Last review date: January 24, 2025
The Protection of Privacy Authority (within the Israeli Ministry of Justice) ("PPA").
The Israel National Cyber Directorate ("INCD")
Last review date: January 24, 2025
PPA: Enforcement priorities of the PPA are likely to be focused on the following:
- Following the enactment of Amendment 13, which enhances the PPA powers to impose significant administrative fines and initiate administrative proceedings against non-compliant entities, businesses will likely face stricter scrutiny as the PPA is expected to intensify enforcement efforts, focusing on organizations' compliance with data protection and security obligations.
- Cross-sectorial inspection, which is likely to proceed and to expand to additional sectors.
- Investigative Proceedings - the PPA initiates investigative proceedings and takes a more active approach following events that receive media coverage and which raise questions or concerns about privacy and data security laws. It is likely that the PPA will continue with this approach.
INCD: Not enforcement priorities per se, but main efforts by the INCD, as the national security and technological agency responsible for defending Israel’s national cyberspace, would be to defend cyber-attacks on the national level, promote cyber threat protection by private and public organizations, publish best practices and increase cyber threat awareness. In 2025, an increase in activity by the INCD is anticipated, driven by the heightened cyber threat landscape following the Israel-Hamas war.
Last review date: January 24, 2025
Regulatory investigations in Israel are increasingly focused on compliance with stringent data security and privacy requirements. Regulators are prioritizing sectors handling sensitive personal data and critical infrastructure. Investigations often center on breach notification failures, inadequate cybersecurity measures, and improper data handling practices.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Staying the same
Last review date: January 24, 2025
There are:
☒ administrative remedies from regulators and law enforcement
The PPA is entitled to impose administrative fines ranging from ILS 10,000 to ILS 25,000 for breach of certain provisions of the Privacy Law by corporations (whereas for continued violations, the administrative fine will include 1/10 of the amount provided for said violation for each day that the violation continues to occur following a notice of violation issued by the PPA).
As of 14 August 2025, when Amendment 13 to the Privacy Law enters into force, the amounts of administrative fines which the PPA can impose for violations of the Privacy Law, significantly increase, and can reach to thousands of New Israeli Shekels, including p to NIS 100 per data subject whose personal data is included in the database.
In addition, the PPA is authorized to issue orders to cease violations and issue administrative warnings detailing violations and potential penalties for non-compliance.
☒ criminal penalties from regulators and law enforcement
In general, any person who willfully infringes the privacy of another in any of the ways provided under the Privacy Law or violates the obligation to maintain personal data in confidence is liable for imprisonment for up to five years.
In addition, any person who commits certain violations of the Privacy Law with respect to computerized databases is subject to imprisonment for a term of up to one year (whereas in this regard it should be noted that such an offense does not require proof of criminal intent or negligence). These include managing a database without registration or for a purpose which is different than the purpose for which the database was registered, failure to provide or providing a partial privacy notice to data subjects, failure to provide data subjects with access and correction rights, etc.
As of 14 August 2025, with the enactment of Amendment 13, the list of Privacy Law violations punishable by imprisonment is updated. It now includes offenses such as obstructing investigations by the PPA, deliberately omitting mandatory information in a database application form to deceive, and processing personal data without authorization from the data controller. Additionally, the maximum imprisonment term for these violations has increased to three years.
☒ private remedies
A breach of the provisions of the Privacy Law regarding databases constitutes a tort under the Torts Ordinance (New Version) and any data subject that suffered damages from the breach may claim for damages (including filing a petition for certification of a class action).
In addition, the Privacy Law determines that in a case of a criminal conviction for violation of the right to privacy of an individual, the court may award statutory damages of up to an amount of approx. ILS 65,000 to be paid to the injured person, and in a civil tort proceeding under the Privacy Law for a case of a violation of the right to privacy of an individual, the Israeli court may order the infringing party to pay to the plaintiff statutory damages in an amount of up to ILS 65,000 as well (whereas in certain circumstances, twice such amount may be awarded).
As of 14 August 2025, with the enactment of Amendment 13, Israeli court shall be entitled to award statutory damages in an amount of ILS 10,000 for various violations related to the processing of personal data in a database. These include failing to register the database, processing personal data without the proper notification or authorization, denying access to personal data for review by a data subject, failure to correct or deleting inaccurate or outdated data upon request, etc.
☒ other
Publication of Breach: It is a common practice for the PPA to publish its determination that a person has breached a certain provision of the privacy legislation on its website. Such determination may serve as the basis for civil litigation, including the filing of petitions for the certification of class actions (relying on the regulator's determination of illegality as sufficient to meet the burden of proving a prima facie cause of action).
Suspension of registration of a database: Where the owner or a holder of a database infringes any provision of the Privacy Law or the regulations thereunder, or fails to comply with a request made to it by the PPA, the PPA may suspend the registration of a database for a period that it shall determine or cancel the registration of the database in the registry, provided that prior to the suspension or cancellation the owner of the database was given the opportunity to be heard.
As of 14 August 2025, with the enactment of Amendment 13, if the head of the PPA has reasonable grounds to believe that certain violations or potential violations of the Privacy Law are occurring or will occur in a database, he may request an administrative court order which instructs the data controller or processor to cease processing activities that are causing or are likely to cause the violation. Additionally, the court may issue an order for the complete deletion of personal data from the database if necessary.