A substantial increase in enforcement powers

Published by the Israeli Government on 5 January 2022, the Protection of Privacy Bill (Amendment No. 14), 2022 (Bill No. 14)¹ ('Bill No. 14') presents material changes to the Protection of Privacy Law, 1981² ('PPL'). Bill No. 14 is comprised of two previously proposed bills and includes new additions on a number of topics.

At the core of Bill No. 14 is a substantial enhancement of the Protection of Privacy Authority's ('PPA') supervision and enforcement powers. Under Bill No. 14, the PPA will have the authority to impose fines of up to ILS 3,200,000 (approx. €875,280) and additionally ILS 64,000 (approx. €17,510) per day for continuous or repetitive violations, alongside police-like investigatory powers.

Privacy supervisors in security and enforcement agencies

Under Bill No. 14, the police, the secret services, and other law enforcement and intelligence agencies, will need to appoint internal privacy supervisors. The supervisors will be in charge of inspecting the agency's privacy-related procedures and policies, handle complaints, train personnel, implement an annual privacy protection plan, and prepare compliance reports for both the head of the agency and the PPA.

This chapter in Bill No. 14 was not part of the previous two bills that were merged into Bill No. 14. Presumably, it was added to strengthen Israel's position in the ongoing discussions with the EU on maintaining the 2011 adequacy recognition of the EU Commission in Israeli privacy laws.

Reduction of the obligation to register databases

Under Bill No. 14, fewer organisations will be under a duty to register their databases with the Databases Registrar, which is currently part of the PPA, while replacing some of the registration obligations with a notification requirement.

According to Bill No. 14, the registration obligation will depend on the scope of records in the database and the sensitivity of the data, as follows:

• every database with records on more than 100,000 data subjects will still need to be registered if the data was not collected from the data subjects, if the database is owned by a public entity, or if the database is operated by a data broker;
• every database owner with sensitive records on more than 500,000 data subjects will need to register the database; and
• database owners holding sensitive data on between 100,000 and 500,000 data subjects that are not subject to the duty to register the database will still need to submit a notification to the PPA with details as prescribed under the law.

The aim of this amendment is to considerably reduce the bureaucratic registration procedures, while maintaining the registration obligations of a small number of entities which will provide the PPA with better oversight of large sensitive databases. However, the current bill sets out thresholds that are presumably too low, thereby requiring registration from too many organisations.

More lawful grounds and data subject rights

The Justice Department, which authored Bill No. 14, has indicated that Bill No. 15, though not yet introduced, will include proposed amendments to material aspects of the law, such as data subjects' rights and the lawful grounds of processing.

However, on 31 January 2022, the chairman of the Constitution Law and Justice Committee in the Knesset ('the Israeli Parliament'), Gilad Kariv, introduced a private, non-governmental bill to amend the PPL ('the Kariv Private Bill'). Titled 'Strengthening and Protecting the Right to Privacy, 2022'³, the Kariv Private Bill focuses on provisions similar to those contained in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), including a proposal to reshape data subjects' rights under the law, by including the following rights:

• a right to withdraw consent;
• an enhanced right of access;
• a right to object to processing;
• a right to receive an explanation of automated decisions;
• an enhanced right of rectification; and
• a right to delete data ('the right to be forgotten').

The Kariv Private Bill further proposes that a data controller may ask for up to ILS 30 (approx. €8.20) in consideration for implementing a request to exercise a data subject right. This provision will undoubtably be subject to substantial scrutiny.

Privacy class actions

On 20 January, 2022, the Israeli Government passed resolution 1010⁴, to support a non-governmental bill authored by the Israeli Parliament Member Michal Rozin. The bill titled: 'Class Actions Bill (Amendment – Class Action for Violation of Privacy), 2021'⁵ explicitly adds a violation of privacy to the list of causes of action under the Class Actions Law, 2006. According to the resolution, this bill will be added to a governmental bill addressing this subject.

The Kariv Private Bill also aims to establish privacy violations as a cause of action under the Class Actions Law, 2006.

Currently, class actions for privacy and cybersecurity violations are filed with causes of action based on other laws, such as the Consumer Protection Act, 1981. The two bills are aimed at clarifying that the law explicitly permits class actions for violations of the PPL, thereby providing a greater incentive to file such claims.

A new head of the regulator with an enforcement agenda

On 14 November 2021, the Government appointed Adv. Gilad Smama to be the new director of the PPA. Previously, Adv. Smama held managerial positions in the public sector. While lacking professional knowledge in privacy protection, Adv. Smama has considerable knowledge in running governmental activities, with a substantial emphasis on enforcement. If given the proposed powers under Bill No. 14 , Adv. Smama will likely lead the PPA in utilising these powers.

New guidelines on DPOs

Oddly enough, neither the PPL, nor any of the three proposed bills to amend it, require the appointment of a data protection officer ('DPO'). Conversely, on 25 January 2022, the PPA has published new finalised guidelines⁶ with a recommendation to appoint a DPO. The guidelines set forth recommendations and requirements, and they are accompanied by a training kit⁷.

The PPA indicates that appointing a DPO is a crucial element for an organisation's privacy compliance efforts and it is specifically recommended for large organisations and when the core activities encompass the processing of personal data, or if the processing of personal data is done on a large scale.

The DPO role includes similar, however not identical, duties to those under the GDPR, including drafting the organisation's privacy policy, implementing the Privacy by Design and by Default concepts, overseeing the privacy procedures and policies, conducting impact assessments, ensuring the implementation of an information security risk assessment, handling complaints, preparing annual compliance plans, submitting annual reports to the management, training personnel, and serving as the organisation's point of liaison with the PPA.

The guidelines further recommend that the DPO will be involved with all substantial personal data processing matters from the early stages of each project, that the DPO will have sufficient skills and training, that the organisation will equip the DPO with sufficient resources and authority, that the DPO will be professionally independent, and that the DPO will not assume conflicting positions.

Dan Or-Hof Founder
[email protected]
Or-Hof Law, Tel Aviv