New Data Protection Rules in Israel
This blog was originally posted on 21st August, 2024. Further regulatory developments may have occurred after publication.
AUTHORED BY ANI NOZADZE, SENIOR REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS
Introduction
On 14 August 2024, Amendment No. 13 to the Israeli Privacy Protection Law of 1981 (the “Law”) was published in Rashumot, the official gazette. The amendments, which will enter into force on 14 August 2025, introduce a number of important updates to the Law, aligning Israeli privacy legislation with advanced privacy laws, especially the EU General Data Protection Regulation (GDPR).
Some of the key changes introduced by the amendments are outlined below.
Updated Terms and Definitions
The amendments make changes to key terms in the Law. These include the following:
- The term “data” has been replaced with the broader term “personal data,” which is defined as any information relating to an identified or identifiable individual. An “identifiable individual” is one who can be identified with reasonable effort, directly or indirectly, including through an identifier such as a name, ID number, biometric identifier, location data, online identifier, or one or more factors specific to the individual’s physical, health, economic, social, or cultural identity.
- The term “sensitive data” has been replaced with “special categories of data,” which now includes additional categories, such as genetic data, biometric data, criminal history, personality assessments, location services, and traffic data.
- The term “database owner” has been replaced with “data controller,” aligning more closely with the GDPR’s concept of “controller,” defined as the entity that alone or jointly with others determines the purposes and means of processing data in the database or an entity legally authorized to process data in a database.
- The definition of “processor” has been expanded to include any external party to the data controller who processes data on its behalf, aligning more closely with the GDPR’s definition of “processor.”
- “Processing” or “use” of data now includes any action involving personal data, such as transfer, access, disclosure, provision, or granting access to personal data.
Scaled Down Registration Requirement
The amendments remove the obligation to register databases in the public registry for most organizations. In addition to public agencies, the formal registration requirement now only applies to those entities whose primary purpose is to collect personal data for transferring to others as a business or in exchange for payment, including direct marketing services, where the database contains personal information of more than 10,000 individuals.
Data controllers that are not required to register databases but process sensitive data relating to more than 100,000 people will now be required to notify the Privacy Protection Authority of their identity, contact details, etc.
Databases which are registered in the registry at the time of the amendments’ commencement will remain registered unless the data controller notifies the Authority that it is no longer subject to the registration requirement.
Obligation to Appoint a Data Protection Officer
As part of the amendment, certain entities have the obligation to appoint a Data Protection Officer (“DPO”), whose role will be to ensure that organizations comply with the Law as well as to promote protection of personal data. Among the entities required to appoint DPOs are:
- Data controllers whose primary purpose is collecting personal data for transferring to others, where the database contains personal data about more than 10,000 individuals;
- Data controllers or processors whose main activities involve processing personal data or are associated with such activities, which, due to their nature, scope, or purpose, require ongoing and systematic monitoring of individuals, including tracking or systematic surveillance of an individual’s behaviour, location, or actions on a significant scale (e.g., location tracking or online search service providers whose main activity involves such tracking);
- Data controllers or processors processing particularly sensitive data on a significant scale;
- Public bodies; etc.
Expanded Powers of the Privacy Protection Authority
The amendment significantly expands the powers of the Privacy Protection Authority, transforming it into a robust regulator with the authority to oversee and enforce compliance among both private and public entities. This includes investigative powers, the authority to order the cessation of unlawful data processing, administrative inquiries, and the imposition of various administrative enforcement measures, including financial penalties.
The amendments authorize the Head of the Privacy Protection Authority to impose substantial administrative financial penalties for violations of the law. The penalties will be based on various criteria, including the types of violations, number of violations, number of data subjects in the database, whether the data is of a sensitive nature, etc. Penalties may be imposed on both the data controller and the processor who violated the Law. Potential reductions are envisaged for small or micro-businesses (based on annual turnover).
The amendment also formally establishes the Authority’s power to conduct broad audits (proactive inspections) and utilize external experts.
Preliminary Opinions
As part of the amendment, personal data controllers and processors, as well as those who plan to become a controller or processor, have the right to request a preliminary opinion from the Privacy Protection Authority regarding the database’s compliance with the Law or its provisions concerning data processing. The Authority is required to provide its opinion within 60 days from the date of the request or the date of submission of the relevant documents, whichever is later.