Written by: Haim Ravia, and Dotan Hammer
The crux of the matter is not Amendment 13 to the Israeli Privacy Protection Law, which was recently enacted by the Knesset and will take effect on August 14, 2025. Instead, the Privacy Protection Regulations (Provisions Regarding Data Transferred to Israel from the European Economic Area), adopted in 2023, are at issue. How do they amend the Israeli Privacy Protection Law?
The regulations set forth a series of obligations, some entirely new to Israeli law. For example, a “right to be forgotten” (deleting personal information at the request of the data subject), an obligation to notify individuals about data processing when the personal data about them wasn’t directly obtained from them, an obligation to ensure the accuracy of the information, and more. All these rights were initially granted to individuals whose information was transferred to databases in Israel from the European Economic Area (namely, the European Union as well as Norway, Iceland, and Liechtenstein).
However, in just over three months, the scope of these regulations will expand dramatically.
How will the regulations apply?
Starting January 1, 2025, the regulations will apply to all personal information held in databases in Israel, as long as those databases also contain information that originated from the European Economic Area. Data that was provided directly by an EEA individual is exempt from the regulations. Many organizations in the Israeli economy receive information from the European Economic Area. For example –
- Banks and financial institutions;
- Insurance companies;
- Hospitals, and healthcare organizations;
- Accounting firms and law offices;
- Airlines, travel agents, and tourism companies;
- Government agencies and public authorities.
Who will benefit from the rights granted by the regulations?
At the beginning of 2025, the regulations will apply not only to information originating from the European Economic Area that is held in databases in Israel but also to personal data that originated in Israel (about Israelis). In practice, the regulations will grant these enhanced rights to residents of any country whose personal data is processed in Israel. As a result, the regulations will fundamentally change the rights given to individuals under the Privacy Protection Law of 1981.
What do the regulations state?
The vast majority of the obligations under the regulations are brand new to Israeli law. Here is a brief, and non-exhaustive list –
- Obligation to delete information – A database owner is required to delete information at the request of the data subject, especially if the information is no longer needed for the purposes for which it was created, received, stored, or collected. The database owner may decline the request on limited grounds.
- Limiting the retention of unnecessary information – A database owner is required to implement mechanisms that ensure that no unnecessary information is held in the database for purposes other than those for which it was collected or permitted to be held under the law.
- Obligation to ensure information accuracy – A database owner is required to implement mechanisms that ensure the information received in the database is correct, complete, clear, and up-to-date. If the information is found to be inaccurate, measures must be taken to correct or delete it.
- Notification obligation – When the information that the database owner received was not directly provided by the data subject, the database owner must notify the data subject within no more than a month regarding the identity of the database owner and the database manager, their address, and contact information; the purpose for which the information was transferred to the database owner; the type of information transferred; and the data subject’s rights regarding deletion, review, and correction of the information. This obligation also applies when the database owner intends to transfer the information onward to third parties.
How to prepare
In our experience, the degree of preparation required varies significantly across different organizations. Fundamentally, it requires an understanding of the information the organization receives from databases in the European Economic Area, the databases within the organization where this information is recorded, the implications of the regulations to all data subjects in Israel, analysis of whether the organization can comply with these obligations, and what lawful steps the organization can take to limit the application of the regulations.
Final Notes
- At a session held in April 2023 in the Knesset’s (the Israeli Parliament’s) Constitution, Law, and Justice Committee, the Israeli Ministry of Justice announced its desire to publish within a few months, a bill proposing substantial amendments to the Privacy Protection Law, known as Amendment 15. The ministry sought to render the regulations redundant by ensuring the substantial changes would enacted into law before 2025. However, not even a draft bill for Amendment 15 has been published to date. It is therefore unlikely that by January 1, 2025, the regulations will have not taken effect as mentioned above, unless the Ministry of Justice seeks to delay their application and manages to promulgate this change in the regulations by then.
- We are likely to face a highly undesirable situation where, in January 2025, a new substantial arrangement will take effect through these regulations, while at some unknown time subsequently, another substantial arrangement will take effect through an amendment to the law.
- The regulations are a form of secondary legislation that aims to amend substantial arrangements in a law. The state itself acknowledges that such substantial arrangements should be enacted in primary, not secondary legislation—namely, through an amendment to the Privacy Protection Law. In our view, this can support an argument against the regulations’ validity.
We are happy to assist with any further details or questions on this matter:
Haim Ravia, Adv. HRavia@PearlCohen.com
Dotan Hammer, Adv. DHammer@PearlCohen.com
Cyber, Privacy, and Copyright Practice Group.
