GDPR-Like Legislation in Israel to Take Effect in 2025
Changes to Israel's Privacy Protection Law (IPPL) will take effect this year, significantly altering the nation’s privacy regulations and giving its privacy watchdog broader powers to increase financial penalties on violators.
Israel’s parliament, the Knesset, enacted Amendment No. 13 to the IPPL in August 2024 to introduce several substantial changes, many of which bring the IPPL closer to the European Union’s General Data Protection Regulation (GDPR).
Israel considers privacy a basic right protected by its constitution, falling under the jurisdiction of the Basic Law. However, prior to the recent amendment, the IPPL had not been significantly updated since 1996.
The changes introduced by Amendment No. 13 include expanding the definition of “personal information” to cover any information pertaining to an identified or identifiable person, such as IP addresses; renaming the term “sensitive information,” which covers genetic data, biometric data, criminal records, and location data, to “highly sensitive information”; and widening the definition of “processing” to include all operations regarding information, including collection, storage, and transfer.
Another change concerns the definition of a “database holder,” which will apply to any entity other than the database owner that processes information for the owner. This will affect several different service providers, like database maintenance providers, which will be subject to the law’s restrictions.
Certain companies, depending on their size and industry, must also appoint a Privacy Protection Officer, a new role. This person will be responsible for ensuring the company is compliant with the IPPL and for promoting data security and privacy protection efforts within the organization. These organizations include public agencies, those with a database where the primary purpose is to collect personal information to provide to others as a business (specifically entities with the personal information of more than 10,000 in a database), database owners or controllers, database holders that regularly or systematically monitor individuals (such as telecommunications providers or online search service providers), and organizations that process highly sensitive information on a large scale, including banking corporations, health maintenance organizations, hospitals, and insurers.
Israel’s privacy regulator, the Privacy Protection Authority (PPA), is also being given broader powers, including the power to significantly increase financial penalties. These fines will depend on the number of individuals whose data is affected by a violation, the type of violation, and how much money the violating organization earns.
Fines are capped at 5 percent of a business’s annual turnover, which for larger companies could mean a fine of more than $1 million. The cap for fines against smaller businesses is set to 140,000 ILS ($45,000 USD) per year.
The head of the PPA will be able to issue administrative warnings and order that violations stop within a desired timeframe.
Security and defense agencies will be exempt from the PPA’s oversight. Instead, companies must appoint an internal privacy inspector to oversee how data is handled within an organization.
Another limit on the PPA will come during elections. The watchdog will not have any enforcement or supervisory powers over databases where political parties or candidates in local authority elections are the controllers.
For individuals wishing to file a claim against a company over a violation involving their private data, the statute of limitations for civil claims was expanded from two years to seven.
The changes to the IPPL will take effect in August 2025, giving organizations less than seven months to prepare.