Updated Israeli Privacy Law Takes Effect With Grace Period for DPO Hiring
Legislation significantly revamping Israel's data protection law took effect Thursday, but the country's privacy watchdog said it will delay enforcement of one of its provisions until October.
Amendment 13 to the Protection of Privacy Law updates statutory requirements but also broadens the enforcement powers of Israel's Protection of Privacy Authority (PPA), "signaling a decisive shift toward proactive governance and regulatory assertiveness," Dan Or-Hof, a cybersecurity and data protection lawyer, wrote in a Wednesday analysis for IAPP.
The reform signals the country's intent to align with global privacy standards while charting a path that combines European adequacy with a strong focus on cybersecurity, Or-Hof added.
Under the revised law, the PPA can impose fines as well as issue administrative orders and cease-and-desist directives, Or-Hof noted. Fines could reach millions of shekels, with multipliers for large-scale databases or sensitive data processing.
Companies could also face civil litigation, with statutory damages of up to 100,000 shekels ($29,500) without needing to prove harm, he wrote. Courts will be able to order deletion of illegally obtained data or bar further processing.
In addition, the PPA now has authority to conduct administrative inquiries, appoint inspectors and issue binding orders, Or-Hof said. It may publish enforcement actions, including the names of violators, and escalate cases to criminal prosecution. Its directives and guidelines will be treated as de facto law, with non-compliance subject to penalties.
One major change under the law is the requirement for every public body and many entities in the private sector to appoint a data protection officer (DPO), Or-Hof noted.
On Monday, the PPA announced that it "does not intend to initiate enforcement actions" until Oct. 31, giving organizations time to comply with the new DPO requirement. In public bodies, DPOs must be appointed through the applicable appointment processes, and some entities are having practical difficulties completing those processes by Aug. 14. The PPA warned, however, that by then, "all necessary actions must be taken to complete the appointment processes and fill the position."
Amendment 13 also mandates that entities provide clear, accessible information about data collection, processing purposes and recipients, with specific disclosure requirements for processing sensitive data, particularly when biometrics or AI systems are involved, Or-Hof wrote.
Consent must be informed, freely given and, in most cases, explicit, particularly for sensitive data and direct marketing, said Or-Hof.
The law requires that data controllers notify the PPA of a database that holds sensitive information on more than 100,000 people and submit a database definitions document, a statutory equivalent to the EU General Data Protection Regulation's records of processing activities, Or-Hof said.
The database definitions document "is the foundation of the Privacy Protection Law," Barnea Jaffa Lande & Co. attorneys wrote Wednesday. Organizations must examine and map data processing activities under their control, document them and review the documentation annually.
"We estimate these documents will become one of the central enforcement focuses" of the PPA, the firm said.
The PPA "offers a preliminary opinion mechanism, allowing entities to seek regulatory guidance before launching new data initiatives," the firm added. This will boost transparency and reduce regulatory uncertainty, it said.
Or-Hof noted that the PPA intends to regulate AI systems that process personal data. Organizations must assess the impact of automated decision-making, ensure transparency and safeguard against bias and discrimination, he said. "These requirements echo global trends and reflect Israel's cautious yet proactive stance on AI governance."
Another new provision is the requirement for entities holding large sensitive databases to conduct risk assessments and penetration tests every 19 months, Or-Hof said. They must then document their findings, update security procedures and report serious incidents to the PPA.
"Compliance is no longer optional," Or-Hof wrote. He urged organizations to conduct gap analyses, update privacy notices and appoint qualified, independent DPOs. They should review their consent mechanisms and put in place robust security controls, he added.