Final Version of Privacy Protection Law Amendment Published

We are pleased to inform you that the final draft of Amendment 13 to the Israeli Privacy Protection Law, 1981 (previously referred to as “Amendment 14”) was published on July 24, 2024. The amendment has undergone extensive discussion and revisions within the Law, Constitution, and Justice Committee and was presented yesterday to the Knesset for a vote in the second and third readings. It is anticipated that the amendment will pass without significant issues or objections.

The proposed amendment has been discussed for over a decade in the Knesset, in committees, and in various forums, and represents the most significant update to the law since its original enactment in 1981. The changes brought by the amendment can be broadly divided into two categories: (1) Changes aimed at aligning Israeli privacy protection legislation with modern, globally accepted standards (e.g., GDPR), including the removal and updating of outdated obligations and definitions; and (2) Changes aimed at strengthening and expanding the powers of the Privacy Protection Authority and establishing various enforcement tools.

Key Changes to Definitions:

The amendment includes changes to various definitions in the law. Some of these changes are technical and linguistic in nature, primarily aimed at achieving consistency between Israeli regulation and global standards (e.g., the definitions of “data owner” and “data holder” have been largely adjusted to align with GDPR corresponding definitions of “Controller” and “Processor”). On the other hand, some changes are substantive and have direct implications for the obligations under the law. Notably, the proposed change to the definitions of “personal data” and “special categories of personal data” is significant:

• Personal data – Prior to the amendment, the definition of “Personal data” in Israeli law mainly referred to private and personal data by nature. The amendment significantly expands this definition and aligns it with GDPR provisions – any information that allows for the identification of an individual directly or indirectly is considered Personal data, including online and digital identifiers. One immediate consequence of this change will be in relation to the obligations for informing and/or obtaining consent for the collection of digital identifiers on websites (e.g., cookies).
• Special Categories of Personal Data – Instead of the previous definition of “Sensitive Information,” which almost entirely overlapped with the definition of “regular” Personal Data, the amendment defines “Special Categories of Personal Data”, similarly to the categories recognized by GDPR, including, medical information, information about political opinions, information about a person’s national origin, sexual orientation, biometric information, and more. In line with the modern risk-based approach, the requirement to handle this data with heightened caution is reflected in the classification of “Levels of Data Security,” which affects both the required security measures and the fines that can be imposed for violations related to such data.

Significant Reduction in the Obligation to Register Databases:

As expected, the amendment significantly reduces the archaic obligation to register databases with the database registrar. The registration requirement will now apply only to: (a) databases whose primary purpose is sharing or selling such data to third-parties for business purposes (e.g., direct emailing services), which contains personal data about more than 10,000 individuals; and (b) databases maintained by public bodies, excluding databases related solely to the public body’s employees.

Additionally, there is a notification requirement to the authority regarding a database that is not required to be registered but containing special categories of personal data about more than 100,000 individuals. Although this is not a registration requirement, this notification obligation ensures that the Privacy Protection Authority remains informed and maintains oversight over significant databases in the market, presumably to focus its enforcement actions accordingly.

It is important to emphasize that the amendment explicitly states it does not automatically cancel the registration of databases that were registered in the past but are no longer required to be registered. To cancel the registration of such databases, request must be submitted to the authority (At Amit Pollak Matalon & Co., we have done this recently to assist clients cancel registrations in cases where a database was registered despite the fact that there was no registration requirement).

Requirement to Appoint a Data Protection Officer:

Similar to the existing requirement for appointing an Information Security Officer and following the authority’s previous recommendation regarding the appointment of a Data Protection Officer (DPO), the amendment introduces a new obligation to appoint a Data Protection Officer, which aligns with the GDPR. According to the amendment, the requirement generally applies to:

• Data controllers or data holders whose primary business involves processing operations that require ongoing and systematic monitoring of individuals, including tracking them on a large scale.
• Data controllers or data holders whose primary business involves processing special categories of personal data on a large scale, such as banks, insurance companies, hospitals, and health funds.
• Data controllers who are public bodies or hold such a database.
• Data controllers whose database is used for selling or sharing of personal data, including direct mailing services, containing information about more than 10,000 individuals.

The amendment also specifies that “large scale” processing will be determined based on several factors including the number of individuals whose data is processed, their proportion in a certain population, the extent and type of data processed, the duration and frequency of processing operations, the duration of data retention, and the geographical scope of processing operations. It is clear that a thorough evaluation and careful consideration of the organization’s characteristics and activities are necessary to determine if the obligation applies. Additionally, maintaining documentation of the reasoning and conclusions to avoid fines and penalties for incorrect assessments.

The amendment also addresses the required qualifications for a Data Protection Officer – the officer must have knowledge and training in privacy law, technological and information security understanding, and familiarity with the organization’s activities. The officer may be employed directly or outsourced. The officer must not hold another position that could create a conflict of interest with their role as a Data Protection Officer. Similar to the Information Security Officer, the Data Protection Officer is required to report directly to the CEO or senior management.

The duties of the Data Protection Officer are broadly defined and subject to interpretation. It is anticipated that over time, publications by the Privacy Protection Authority, enforcement decisions, and market practices will help clarifying the precise scope of this role. The amendment explicitly includes the following duties:

• Ensuring compliance with the law by the data controller or data holder and promoting the protection of privacy and data security in these databases.
• Serving as a professional authority and knowledge hub in the field, advising the management of the data controller and employees on privacy protection matters, and ensuring the existence of an organizational training program on the topic.
• Preparing a plan for ongoing monitoring of compliance with the law, ensuring its implementation, and addressing the findings arising from it.
• Ensuring the existence of security procedures and documentation of the database as required by regulations.
• Examining complaints and inquiries about the processing of personal data and ensuring that they are handled according to the law.
• Acting as a contact point with the Privacy Protection Authority, responsible for reporting and communication with the authority regarding violations or concerns related to personal data processing.

The contact details of the Data Protection Officer must be made publicly available “in an accessible and simple manner”.

Preliminary Opinion Mechanism:

The amendment establishes a new mechanism for requesting preliminary opinions from the Privacy Protection Authority. This mechanism aims to provide organizations with clarity on privacy-related issues, including the development of new products and technologies or new uses of personal data. According to the amendment, the head of the authority will set detailed procedures to be published on the authority’s website regarding how to submit a request for a preliminary opinion. There are specific instances where a preliminary opinion will not be provided, such as requests involving academic or theoretical questions, requests made in bad faith, or requests related to ongoing enforcement procedures. The authority may publish the opinions with the requester’s consent; if consent is not granted, the authority may publish the opinion without including any identifying details.

Strengthening the Authority’s Powers and Enhancing Enforcement:

The amendment is set to significantly strengthen the powers of the Privacy Protection Authority, providing numerous tools for oversight, enforcement, and penalties, both by the authority itself and through private civil enforcement remedies.

First of all, the amendment provides for the possibility of awarding damages for various violations under certain conditions – courts can award damages up to 10,000 NIS per individual without proof of actual damage, for example in cases of non-registration, failure to notify about data collection, or denial of access or correction rights. It will be interesting to see how this authority will integrate with the new and explicit possibility of filing class actions for breaches of the Privacy Protection Law, as provided in the recent Class Actions Law (Amendment No. 16), 2024 (principally, this authority was already expanded in the Supreme Court’s rulings recognizing the possibility of filing class actions for Privacy Protection Law violations where the cause of action is between a consumer and a business, an insurer and an insured, etc.; see Civil Appeal 4110/18 Plaintiff v. Kadima).

Moreover, the amendment establishes, expands, and details the authority’s enforcement powers, including those currently under Section 10 of the Law. These powers include the head of the authority’s authority to appoint investigators and inspectors and grant them various powers under the law, including access to computer materials and copying information, as well as conducting administrative enforcement actions and performing criminal investigations. Additionally, if violations or deficiencies are found, the head of the authority may order the termination of related processing activities and take administrative measures against the offending body. The amendment will allow the Privacy Protection authority to impose significant fines on the offending body for various violations, such as breaches of specific obligations in the Information Security Regulations and the recent regulations dealing with information originating from the European Union.

The amendment also institutionalizes and regulates the authority’s power to establish a broad oversight program for certain bodies and to utilize external parties for oversight activities, clarifying and expanding their powers, as well as regulating the authority’s power to require the submission

Effective Date:

The amendment is expected to come into effect about a year from the official publication date. Assuming that the Knesset approves the amendment in the current session, it is expected to take effect around August 2025. It is important to note that during the discussions in the Constitution, Law and Justice Committee preceding the legislative process, the authority repeatedly emphasized its intention to use its enforcement powers, including the ability to impose fines and monetary penalties, immediately after the law takes effect. Therefore, we recommend preparing accordingly and making the necessary adjustments in advance.

In addition, while the importance and significance of this amendment cannot be overstated, the final version of the amendment still does not provide a level of protection to data subjects comparable to that offered by the GDPR. Many significant issues remain outside the amendment, including two major ones: (a) the expansion of data subjects’ rights (such as a clear and explicit right to erasure, data portability, withdrawal of consent, etc.); and (b) the establishment of additional legal bases beyond consent within a closed and exhaustive list. We expect that these issues will continue to be discussed in future amendments (such as Amendment 16 published in the past).

At Amit Pollak Matalon & Co., we provide our clients with comprehensive services in the field of privacy and information security, including the appointment of an outsourced Data Protection Officer, consulting and training, handling registration and/or removal of databases, conducting periodic audits, assisting in implementing enforcement plans and tailored processes, and preparing organizations to comply with the law’s requirements. We would be happy to assist with any questions you may have.

APM Technology and Regulation Team.

This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding.