In early 2022, a bill was introduced into the Knesset (Israeli parliament) proposing several amendments to the Protection of Privacy Law (“Law”). This bill, proposes several significant changes to the existing law and if passed, will bring the Israeli law more in line with the GDPR.
The main elements of the bill are streamlining key definitions, introducing the requirement for appointment of a data privacy officer (DPO), scaling back the current requirements for registration of databases, and granting wider enforcement powers to the Israeli Privacy Protection Authority (PPA). These main elements are detailed below.
The bill proposes changing and broadening the definition of “data” to include any personally identifying information, and adding a new category to cover “data with special sensitivity” such as physical location, political opinions, etc., which parallels the GDPR. The bill would also introduce the terms “data controller”, which is familiar from the GDPR, instead of the former title, and would require certain organizations to appoint a Data Privacy Officer (DPO) in some instances.
The bill also moves towards the GDPR data protection approach, and would limit the current requirement, widely viewed as unduly onerous and outdated, to register almost all databases. Under the bill, organizations would only be required to register a database, if it contains sensitive data of 500,000 or more people, or personal information from 100,000 or more people provided by third parties.
The final and perhaps most significant change is the expansion of the powers of the PPA to enforce compliance and to prosecute privacy violations. These include a long list of investigatory and punitive powers that are far beyond the PPA’s current powers.
It is expected that the bill will undergo a number of revisions before it becomes law, and so do not know what form the final amendments will take. What we do know, is that all organizations operating in Israel, should take legal advice once these amendments take effect, since they will have wide impact on the data protection regime