Israel and GDPR: A New Era of Privacy Regulation

In 2024, Israel became the latest jurisdiction to introduce comprehensive privacy legislation, drawing significant inspiration from the European Union’s General Data Protection Regulation (GDPR). On August 5, 2024, the Israeli parliament, the Knesset, approved Amendment No. 13 (the “Amendment”) to the Israel Privacy Protection Law (IPPL). This Amendment, set to take effect on August 15, 2025, represents a major overhaul of the IPPL, which has remained largely unchanged since its initial enactment in 1996.

Key Aspects of the Amendment

Expanded Definitions

The Amendment introduces significant changes to core definitions in the IPPL, aligning them more closely with international privacy standards:

• Personal Information – Now defined as any “data related to an identified or identifiable individual,” mirroring the GDPR’s broad approach to personal data.
• Highly Sensitive Information – This term replaces the IPPL’s previous definition of “sensitive information” and aligns with the GDPR’s concept of Special Categories of Data. The new classification includes biometric data, genetic data, location and traffic data, criminal records, and personality assessments.
• Data Processing – The definition of processing has been significantly expanded to encompass virtually all forms of handling personal information, including receipt, collection, storage, copying, review, disclosure, exposure, transfer, conveyance, and granting access.
• Database Controller – The Amendment replaces the previous term “database owner” with “database controller,” aligning it with the GDPR definition. A database controller is the entity or individual that determines the purpose of processing personal data within a database.
• Database Holder – Analogous to the GDPR’s “processor,” this term refers to an entity that processes data on behalf of the database controller. Given the Amendment’s broad definition of data processing, this term captures a wide array of third-party service providers.

Mandatory Appointment of Key Privacy Roles

The Amendment mandates the appointment of key personnel to oversee privacy compliance:

• Privacy Protection Officer – Similar to the GDPR’s Data Protection Officer (DPO), organizations meeting certain thresholds based on size and industry—whether controllers or processors—must designate a Privacy Protection Officer. This individual will be responsible for ensuring compliance with the IPPL and advancing data security and privacy initiatives.
• Data Security Officer – While certain organizations were previously required to appoint a Data Security Officer, the Amendment expands this obligation to a wider range of entities.

Enhanced Enforcement Powers

The Privacy Protection Authority (PPA), Israel’s privacy regulator, has been granted broader enforcement powers, including:

• Increased Financial Penalties – Fines are now proportionate to the number of affected data subjects, the nature of the violation, and the violating entity’s annual turnover. Large organizations face penalties of up to 5% of their annual revenue, potentially amounting to millions of dollars.
  • Example: A data processor unlawfully handling data from 1,000,000 individuals could face a fine of 8,000,000 ILS (approximately $2.5 million USD).
  • Small and micro-businesses are subject to a maximum fine of 140,000 ILS ($45,000 USD) per year.
• Expanded Investigative Authority – The PPA now has enhanced supervisory and investigative powers, enabling it to issue warnings, injunctions, and take corrective action against non-compliant entities.

Additional Key Amendments

The Amendment introduces several additional requirements aimed at strengthening data subject rights and enhancing corporate accountability:

• Expanded Data Breach Notification Requirements – Organizations must now adhere to stricter breach notification obligations.
• Enhanced Data Subject Rights – Individuals will benefit from expanded rights concerning access, correction, and erasure of their personal data.
• Extended Statute of Limitations & Exemplary Damages – Legal claims related to privacy violations will be subject to an extended statute of limitations, with the possibility of exemplary damages for serious breaches.

Preparing for Compliance

With the August 2025 implementation date approaching, businesses operating in Israel or handling data of Israeli residents must proactively adapt to the new regulatory landscape. Establishing a robust data protection program is now an essential aspect of corporate compliance, particularly in light of growing global privacy awareness and enforcement trends.

As Israel aligns its privacy framework more closely with the GDPR, companies will need to reassess their data governance practices to ensure full compliance with the new obligations under the IPPL.