Navigating Israel’s Data Protection Landscape:Key Compliance Insights for Businesses

As global concerns for privacy and data protection continue to rise, Israel's data protection laws are becoming increasingly relevant for businesses operating within or in connection with Israel. This article will delve into Israel's data protection framework, focusing on essential requirements, recent amendments, and the unique aspects that distinguish Israeli data privacy legislation from other major frameworks like the GDPR.

By reading this article, business owners and data managers will gain practical insights into Israel’s Privacy Protection Law, crucial amendments, and compliance strategies to secure data and avoid potential penalties.

What is Israel's Privacy Protection Law?

Israel's Privacy Protection Law (PPL) is the primary legislation governing data protection and privacy in Israel. Originally enacted in 1981, the PPL establishes guidelines for the collection, use, and safeguarding of personal data to protect individuals' privacy rights. Over the years, it has been amended to address evolving technological and data-driven challenges, aligning its standards more closely with global privacy frameworks like the GDPR.

The PPL applies to a broad range of organizations, including both public and private entities that handle personal data about Israeli citizens. Its provisions cover various aspects of data protection, such as data security, data subject rights, and the responsibilities of organizations in ensuring compliance. This law requires businesses to implement adequate measures to protect personal data from unauthorized access, use, or disclosure, emphasizing the importance of data security in maintaining trust with individuals.

The scope of the PPL extends to organizations operating within Israel and, in some cases, to foreign entities processing data related to Israeli citizens. Non-compliance can result in significant penalties, including fines and enforcement actions by Israel’s Privacy Protection Authority, which oversees adherence to data protection regulations in the country.

Key Definitions Under Israeli Data Protection Law

The Israeli Privacy Protection Law includes several critical definitions that form the foundation of data protection practices within Israel. Understanding these terms is essential for organizations aiming to comply with the law’s requirements.

• Personal Data: Also referred to as "Information," this includes data related to a person’s personality, personal status, intimate affairs, health, economic situation, professional qualifications, opinions, and beliefs.
• Processing: Known as the "Use of Information," this encompasses actions such as disclosure, transfer, and delivery of personal data.
• Controller: Although not explicitly defined in Israeli privacy law, the term "Database Owner" serves as an equivalent, describing the entity that owns the database(s).
• Processor: Not directly defined in Israeli privacy law, but referred to as "Database Holder," meaning an entity that permanently possesses and is authorized to use the database.
• Data Subject: The individual whose personal data is contained within the database.
• Sensitive Personal Data: Known as "Sensitive Information," this includes data on a person's personality, intimate affairs, health, economic situation, opinions, and beliefs. Additionally, information deemed sensitive by the Minister of Justice, with the approval of the Constitution, Law, and Justice Committee of the Knesset, falls under this category (though no further determinations have been made to date).
• Data Breach: Referred to as a "Security Incident," indicating any event that raises concern about a breach in data integrity, unauthorized access, or unauthorized deviation in the use of information.
• Database: Defined as a collection of information maintained electronically for computerized processing. Exclusions apply to collections for personal use without business purposes or collections that contain only names, addresses, and contact details, provided these do not infringe on privacy rights and the owner or controlling entity does not hold any additional collections.
• Severe Security Incident: An incident involving unauthorized access or harm to the integrity of information in a database with high-security levels, or unauthorized use or damage to a significant portion of information in a database with medium security levels.

Does the PPL Apply to Your Foreign Business?

If your business operates outside Israel, you may be wondering if Israel’s Privacy Protection Law (PPL) affects you. The law itself doesn’t clearly define whether it applies to businesses established abroad. This leaves room for two possible interpretations:

1. Primarily Domestic Application: The PPL primarily governs actions within Israel, meaning its requirements would typically apply to entities physically established in Israel.
2. Potential Reach to Foreign Businesses: However, the PPL could also extend to foreign businesses that process personal data of Israeli citizens. This means if your company processes information about Israeli individuals—even if you're based outside Israel—you may still be subject to the law. Similarly, if you have any presence or establishment in Israel, compliance with the PPL may be necessary.

Given the ambiguity, if your business collects or processes data from Israeli citizens, it’s wise to consider aligning with the PPL’s requirements to stay on the safe side.

Are Certain Business Activities Exempt?

In terms of material scope, the PPL only carves out household or personal activities from its requirements. This means that any business-related data processing is likely covered by the law. Whether you’re processing personal data for marketing, customer management, or other operations, your activities will generally fall under the PPL’s scope, and compliance is essential to avoid potential regulatory issues.

What Are the Key Principles for Processing Personal Data?

• Transparency - Your business is responsible for keeping individuals informed about the collection and use of their personal data. They have the right to know how their information is being used.
• Lawful Basis for Processing - Ensure that your data collection is legitimate. This means either obtaining the individual’s consent or justifying it through legal authorisation, public duty, or the vital interests of the data subject.
• Purpose Limitation - Collect and use personal information solely for specific purposes, as registered in your database records with the Israeli Registrar of Databases.
• Data Minimisation - Only gather data necessary to achieve your intended purpose. Regularly, at least annually, review the information you hold to confirm it aligns with your needs and isn’t excessive.
• Proportionality - Keep your data collection and processing proportional to your purpose. Avoid excessive data processing that goes beyond what is necessary for your specific objectives.
• Retention - Review the information stored in your databases yearly to ensure you’re not holding unnecessary data. When the purpose for processing data is complete, securely dispose of or delete it.
• Accuracy - Although not explicitly stated, accuracy is implied through data subject rights, such as the right to access and correct their data. Keep data accurate and, where needed, up to date.
• Accountability - As a data handler, your business must demonstrate compliance with all data processing principles. Maintain internal documentation, appoint necessary privacy roles (such as security commissioners or database managers), conduct periodic audits, and establish internal procedures for data processing activities.

The Israeli privacy guidelines also suggest implementing GDPR-originated practices like Data Protection Impact Assessments (DPIAs) and appointing a privacy protection officer.

Do You Need to Appoint a Data Protection Officer in Israel?

As a business owner, it's essential to understand whether you're required to appoint a Data Protection Officer (DPO) under Israeli law. The recent Amendment No. 13 to the Israeli Privacy Protection Law has introduced specific criteria for this obligation:

1. Public Entities: If your organization functions as a public body, such as a government ministry, municipality, university, or health maintenance organization, you are mandated to appoint a DPO.
2. Data Brokers: If your business involves collecting personal data on more than 10,000 individuals with the primary purpose of disclosing it to third parties for business purposes or monetary gain, including direct mailing services, you must appoint a DPO.
3. Entities Engaged in Large-Scale Monitoring: If your core activities involve regular and systematic monitoring of individuals on a large scale—such as tracking behavior, location, or actions—you are required to have a DPO. This includes telecommunications providers and online search engines.
4. Processors of Highly Sensitive Data: If your main activities involve processing especially sensitive data on a large scale, including medical data, genetic information, or biometric identifiers, you are obligated to appoint a DPO. This category encompasses banks, insurance companies, hospitals, and health maintenance organizations.

It's important to note that "especially sensitive data" is broadly defined and includes various types of personal information, such as medical records, sexual orientation, genetic data, biometric identifiers, criminal records, and personality assessments.

If your business falls into any of these categories, you must appoint a DPO to ensure compliance with Israeli data protection regulations. The DPO's role includes overseeing data protection strategies, ensuring compliance with legal requirements, and serving as a point of contact between your organization and regulatory authorities.

For businesses not meeting these specific criteria, appointing a DPO is not mandatory. However, implementing robust data protection practices remains essential to safeguard personal information and maintain customer trust.

Key Requirements for Data Security in Israel

It's crucial to understand the data security requirements that apply when handling personal data of Israeli citizens or conducting business within Israel. The Israeli Privacy Protection (Data Security) Regulations outline specific obligations:

1. Applicability: These regulations apply to both private and public sector entities that process personal data related to Israeli citizens, regardless of the entity's location. This means that even if your business is based outside Israel, if you handle data of Israeli individuals, you are subject to these regulations.
2. Data Classification: You must assess and classify your databases based on factors such as the sensitivity of the data, the number of data subjects, and the number of individuals with access rights. Databases are categorized into four risk levels: high, medium, basic, and those controlled by individuals with limited access. The level of risk determines the specific security measures required.
3. Security Measures: Implement appropriate technical and organizational measures to protect personal data. This includes access controls, encryption, regular security assessments, and monitoring systems to detect and respond to security incidents. The specific measures depend on the classified risk level of your database.
4. Documentation: Prepare and maintain essential documents, including a "database definition document," security procedures, and a data breach policy. These documents should detail your data processing activities and the security measures in place.
5. Third-Party Management: Conduct due diligence when engaging third-party service providers who process personal data on your behalf. Ensure they adhere to data security standards and include specific data protection clauses in your contracts with them.
6. Employee Training: Regularly train your staff on data protection principles and security practices to ensure they understand their responsibilities in safeguarding personal information.
7. Incident Response: Establish procedures for detecting, managing, and reporting data breaches. In the event of a severe security incident, you are required to notify the Privacy Protection Authority (PPA) immediately and may need to inform affected individuals as directed by the PPA.
8. Regular Audits: Conduct periodic audits and assessments of your data security measures to ensure ongoing compliance and to identify areas for improvement.

How Does Israel’s Data Protection Law Address Consent?

It's essential to understand how Israel's data protection law addresses consent in the processing of personal data. The Protection of Privacy Law, 5741-1981 (PPL), emphasizes the importance of obtaining informed consent from individuals before collecting or using their personal information.

Informed Consent Requirement

When requesting personal data, you must inform individuals about:

• Whether providing the data is mandatory or voluntary.
• The specific purpose for which the data is being collected.
• To whom the data will be disclosed and for what purposes.

Additional Transparency Obligations

Recent amendments to the PPL have expanded transparency obligations. Now, you are also required to inform individuals about:

• The consequences of refusing to provide the requested data.
• The identity and contact details of the data controller.
• The individual's rights to access and correct their personal data.

These additions aim to enhance individuals' understanding of their rights and the implications of data collection.

Exceptions to Consent

While consent is a primary basis for data processing, the PPL allows for certain exceptions where personal data can be processed without explicit consent. These exceptions include situations where:

• The processing is necessary to fulfill a legal obligation.
• The processing is essential for safeguarding the vital interests of the data subject.
• The processing is required for the performance of a contract to which the data subject is a party.

Implications for Your Business

To comply with Israel's data protection law regarding consent, you should:

• Implement clear and comprehensive privacy notices that cover all required information.
• Ensure that consent is obtained in a manner that is free, specific, informed, and unambiguous.
• Maintain records of consent to demonstrate compliance.
• Regularly review and update consent mechanisms to align with any legal developments.

Rights of Data Subjects Under Israel’s Data Protection Law

Data subjects have certain rights concerning their personal data in Israel. This section explains data subjects’ rights to access, correct, or delete their personal data, as well as their right to data portability and refusing to provide the data in certain cases.

These rights ensure that individuals have control over their personal data and impose specific obligations on organizations that process such information.

Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data. When collecting data, you must provide clear information regarding:

• Whether providing the data is mandatory or voluntary.
• The specific purpose for which the data is being collected.
• To whom the data will be disclosed and for what purposes.

This transparency ensures that individuals are aware of how their data will be used and can make informed decisions.

Right of Access

Individuals are entitled to access their personal data held by your organization. Upon request, you must provide them with a copy of their data and details about its processing. Exceptions may apply if disclosing the information could:

• Harm the individual's physical or mental health.
• Breach legal privilege.
• Affect ongoing investigations or law enforcement activities.

Right to Rectification

If individuals identify inaccuracies or incomplete information in their personal data, they have the right to request corrections. You are obligated to amend the data accordingly to ensure its accuracy.

Right to Deletion

While the PPL does not explicitly provide a "right to be forgotten," individuals can request the deletion of their personal data in certain circumstances, such as:

• When the data is used for direct mailing purposes.
• If the data is found to be incorrect.

It's important to assess each deletion request carefully to determine its validity under the law.

Right to Object to Processing

Individuals may object to the processing of their personal data, particularly for purposes like direct marketing. Upon receiving such an objection, you must cease processing the data for that specific purpose.

Right to Restrict Processing

In certain situations, individuals can request that you limit the processing of their personal data. This may occur when:

• The accuracy of the data is contested.
• The processing is unlawful, and the individual opposes deletion.
• The data is no longer needed, but the individual requires it for legal claims.

Right to Data Portability

The PPL does not explicitly include a right to data portability. However, best practices suggest that facilitating data transfer in a structured, commonly used, and machine-readable format can enhance transparency and trust.

Right to Lodge a Complaint

Individuals who believe their data protection rights have been violated can file a complaint with the Privacy Protection Authority (PPA). The PPA has the authority to investigate complaints and enforce compliance with the PPL.

Data Transfer Regulations: Can Personal Data be Transferred Outside Israel?

Transferring personal data from Israel to another country is generally prohibited unless the destination country ensures a level of data protection equal to or exceeding that of Israeli law. This means you must assess the data protection framework of the recipient country before proceeding with the transfer.

Exceptions Allowing Data Transfer

Despite the general prohibition, the regulations provide specific exceptions under which data transfer is permissible:

1. Adequate Protection by Recipient: If the recipient country offers adequate data protection, similar to Israeli standards, transfers are allowed. For instance, the European Commission has recognized Israel's data protection regime as adequate, facilitating data transfers from the EU to Israel.
2. Data Subject's Consent: Obtaining explicit consent from the individual whose data is being transferred permits the transfer, provided the individual is fully informed about the destination and purpose of the transfer.
3. Contractual Obligations: If the data transfer is necessary to fulfill a contract between the data subject and your business, or to implement pre-contractual measures taken at the data subject's request, the transfer is permissible.
4. Public Interest or Legal Claims: Transfers required for important public interests or for the establishment, exercise, or defense of legal claims are allowed.
5. Protection of Vital Interests: If the transfer is necessary to protect the vital interests of the data subject, such as in life-threatening situations, it is permitted.
6. Recipient's Undertaking: The data can be transferred if the recipient abroad undertakes to comply with Israeli data protection standards, with necessary adjustments. This requires a formal agreement ensuring the recipient adheres to the same level of data protection as mandated by Israeli law.

Obligations for Data Controllers

Before transferring data abroad, you must:

• Due Diligence: Assess the data protection laws and practices of the recipient country to ensure they provide adequate protection.
• Written Agreements: Establish contractual agreements with the foreign recipient, obligating them to uphold data protection standards equivalent to those in Israel.
• Data Subject Notification: Inform individuals about the transfer, including details of the destination country and the purpose of the transfer.

Onward Transfers

If the foreign recipient intends to transfer the data to another third party, they must obtain written consent from the original data controller in Israel. This ensures continuous protection of the data throughout its transfer chain.

Enforcement and Penalties for Non-Compliance with Israeli Privacy Laws

The law allows the Privacy Protection Authority (PPA) to enforce significant fines to ensure compliance, with the severity based on the nature of the violation.

The PPA can impose fines of up to NIS 3.2 million (approximately USD 1 million) for severe non-compliance. The fine amount varies based on the level of infringement, with higher penalties for repeated or intentional violations.

If non-compliance continues after an initial penalty is issued, daily fines can accrue, compounding the financial burden. This is designed to encourage rapid compliance with PPA requirements.

In addition to fines, the PPA may publicly disclose details of the penalties imposed on your business. This transparency measure can impact your business reputation, leading to potential financial losses beyond the fine itself.

Amendment 13 to Israel’s Privacy Protection Law: What You Need to Know

Amendment 13, enacted in 2018, introduced significant updates to Israel’s Privacy Protection Law (PPL), enhancing data security and regulatory oversight to align more closely with global standards like the GDPR. This amendment aimed to strengthen the protection of personal data and ensure that organizations uphold high standards for data privacy. Below are the core aspects of Amendment 13 that businesses handling personal data in Israel should understand.

Enhanced Data Security Requirements

One of the central changes in Amendment 13 involves stringent data security requirements. Under this amendment, organizations are required to implement robust security measures to protect personal data against unauthorized access, use, and breaches. The amendment specifies security protocols, such as data encryption, access control, and regular security audits. Companies are obligated to assess and classify their data based on sensitivity levels, with specific security measures required for each classification. Non-compliance with these data security regulations could lead to significant financial and reputational damage.

Appointment of a Data Protection Officer (DPO)

Amendment 13 includes a provision for appointing a Data Protection Officer (DPO) in organizations that handle a substantial amount of personal data or sensitive information. Although not all businesses are required to appoint a DPO, those managing large-scale data processing or high-risk information should consider it. The DPO is responsible for overseeing compliance with privacy protection regulations, conducting risk assessments, and ensuring that the company’s data processing activities comply with Amendment 13 and the broader PPL. This role mirrors the DPO requirements found in the GDPR, reflecting Israel's commitment to adopting international data protection standards.

Expanded Enforcement Powers for the Privacy Protection Authority

Amendment 13 grants the Privacy Protection Authority (PPA) in Israel broader enforcement powers to monitor and ensure compliance. The PPA is now authorized to conduct routine audits, investigate data breaches, and impose administrative fines on organizations that violate data protection laws. This expanded authority allows the PPA to play a more proactive role in safeguarding data security, giving it the means to act swiftly against breaches and non-compliance. Businesses operating in Israel must be prepared for potential audits and ensure that their data protection practices align with the PPL's requirements.

Data Transfer Regulations

Amendment 13 also introduces specific guidelines regarding the transfer of personal data outside of Israel. Organizations transferring data abroad must ensure that the receiving country offers an adequate level of protectionfor personal information. This requires companies to establish data transfer agreements that meet Israel’s data protection standards. The goal is to prevent data from being exposed to lower protection standards in foreign jurisdictions, safeguarding Israeli citizens’ personal information even when it is processed internationally.

Compliance and Penalties for Non-Compliance

With Amendment 13 in effect, compliance with Israel’s Privacy Protection Law is more crucial than ever. Companies that fail to adhere to these new regulations may face administrative fines, sanctions, and other legal repercussions. The amendment empowers the PPA to impose penalties on organizations that do not comply with data protection laws, especially those involving serious security incidents or data breaches. To avoid such penalties, businesses must regularly review and update their data protection policies, implement secure data handling practices, and ensure that their personnel are aware of and trained in these practices.

How Can Businesses Ensure Compliance with Israel’s Data Protection Law?

To comply with Israel’s Privacy Protection Law, start by appointing a Data Protection Officer (DPO) if required, and classify data based on sensitivity to ensure appropriate security.

Provide transparent privacy notices and obtain clear, informed consent for data collection. Adopt data minimization practices, keeping only what’s necessary, and maintain detailed records of all data processing activities.

Regular audits and employee training reinforce compliance, while a data breach response plan ensures you're prepared for potential incidents. Lastly, review third-party contracts to confirm they meet data protection standards.

For a simple, actionable guide to help you get compliant, check out our free compliance checklist tool.

How Can Secure Privacy Help With Compliance?

Secure Privacy offers a comprehensive solution to simplify your compliance with Israel’s Privacy Protection Law. With features designed to streamline data protection, Secure Privacy CMP helps you manage consent forms, automate data classification, and monitor third-party data processing. Our platform includes a compliance checklist tool to ensure your business meets all legal requirements, from record-keeping to data breach preparedness.

Let Secure Privacy support you in building trust with customers and avoiding costly penalties - schedule a demo today to get started.