This week, the Knesset Constitution, Law, and Justice Committee approved an amendment to the Israeli Privacy Protection Law (PPL). The amendment proposes extensive changes to the PPL, including granting additional enforcement powers to the Privacy Protection Authority (PPA), imposing additional obligations on companies in the area of privacy protection and governance, and more. The approved amendment aligns the PPL with European data protection principles, with a focus on data processing, as opposed to the previous focus on the regulation of databases.

The committee first introduced the amendment at the beginning of 2022. It held over 20 discussions on the amendment, hearing from various relevant players.

1. Basic Terms and Definitions

The amendment changes several fundamental definitions of the PPL.

The proposed amendment defines “personal data” as information relating to an identified or identifiable individual with reasonable effort, either directly or indirectly.

Additionally, the proposed amendment includes a list of information types that will be considered “highly sensitive data,” such as data related to salary and financial activity, medical or genetic information, biometric data, information concerning opinions and beliefs, and more.

The proposed amendment further determines that “processing” shall encompass any action performed with personal data. Entities that control data processing activities will be referred to as “controllers,” and entities that process data on behalf of the controllers will be referred to as “processors.”

These definitions reflect a focus on the regulation and enforcement related to data processing activity. This enables putting a focus on individuals whose personal data is held by various entities, thereby expanding their rights concerning their data.

2. Expansion of Notice Obligations for Consent

The proposed amendment expands the obligations placed on companies seeking an individual’s consent for the collection of their personal data. According to the proposal, anyone requesting to obtain consent for data collection must provide the individual with a notice addressing the following: if the provision of data is required by law, the consequences of refusing to provide the data, the purpose for which the data is being collected, the name and details of the data controller, the entities to whom the data will be transferred to, and the individual’s right to access and rectify the data.

Any violation of these obligations may result in enforcement actions by the individual or the PPA. This expansion reflects the broader rights granted to the individuals concerned.

3. Softening the Database Registration Requirement

Under the current PPL statute, any owner of a database containing information about more than 10,000 individuals, sensitive data, data not directly provided by the individuals, a public entity’s database, or a database used for direct marketing services must register the database. In practice, this means that most databases held by companies operating on the Israeli market must be registered under the PPL.

As part of the aforementioned trend, the proposed amendment seeks to significantly ease database registration requirements. According to the proposal, the obligation to register a database will apply only to controllers and processors managing a database for the purpose of transferring information to others as a business practice or for compensation (for example, for direct marketing purposes), a database containing information about more than 10,000 individuals, or a public entity’s database.

Additionally, the controller of a database holding highly sensitive data concerning more than 100,000 individuals must notify the PPA of his identity and the identity of the appointed data protection officer (DPO), if so appointed.

This change significantly eases the burden on companies that previously had to register and update the PPA with any changes in their data processing activities. This does not eliminate the need to comply with other legal requirements, including those related to the obligations during data collection, data security requirements, and the obligation to uphold the rights of individuals whose data is being processed.

4. Obligation to Appoint a Data Protection Officer

As part of the additional obligations imposed on companies, the amendment will require various entities to appoint a DPO. The DPO will serve as a professional authority, responsible for:

• Implementing an employee training program.
• Maintaining a privacy compliance program.
• Ensuring the existence of an appropriate data security procedure and database definition document.
• Addressing inquiries from individuals.
• Overseeing all matters related to data protection.

Additionally, the amendment demands the DPO possess the required knowledge and skills, receive the necessary resources from the company, not hold another position within the company, and report directly to the company’s CEO. The DPO need not be an employee of the entity, allowing companies to hire external privacy experts to serve as DPOs.

The entities required to hire a DPO are as follows:

• Public entities and bodies.
• Controllers of databases whose main purpose is collecting personal data in order to transfer it to others as part of a business practice or for compensation, if the database contains the personal data of more than 10,000 individuals.
• Controllers or processors of databases whose activities include data processing operations that, by their nature, scope, or purpose, require regular and systematic monitoring of individuals, including tracking their behavior, location, or actions. This includes radio and telephony service providers, online search service providers, or those whose main business involves such activities.
• Entities engaged in the processing of highly sensitive data on a significant scale, including banking corporations, insurers, hospitals, and other health organizations.

5. Expansion of Enforcement Measures

The amendment seeks to expand the tools for effective enforcement against companies that violate the PPL and its regulations. The amendment grants additional enforcement powers to the PPA and allows individuals directly affected by PPL violations to file lawsuits in a wider range of cases.

According to the amendment, individuals may file suits if they, inter alia:

• Did not receive sufficient notice prior to the collection of their personal data.
• Had a request to access their personal data handled improperly.
• A decision by a company to delete or rectify their personal data was not carried out.
• Did not receive a notice regarding the deletion or rectification of their personal data.

For some of these provisions, the amendment allows for compensation without the need to prove damages.

The amendment also grants the PPA a broad range of tools for effective enforcement. These include:

• Issuing a notice to companies in violation of the PPL.
• Requiring the correction of a violation.
• The authority to order a company to stop data processing.
• The authority to conduct an administrative inquiry.
• The authority to impose significant financial penalties on companies violating the PPL and its regulations, which may exceed hundreds of thousands of shekels.
• The authority to carry out sector-wide oversight procedures in various industries.
• Additionally, the amendment will formalize a process of early consultation with the PPA regarding the operation of databases.

6. What’s Next?

The Knesset will soon hold a final vote on the proposed amendment. The amendment’s provisions will likely come into effect one year after its enactment. Upon completion of the legislative process, we recommend that all our clients operating in Israel take several steps to ensure compliance with the PPL and its regulations:

• Map data collection and processing activities to ensure compliance with the updated notice and consent requirements.
• Review privacy policy documents and align them with legal requirements.
• Assess the need to appoint a DPO within the organization, in accordance with the new provisions.
• Conduct a systematic gap analysis against the amendment’s provisions and identify potential risks in the company’s activities.

[View source.]