Israel: Proposed bills to amend the Israeli Protection of Privacy Law
2022 may be a turning point for Israeli privacy regulation. Substantial enforcement powers, including the authority to impose severe fines, are at the heart of a bill that the Israeli government and parliament are advancing. If enacted, the bill will reshape risk considerations when doing business in Israel. Dan Or-Hof, Founder of Or-Hof Law, provides an overview of the landscape of Israel's privacy legislation and a discussion of the potential legal reforms.
Advancing the Bill is a Top Priority
On November 7, the Minister of Justice, Mr. Gideon Saar, recorded an achievement after convincing the government to support what is now seen as Mr. Saar’s privacy reform. The ministerial committee for legislation has approved moving forward with two proposed amendments to the Protection of Privacy Law, 5741-1981[1] ('PPL') that together comprise the current reform:
- The first is a bill to enhance the Privacy Protection Authority's ('PPA') enforcement powers. The PPA will be able to impose fines that can reach more than €2 million. This is the third time the bill has been introduced, after two unsuccessful attempts in 2012 and 2018.
- The second is a bill to considerably reduce the obligation to register databases and to update terms and definitions in the law. This bill was first introduced in 2020 and was not advanced until now.
The legislative process requires the bills to undergo public hearings before the Constitution, Law and Justice Committee ('Constitutional Committee') of the Israeli Parliament ('Knesset').
On November 8, in advance of these hearings and in light of a gradual increase in the volume of cyber-attacks, the Constitutional Committee invited representatives of the government and the private market to a hearing to discuss issues that need to be addressed to promote the protection of privacy in Israel.
In the course of that hearing, the chairman of the Constitutional Committee, MK Gilad Kariv, declared a 'state of emergency' for privacy protection in Israel, and further noted that advancing the modernisation of privacy laws will be a top priority of the committee during 2022.
Background in a Nutshell
The right to privacy in Israel is a protected fundamental right under Article 7 of the Basic Law: Human Dignity and Liberty 5752-1992[2]. The PPL forms a comprehensive piece of legislation dedicated to regulating privacy and data protection issues, in the public and the private sectors. The PPL was amended several times. However, it lacks modern principles such as impact assessments, privacy by design and modern data subject rights.
Regulations promulgated under the PPL address specific areas of compliance, for example, data security, trans-border data flow, and procedures for exercising the right of access. Additional laws govern specific types of data processing, such as credit reports, patients’ records, unsolicited communications, genetic data, and biometric IDs.
The PPA is the authority in charge of supervising and enforcing the provisions of the PPL. The PPA is very active in publishing guidelines and recommendations and has shared with the public its views on the need to implement 'GDPR-like' procedures and controls as a best practice. These recommendations include, inter alia, performing Data Protection Impact Assessments ('DPIAs'), planning and designing products in accordance with the data protection by design principle, and appointing data protection officers.
As a result, the current privacy regulatory landscape in Israel includes an outdated set of laws alongside modern guidelines by the local regulator.
Currently, there are no attempts to legislate a completely new privacy law. Rather, the Justice Department has taken an incremental approach: it proposes to continue using the current PPL as a basis and to amend it as needed.
Lack of Amendments to Substantial Provisions
The current reform does not include proposals to amend substantial provisions of the PPL. These include, for example:
- Enhancing the lawful grounds for processing personal data. The only current lawful ground under the PPL is consent;
- Enhancing privacy notice requirements. The current notice requirements under the PPL are very basic;
- Enhancing data subject rights. The current protected rights under the PPL include only the right of access and rectification; and
- Updating the data transfer rules, which were enacted in 2001 and are not well suited to current data-related activities.
These matters are planned for an additional bill which has not yet been introduced by the Ministry of Justice. Therefore, the reform will not be completed in the near future.
More Powers to the Cyber Authority
Israel faces a growing number of cyber-attacks. Alongside the attempt to update the PPL, the Israeli National Cyber Directorate ('INCD') has proposed to enact a law which will grant it enforcement powers that relate not only to critical infrastructure but also to private companies.
This attempt echoes several incidents that resulted from companies' disregard for alerts sent to them by the INCD about vulnerabilities in their systems.
As recent attacks have caused major data breaches, affecting substantial portions of the Israeli population, the INCD proposal may also be advanced as a bill during 2022.
Key Takeaways
Israeli privacy laws are undergoing a change that has started with a creative regulator who introduced GDPR-like concepts to the Israeli market. The change continues now with the current legislative reform.
As both the Minister of Justice and the chairman of the Constitutional Committee have expressed their commitment to updating the PPL, it is more likely than ever that the current bills will be enacted.
Dan Or-Hof, CIPP/E, CIPP/US, CIPM, FIP, Founder
Or-Hof Law, Tel Aviv
1. Unofficial English translation available at: https://www.gov.il/BlobFolder/legalinfo/legislation/en/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf
2. Available at: https://www.mfa.gov.il/mfa/mfa-archive/1992/pages/basic%20law-%20human%20dignity%20and%20liberty-.aspx