Search
Close this search box.
Privacy Protection Law
Reut Weitzman

Reut Weitzman

28 August, 2024

The Knesset approved Amendment No.13 to the Privacy Protection Law (PPL) on August 5th, 2024. Rushed in by the war, this Amendment unifies the changes decided upon during the course of 20 hearings. The aim? To reflect the modernized digital era we are living in. It will come into effect on August 6th, 2025.

The key changes include updates to definitions to expand the scope of the law and new disclosure obligations to provide individuals with more information about and control over their data. Additionally, there has been a lessening of the outdated registration requirements which will make it easier for small organizations to comply and there is a new requirement, that came about through discussions at the Knesset, for certain types of databases to appoint a Data Protection Officer (DPO). And perhaps most significantly—new enforcement powers have been granted to the Privacy Protection Authority (PPA).

Updates to Definitions:
The amendment updated definitions like “Personal Data” and “Specially Sensitive Data,” making them broader to expand the PPL’s scope. “Personal Data” is now any information that can identify an individual. “Specially Sensitive Information” now encompasses information that reveals significant details. Special regulations govern this category. “Database Controller” now refers to entities or individuals who are deciding the purposes of data processing or those legally authorized to process data. “Holder” is now an external party from the controller, processing data on behalf of the controller. “Processing” now means all actions involving personal data, such as transfer, review, disclosure, delivery, or access.

Disclosure Obligations:
The disclosure obligations give people more rights to information and control over their personal data. This promotes transparency and trust. If you are requesting to track or gather personal data, be sure to provide the following when requesting consent: Legal obligation status (mandatory or voluntary), purpose of data collection, controller’s name and contact information, data transfers to third parties, consequences of refusal, and rights of data subjects.

Changes to Registration Requirements:
The purpose of this was to shift the PPL’s focus from data regulation to data processing. There are three cases. For the first case, if processing data for over 10,000 individuals and planning transfers, or if the controller is a public body, registration is necessary. The second one is to notify the PPA if processing Specially Sensitive Data for over 100,000 individuals. Finally, case three is if your previously registered data doesn’t meet current criteria, inform the PPA for registration deletion.

Data Protection Officer Requirements:
The DPOs are dedicated to ensuring privacy compliance and serve as a professional expert within an organization. Organizations must appoint a DPO if processing involves over 10,000 individuals and data transfer plans, if the controller is a public body, if regular and systematic monitoring of individuals is required, or if you are handling Specially Sensitive Data on a large scale. The DPO must report directly to the CEO and cannot hold other positions, though they may be an external contractor.

New Granted Enforcement Powers to the Privacy Protection Authority:
The amendment enhances the formal authority of the Privacy Protection Authority (PPA), empowering it to enforce compliance effectively. The PPA can now audit using external experts, as well as stop data processing if it seems fitting according to their analysis. They can even force complete deletion of a database if the situation calls for such a measure. Financial penalties for violations were significantly increased and widened in scope. In some cases, compensation without proof of damage is even a viable path.

Urgency due to the war may have been a key factor in the PPL amendment’s final approval, but its content is the real indicator of how important it is. Regardless of its reasons, the Knesset approved a masterpiece. The broadened definitions, new disclosure obligations, and the appointment of Data Protection Officers are each examples of genuine care and consideration. Most of the individuals affected by this amendment will probably not know it, but if they did they would undoubtedly be grateful for their increased rights and protections. With these individuals in mind, the new enforcement powers of the Privacy Protection Authority, though intimidating, are necessary and valuable. Privacy protection in Israel will be better because of it.