
12.09.2024

New Amendment to Israeli Privacy Protection Law and Mandatory DPO Appointment

The Israeli parliament recently adopted a new amendment to the Israeli Protection of Privacy Law, 5741-1981 ("PPL") entering into force in 12 months, on August 14, 2025.

The Amendment, titled Amendment 13, is not a full amendment of the law, as it still lacks legal bases of processing (other than consent and legal obligation), extended data subject rights and obligatory DPIAs. It is nonetheless a very extensive amendment to a law from 1981 that was outdated and urgently needed adaptation to modern privacy laws. The intensity of the 20 sessions in the parliamentary Constitutional Committee, which produced the final text of the Amendment for approval by the main plenary of parliament, was primarily driven by the need to impose meaningful sanctions on breach of the Protection of Privacy Regulations (Data Security), 5777-2017, inter alia in light of the increase in cyberattacks due to the Iron Swords War, and also by the adequacy status recently re-affirmed by the EU, which recommended enshrining amendments in primary legislation.

The Amendment is expected to impact the entire market, including private and public entities. The Head of the Privacy Protection Authority ("PPA") was quoted referring to the imposition of financial sanctions as a "repricing of the right of privacy" in Israel.

Here is a list of the key changes:

  1. New definitions of Controller, Processor (titled Holder), Personal Data, Especially Sensitive Data and Processing (similar to GDPR);
  2. Database registration – the requirement to register legal Databases (a collection of personal information in digitized means) was cancelled except for public entities and data brokers processing data of more than 10,000 data subjects. A new notification obligation to the PPA for Databases of Especially Sensitive Data of 100,000 data subjects was added;
  3. Stakeholders: the unique position of a Database manager (entailing personal liability) was cancelled, the obligation to appoint an information security officer (CISO) was amended and we now have a new mandatory DPO appointment (see more on this subject below);
  4. A few new material provisions were added: (i) new purpose limitation principle - prohibition on processing personal data for a purpose contrary to the lawfully compliant purposes set for such database, (ii) prohibition on processing Personal Data without authorization from the Controller, (iii) prohibition on processing Personal Data collected in breach of PPL or any other law;
  5. Extensive investigative and enforcement powers were added to the PPA;
  6. Addition of new significant administrative fines (amounting to millions of NIS if multiple obligations are breached), some imposed without prior opportunity to remedy, but subject to reductions under certain circumstances and a cap of 5% of the annual turnover of the Controller or Processor;
  7. The PPA may request a court order to stop processing, when certain material provisions are breached;
  8. The list of criminal offences was amended and includes, for example, providing notification with erroneous information with an intent to mislead individuals to provide Personal Data, processing Personal Data without authorization from the Controller, etc.;
  9. In a civil claim for breach of certain provisions of the PPL, i.e. lack of notification, breach of data subject rights, etc., statutory damages in the amount of NIS 10,000 (approx. 2,500 EURO) may be claimed without need to prove actual damages;
  10. The notification obligation prior to collection of Personal Data from a data subject includes additional information;
  11. The limitation period for claims under the PPL was aligned to the 7 years of the general law in lieu of 2 years in the pre-amended version of the PPL;
  12. A new statutory pre-ruling procedure with the PPA was added;
  13. The Amendment includes specific provisions for law enforcement and national security agencies and specific provisions to be applied at election times.

In this article I will focus on the new requirement to appoint a Data Protection Officer (DPO).

 

DPO Appointment

Until the enactment of Amendment 13 there was no obligation on Israeli Controllers or Processors to appoint DPOs, although the PPA issued a document in January 2022 recommending such appointment in certain cases.
The Amendment imposes the obligation to appoint a DPO on the following entities:

(1) A Database Controller that is a public entity (i.e. government ministries and municipalities and additional entities, such as universities and HMOs) or a Processor of such Database (i.e. cloud provider of such entities), except for national security entities.

(2) A Database Controller when the Database contains Personal Data about more than 10,000 data subjects and the main purpose of the Database is collecting Personal Data in order to disclose it to third parties as a business or for value, including direct-mailing services, i.e. a data broker.

(3) The core activities of a Database Controller or a Processor consist of data processing operations or are involved with processing operations, which, by virtue of their nature, scope or purposes, require ongoing and systematic monitoring of data subjects on a large scale, including systematic surveillance or monitoring of the behavior, location or actions of a person, amongst others, a cellular services provider, internet service provider, or online search engine.

(4) The core activities of a Database Controller or a Processor consist of processing Especially Sensitive Data on a large scale, including amongst others: a bank, insurance company, general hospital, a Health Medical Organization. "Especially Sensitive Data" is a very detailed definition including a list of 12 items, inter alia: medical data, sexual orientation, genetic data, biometric identifier, criminal records, personality assessment, and more. This is the most relevant criterion for the appointment of a DPO in the private sector.
The Amendment stipulates that processing Personal Data “on a large scale” includes, among others, taking into consideration the number of individuals whose data is being processed, their percentage in a certain population, the scope, quantity and range of the types of the processed Personal Data, the frequency and duration of the processing operations, data retention period and geographical area of the processing operations.

A comparison with the DPO provisions of the GDPR reflects that the provisions for appointing DPOs in the private sector in Israel are almost identical.

 

DPO Tasks

The PPL Amendment states that the DPO will act to ensure compliance of the Database Controller or the Processor with the PPL and will promote privacy protection and information security, including:

(1) Serve as a professional authority and a source of knowledge, provide advice, prepare a training program and supervise its execution.

(2) Prepare a program for ongoing monitoring of compliance with the PPL, ensure its execution, report findings to the management and offer suggestions to remedy defects found.

(3) Ensure the existence of an information security procedure and a database definitions document (the local equivalent of a GDPR records of processing), that are brought for management approval.

(4) Ensure exercise of data subject requests regarding processing of their Personal Data, including requests to access or correct Personal Data.

(5) Act as the contact point between the entity and the PPA.

As opposed to the GDPR, the DPO tasks do not include advice regarding data protection impact assessments and monitoring their performance, as they are not mandatory under the PPL.

The contact details of the Data Protection Officer need to be published to the public in a simple, accessible manner.

The Database Controller or Processor appointing the DPO has to provide the DPO with the conditions and resources necessary for the proper fulfillment of his role and ensure that the DPO is properly involved in any matter related to privacy protection.

 

DPO Qualifications

According to the Amendment, the Data Protection Officer needs to have the required knowledge and qualifications for the fulfilment of his/her role in an adequate manner, including in-depth knowledge of data protection laws, appropriate understanding of technology and information security, and familiarity with the activity and purposes of the entity in which he/she serves, all while taking into account the nature, circumstances, scope, and purposes of data processing. It should be noted that during the Committee hearings a discussion evolved on what constitutes "appropriate understanding" of information security as opposed to "in depth knowledge" of data protection laws, and it was clarified that the requirement is adequate understanding enabling the DPO to ensure the organization's compliance with information security obligations.

The DPO does not have to be an employee of the entity, and these services can be outsourced.

The DPO will directly report to the general manager of the Database Controller or Processor appointing the DPO or to an employee directly subordinated to the general manager. This provision is intended to reflect the seniority of the DPO in the organizational structure.

The DPO is prohibited from fulfilling an additional role or from reporting to a manager, if such additional role or reporting line may cause a potential conflict of interest in fulfilling the DPO duties according to the PPL. The PPA has already voiced its position in the past that the DPO and information security officer positions need to be fulfilled by different individuals as there is an inherent conflict of interest in one person fulfilling both roles.

 

PPA Authorities in relation to breach of DPO provisions

Authority to instruct to stop a breach

In any of the circumstances below, the Head of the PPA is authorized to notify a Database Controller or Processor who are obligated to appoint a Data Protection Officer because they are a public entity or a data broker, that their actions constitute a breach of the PPL and to instruct them to stop the breach and how it should be remedied (including a warning that administrative fines may be imposed if the breach is not remedied):

(1) the DPO did not receive the necessary resources or conditions or was not adequately involved in all matters pertaining to data protection laws;

(2) the DPO does not directly report to the general manager or to an employee directly subordinated to the general manager;

(3) the DPO does not have the required knowledge and qualifications as listed in the PPL;

(4) the DPO performs an additional role or is subordinate to another manager in a manner that may subject the DPO to a potential conflict of interest in fulfilling the DPO duties.

Financial Sanctions

The Amendment introduces a new mechanism of administrative fines for breach of an array of obligations under the PPL and of certain regulations promulgated therefrom. The penalties are set as fixed amounts for specific breaches, can be reduced by up to 70% based on certain conditions defined in the PPL, such as a first-time violation, and are capped at 5% of the annual turnover. Fines for small and tiny businesses are capped at much lower amounts.

If a public entity or a data broker does not appoint a DPO, or does not fulfil the orders of the Head of the PPA to stop or rectify a breach in relation to the DPO obligations (as listed above), the Head of the PPA will be authorized to impose financial fines in the amount of NIS 2 (approx. 0.5 EURO) for each person whose personal data is included in the Database multiplied by the number of data subjects and not less than NIS 20,000 (approx. 5,000 EURO), and if the personal data in the Database is Especially Sensitive Data – an amount of NIS 4 per person (approx. 1 EURO) and not less than NIS 40,000 (approx. 10,000 EURO).

DPO in the private sector - Sanctions

The enforcement powers of the PPA in relation to breach of the new provisions regarding DPO appointment listed above will initially be applicable only to obligations regarding DPOs of public entities or data brokers. The Constitution Committee was concerned that since the DPO appointment in the private sector is a novel position and training the required number of DPOs may take some time, enforcement of these provisions should be postponed until such time that the Minister of Justice has issued an order, approved by the Constitution Committee, according to which the PPA's authorities will also apply to a DPO of a private entity. When such order is issued, the PPA can also declare a breach when a DPO is not appointed in an entity systematically monitoring data subjects on a large scale or the core business of which includes processing Especially Sensitive Data on a large scale and can impose the financial sanctions mentioned above.

Reduction of fines

The PPA will reduce the amount of the fine by 10% if a controller or processor that is obligated to appoint a DPO because it systematically monitors data subjects on a large scale, or because its core business includes processing Especially Sensitive Data on a large scale, actually appointed the DPO prior to imposition of the fines. This reduction is not applicable to public bodies or data brokers.

 

Conclusion

Amendment 13 is a landmark for Israeli privacy and a finale of extensive work by the Israeli Ministry of Justice, the Privacy Protection Authority, the Knesset Constitutional Committee and many privacy practitioners, including myself, participating in the Committee hearings.

The Amendment is a reform that will bring the rights of privacy to center stage in Israel and push entities to prioritize allocation of resources for privacy compliance in light of the increased regulatory, civil and criminal risks. The best place to start such compliance is the appointment of a qualified DPO.

 

Article provided by INPLP member: Dalit Ben-Israel (Naschitz Brandes Amir, Israel)

 

 
