Forty years after the enactment of the Israeli Privacy Protection Law, a new draft bill seeks to adapt the Privacy Protection Law to the digital age.
One of the main purposes of the draft bill is to preserve the right to privacy as a fundamental legal right and protect the personal information contained in various databases. A complementary purpose is to augment the supervisory and enforcement capabilities delegated to the Registrar of Databases in the Privacy Protection Authority.
Accordingly, the amendment grants substantial enforcement powers to the Privacy Protection Authority and increases the fines imposed on offenders. By doing so, the draft bill is striving to increase the weight of privacy protection legislation in Israel.
The current Privacy Protection Law is archaic for several reasons:
- It has not kept abreast of the digital world and the fast-paced technological changes in the fields of data collection and processing.
- It does not encompass all of the threats to and possible violations of an individual’s privacy.
- It is not aligned with the European Union’s General Data Protection Regulation (GDPR), thereby adversely affecting the State of Israel’s standing vis-à-vis EU member states.
- The new draft bill reduces the obligation to register databases. The focus has instead shifted to supervision and enforcement, with the regulatory emphasis placed on databases that pose a significant threat to privacy. This is, however, only a reduction in the registration obligation, not its complete elimination.
The amendment proposes that the registration obligation apply to large databases containing information about more than 100,000 data subjects, only if the database is particularly sensitive, considering the database’s type of controller (such as a public entity), the reason for processing the information (data collection as a business for the purpose of sharing with third parties), or the mode of data collection (the data were not collected from the data subjects or with their consent).
Also proposed is a registration obligation for databases containing information about more than 500,000 data subjects, including “highly sensitive information.” The bill proposes that databases containing between 100,000 and 500,000 data subjects have an obligation to report details regarding the establishment of the database.
- Terms and definitions pertaining to the protection of personal information will align with the customary terms used internationally, by the OECD and the GDPR. For example, the term “database controller” will replace the term “database owner.”
- The term “highly sensitive information” will replace the term “sensitive personal information.” The aim is to create a real distinction between a person’s identifiable information and information requiring high protection to safeguard the right to privacy. This is similar to the categories prescribed in the data security regulations for determining a database’s required level of security.
- With the reduction in the registration obligation, the draft bill also proposes revising the “purpose limitation principle.” Currently, the purpose limitation principle prescribes that information contained in databases subject to a registration obligation may not be used other than for the purpose for which the database was established. Therefore, this principle applies only to databases under a registration obligation. The legislative amendment proposes to prescribe a general prohibition on the use of information in a database other than for the purpose for which the information was provided. This prohibition applies to the database regardless of its registry status. The draft bill proposes that this prohibition should also apply to knowledge about a person’s private matters, even though the definition of “information” does not include this.
- The enforcement powers granted to the Registrar of Databases (the “Data Protection Supervisor” under its new name) will expand in order to augment the enforcement capabilities and the protection of personal information stored in databases.
- The government will establish a new enforcement mechanism, including investigative and enforcement authorities and the imposition of significant pecuniary sanctions. Sanctions will rise according to the volume of information contained in the database. This administrative enforcement mechanism will be an alternative track to criminal enforcement. The draft bill proposes heavy fines in instances of violations of obligations by virtue of the law and the data security regulations. These fines did not exist up until now, and they considerably boost the Privacy Protection Authority’s enforcement capabilities.
The draft bill is an important step toward achieving the objectives set by the Privacy Protection Authority and the government to increase privacy protection. The draft bill contains needed amendments for which the authority has been lobbying for several years. There are substantive indications of the intention to complete the process promptly. Furthermore, the draft bill specifies that the amendment will come into effect just six months after the legislative process is completed. We recommend that companies analyze their readiness for the legislative amendment now, since this will likely involve long and major processes.