Written by: Haim Ravia, and Dotan Hammer
The Knesset (the Israeli parliament) recently enacted Amendment No. 13 to the Protection of Privacy Law, 5741–1981, set to take effect in August 2025. This amendment marks the most significant update to Israeli privacy regulations since 1996 and introduces several key changes –
- The definition of “personal information” has been expanded to include any data related to an identified or identifiable individual, including online identifiers like IP addresses.
- The term “Highly Sensitive Information” now replaces “sensitive information,” aligning with GDPR terms and covering genetic data, biometric data, criminal records, and location data.
- The amendment broadens the definition of “processing” to include all operations performed on information, such as collection, storage, and transfer.
- Those who process information for database owners, such as technology service providers, are now considered “Database Holders” subject to legal obligations.
- Database registration requirements have been scaled down, now required only for databases containing personal information regarding more than 100,000 people or databases maintained by public agencies.
- Databases with highly sensitive information on more than 100,000 people must be reported to the Privacy Protection Authority, including details about the data controller and privacy protection officer.
- Certain entities, including public agencies, banks, insurers, and hospitals, must appoint a privacy protection officer to promote compliance with privacy laws.
- The Privacy Protection Authority’s enforcement powers have been expanded, allowing for significant penalties and administrative measures.
- Security and defense agencies are exempt from the Privacy Protection Authority’s oversight, with internal privacy inspectors appointed instead.
Additional amendments include an extension of the statute of limitations for civil claims from two to seven years, expanded notification requirements for data processing, introduction of compensation without proof of damage of up to 10,000 ILS for certain violations, and expanded requirement of data security officers for certain organizations.
The amendment also allows the public to seek preliminary opinions from the Privacy Protection Authority on compliance matters. Yet the amendment does not fully address modern data protection issues, such as expanded legal bases for data processing beyond consent or data subject rights like the right to be forgotten.
According to the Commissioner of the Privacy Protection Authority, Mr. Gilad Semama, the Authority is reinforcing its enforcement framework to focus on comprehensive compliance assessments. Violations after the amendment takes effect can attract substantial fines, marking a significant shift in the enforcement landscape.
Click here to read our extended client update.
Click here to read Amendment 13 to the Protection of Privacy Law, 5741 – 1981 (In Hebrew)