Last review date: January 24, 2025

☒ omnibus – all personal data 

☒ sector-specific 

e.g. health, banking, insurance, and finance

☒ constitutional

Last review date: January 24, 2025

• The Protection of Privacy Law, 1981 ("Privacy Law") is the main Israeli law regulating privacy in Israel (privacy in general and privacy in computerized databases).
• The Protection of Privacy Regulations (Data Security), 2017 ("Data Security Regulations"), which determine the level of security and the security measures that should be implemented in computerized databases.
• The Protection of Privacy Regulations (Transfer of Information to Databases outside the State's Boundaries), 2001 ("Transfer Regulations"), which regulate the transfer of personal data from Israeli databases outside the State of Israel.
• The Protection of Privacy Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 2023 (the "EEA Data Import Regulations") impose requirements on Israeli data controllers for: (a) personal data transferred from the EEA to Israel (excluding direct transfers by data subjects); and (b) additional personal data stored in Israeli databases containing EEA data. Obligations include data deletion, limiting retention of unnecessary data, ensuring accuracy, and notifying data subjects.

In addition, there are guidelines published by the Israeli Protection of Privacy Authority ("PPA"), the Israeli regulator of privacy and data protection, dealing with specific matters (e.g., biometric data, surveillance cameras, outsourcing, processing of personal data by placement agencies, drones, guidelines for "smart cities", cloud services, responsibility of the board of directors in relation to data security, etc.) and additional sector-specific guidelines published by specific Israeli regulators in their respective fields (e.g., banking sector, finance sector, health sector, etc.)

Last review date: January 24, 2025

• The Privacy Law and the Data Security Regulations set out the obligation to safeguard personal data maintained in a computerized database and the standards of security to be applied.
• The Israeli Computers Law, 1995, which criminalizes unlawful computer-related misconduct, hacking or making malicious use of computers and computer programs.
• The Regulation of Security in Public Bodies Law, 1998, which regulates the protection of certain listed government and public bodies (e.g., telecommunication companies, national ports, transportation carriers, etc.) that provide essential public services and critical infrastructure, on matters relating to information security and cybersecurity.
• The Emergency Regulations (Iron Swords) (Dealing with Severe Cyber Attacks in the Digital Services and Hosting Services Sector), 2023, which expand the powers of the Israel National Cyber Directorate and give it the authority to issue binding instructions to certain digital services and hosting services businesses in the event of a cyberattack. The regulations are valid until 31 March 2025.

Last review date: January 24, 2025

Similar to those regulating cybersecurity. Namely:

• The Computers Law, 1995
• The Regulation of Security in Public Bodies Law, 1998.
• The Emergency Regulations (Iron Swords) (Dealing with Severe Cyber Attacks in the Digital Services and Hosting Services Sector), 2023.

Last review date: January 24, 2025

Yes.

1. Amendment 13 to the Privacy Law is set to enter into force on 14 August 2025 ("Amendment 13").

Key amendments introduced under Amendment 13:

A. Clarifying terms and definitions in the Privacy Law – Amendment 13 aims to align the statutory definitions relating to the protection of computerized personal data to the technological and social developments that have occurred since the Privacy Law was enacted, as well as to align with international legislation, such as the GDPR (e.g., the term "personal data" was expend to include all data that identifies or could identify an individual, replacing the earlier term "sensitive information" with the term "data of special sensitivity" which explicitly covers data such as genetic and biometric information, criminal records, and location data, the term "processing" now encompasses a broader range of actions performed on data, including collection, storage, and transfer, emphasizing the comprehensive nature of data management, the term "holder of a database" has been refined and expanded to include individuals or entities managing databases for the data controller).

B. Reducing the scope of the obligation to register databases – As part of Amendment 13, the obligation to register databases would apply only to databases:

1. which main purpose is to collect data for the purpose of providing it to others, as a way of doing business, including direct-mailing services or
2. which are controlled by "public bodies" which, according to the Privacy Law, are government ministries or other state institutions, local authorities or other bodies performing public functions under law.

C. Expansion of data subjects' notification requirements – Currently, the Privacy Law determines that any request to a person to obtain personal data for the purpose of retention or use in a database must be accompanied by a notice detailing whether such person is legally obligated to provide the data or if its provision depends on their own will and consent; the purpose for which the data is requested; and to whom will the data be transferred and for what purposes.

Following Amendment 13, the transparency requirement towards data subjects has been expended, and the notification to data subject must also include the consequences of refusing to provide the data, the name and contact details of the data controller, as well as the data subject’s rights of access and correction under the Privacy Law in connection with his/her personal data.

D. DPO appointment – Amendment 13 requires the appointment of a Data Protection Officer ("DPO") under the following conditions: (i) controllers which are "public bodies" or processors of data controlled by such bodies, (ii) owners or holders of a database which main purpose is to collect data for the purpose of providing it to others, as a way of doing business, including direct-mailing services, (iii) controllers or holders whose main activities involve data processing or require such processing, which due to their nature, scope, or purposes necessitate regular and systematic monitoring of individuals, including significant tracking or surveillance of behavior, location, or actions to a significant scale; and (iv) controllers or processors primarily involved in processing of a highly sensitive data on a significant scale, including banking corporations, insurers, hospitals, and health funds.

E. Increase of the PPA's enforcement powers - Amendment 13 enhances the PPA's supervision and enforcement authority with respect to the Privacy Law (and its regulations) and its violations and increases the PPA's investigative powers and its ability to impose greater monetary fines.

2. The last phase of the EEA Data Import Regulations is set to be implemented as of 1 January 2025. In this phase, the requirements under the said regulations will apply with respect to any data stored in a database that contains personal data received from the EEA (excluding data provided directly by the data subject).

3. The Emergency Regulations (Iron Swords) (Dealing with Severe Cyber Attacks in the Digital Services and Hosting Services Sector), 2023 are set to expire on 31 March 2025. It is currently unknown whether the validity of such regulations will be extended for an additional period.