now mandatory only for public bodies and for data brokers handling information of more than 10,000 individuals. Separately, controllers processing Specially Sensitive Information of 100,000 or more data subjects must notify the PPA and submit specified documentation, including their database definitions form.
A notable innovation is the introduction of a pre-ruling procedure, allowing organizations to seek advance guidance from the PPA regarding their compliance with legal requirements. This mechanism promotes regulatory dialogue and enables organizations to address potential compliance issues proactively. The PPA must provide its opinion within 60 days, and these opinions may be published (with the applicant's consent) to provide guidance to the broader business community.
Transition Period and Extended Liability Framework
The law provides a transition period, with the amendments taking effect on August 6, 2025. This timeline allows organizations to implement necessary changes to their data protection practices and establish required compliance mechanisms. The statute of limitations for civil claims under the law has been extended from two years to seven years, reflecting the long-term nature of privacy violations and their potential impacts.
The criminal offenses chapter has been updated to focus on intentionally deceptive behaviors towards the PPA or fraudulent obtaining of information from data subjects. This revision emphasizes the serious nature of privacy violations while maintaining proportionality in enforcement.
Practical Implications for Businesses
Organizations operating in Israel must undertake several key steps to ensure compliance with the amended law:
1. Data Mapping and Classification: Companies need to review their data processing activities to identify instances of Specially Sensitive Information processing and assess whether they meet the thresholds for DPO appointment or notification requirements.
2. Policy and Procedure Updates: Organizations must review and update their privacy policies, consent mechanisms, and internal procedures to align with the enhanced disclosure requirements and purpose limitation principles.
3. Compliance Programs: Businesses should establish comprehensive privacy compliance programs that include regular training, monitoring, and documentation of privacy practices.
4. Risk Assessment: Organizations should conduct privacy risk assessments to identify potential compliance gaps and implement appropriate mitigation measures, particularly in light of the increased financial sanctions.
Conclusion
Amendment 13 to Israel's Privacy Protection Law represents a significant modernization of the country's data protection framework, bringing it closer to international standards while maintaining unique elements that reflect Israel's specific privacy concerns. The enhanced enforcement powers, coupled with substantial financial sanctions, underscore the importance of proper data protection measures in the modern digital economy.
Organizations must carefully evaluate their current practices and implement necessary changes to ensure compliance with these enhanced requirements. The introduction of the DPO requirement and pre-ruling procedure provides organizations with new tools to manage their privacy compliance effectively, while the reduced registration requirements help streamline administrative obligations.
As privacy concerns continue to evolve with technological advancement, this amendment positions Israel's privacy framework to address current and emerging challenges in data protection effectively. Organizations that proactively adapt to these new requirements will be better positioned to manage privacy risks and maintain trust with their stakeholders.