1. Basic National Legal Regime
The primary sources of privacy and data protection law in the State of Israel are the Protection of Privacy Law 1981 (the 'Privacy Law') and the quasi-constitutional Basic Law: Human Dignity and Liberty (the 'Basic Law').
The Privacy Law protects the privacy of individuals by regulating the storage and dissemination of information relating to individuals, prohibiting infringement of a person's privacy without consent and providing for both civil and criminal liability for such infringement.
Section 2 of the Privacy Law identifies activities that constitute an infringement of privacy if carried out without consent, which are:
- spying on or trailing a person in a manner likely to harass him or her, or any other harassment;
- eavesdropping prohibited under any law;
- photographing a person while he or she is in a private domain;
- publishing a person's photograph under circumstances in which the publication is likely to humiliate him or her, or to bring him or her into contempt;
- publishing a photograph of a person who has been physically or psychologically injured in a manner such that it is possible to identify that person, where the photograph was taken at the time of the injury or shortly thereafter and under circumstances in which the publication is likely to cause embarrassment, excluding publication of photographs immediately following the photographing thereof without unreasonable delay under the circumstances;
- copying a letter or electronic message not intended for publication or use of its contents without the permission of the sender or the recipient, provided that the letter or electronic message does not have historic value and 15 years have not passed from the date it was written;
- using a person's name, appellation, picture or voice for profit;
- infringing an obligation of secrecy laid down by law in respect of a person's private affairs;
- infringing an obligation of secrecy laid down by explicit or implicit agreement in respect of a person's private affairs;
- using, or passing on to another, information regarding a person's private affairs, other than for the purpose for which it was given;
- publishing or passing on anything that was obtained by way of an infringement of privacy under bullet points (1) to (8) or (10) above;
- publishing any matter that relates to a person's intimate life, state of health or conduct in 'the private domain'; and
- publication of photographs of a person's identifiable corpse unless:
- 15 years have passed from the time of death;
- consent was obtained from the deceased or his or her relatives identified in the Privacy Law under the conditions specified in the Privacy Law; or
- a court order is obtained under conditions set forth in the Privacy Law.
These privacy protections apply regardless of whether personal data is stored in a database.
The Privacy Law also governs use of information stored in databases. A 'database' is defined in the Privacy Law as "a collection of data, stored by magnetic or optical means and intended for computer processing," subject to certain exceptions.
The Privacy Law does not use the term 'data subject'; however, the definitions of 'data' and 'database' indicate that the Privacy Law's database provisions apply only to databases containing information about natural persons, although case law has extended certain privacy (but not database-related) protections to legal entities.
The Basic Law provides that "every person is entitled to privacy and to the confidentiality of his life" and "there shall be no infringement of the confidentiality of a person's conversations, correspondence and writings."
Judicial precedent also represents a key source of privacy law in Israel.
A key recent development is the passage of the Protection of Privacy Regulations (Data Security) 2017 (the 'Data Security Regulations'), which became effective in May 2018. While the Privacy Law as originally enacted included provisions relating to databases, these provisions were technologically outdated. Following a full reappraisal and reassessment by the regulator, the Data Security Regulations were promulgated to supplement existing data security provisions under the Privacy Law and the Protection of Privacy Regulations (Conditions for Possessing and Protecting Data and Procedures for Transferring Data Between Public Bodies) 1986. The Data Security Regulations establish specific, granular requirements with respect to personal data collected and maintained in databases, and represent a significant increase in compliance obligations relating to data security.
One of the most notable provisions of the Data Security Regulations is the addition of a data breach notification requirement for 'serious data breaches.' A 'serious data breach' is defined as either unauthorised use or compromise of data integrity of a substantial portion of the database for a medium-security database, or any unauthorised use or any compromise of data security for a high-security database. Serious data breaches require immediate notification to the Database Registrar, an entity appointed by the government pursuant to the Privacy Law to supervise compliance with provisions of the Privacy Law and the regulations issued thereunder. While there is no uniform obligation to notify affected data subjects of these breaches, the Database Registrar, after consultation with the National Cyber Bureau Chief, has the authority to order the database-owner to notify affected data subjects.
Criminal and/or civil proceedings may be brought based on an infringement of privacy under the Privacy Law. Criminal sanctions include fines or jail terms, and civil remedies include injunctive relief and/or monetary compensation. Details regarding fines are described in the Administrative Offence Regulations (Administrative Fine - Protection of Privacy) 2004. Additionally, the Registrar may apply to the District Court for an order cancelling the registration of a database or suspending the registration's validity for a specific period.
Certain sector-specific laws impose obligations of secrecy which, if breached, could constitute an infringement of privacy, such as the Banking Ordinance 1941, the Patients' Rights Law 1996 and the Income Tax Ordinance (new version).
Amendment 13 to the Privacy Law is currently pending before the Israeli Knesset. If passed, the proposed amendment will vest the regulator - the Privacy Protection Authority (PPA) - with enhanced supervisory powers and authorise exponentially higher penalties for Privacy Law violations. While penalties for Privacy Law violations under existing regulations impose fines of ILS10,000-25,000 (approximately USD2,700-6,800) (excluding incremental penalties for ongoing violations), under Amendment 13, fines for violations will be increased up to a maximum amount of ILS3.2 million (approximately USD876,000), with daily increases of 2% for ongoing unmitigated breaches. Amendment 13 also adds a number of criminal violations to those already included in the Privacy Law, including:
- interference with the monitoring or enforcement activities of PPA personnel;
- provision of false information in the context of such enforcement activities;
- violations of certain obligations in connection with database registration obligations;
- fraudulent breaches of notification requirements in connection with collection of data from the data subjects;
- use of data in violation of the purpose limitation principle; and
failure to properly respect data subjects' access rights.
The PPA is the primary regulator for matters relating to privacy and data security. The PPA sits within the Israeli Ministry of Justice, and is headed by the Registrar of Databases (discussed below). The PPA conducts criminal investigations, administrative investigations and audits, publishes guidelines, conducts research and initiates new regulations. The PPA prepares an annual report about its activities for the review and oversight of the Israeli Knesset. It regulates and enforces data privacy and protection laws and regulations across all sectors, private and public, and may initiate enforcement actions based on information it receives from sources that can include other regulators and public bodies and the media, as well as complaints of aggrieved citizens.
The Registrar of Databases is appointed by the government pursuant to the Privacy Law. The Registrar maintains the Registry of Databases and supervises compliance with the Privacy Law and associated regulations. The Registrar may refuse to register a database if it has reasonable grounds to assume that the database is used or is liable to be used in connection with illegal activities or the data included in the database has been obtained, accrued or collected in breach of the Privacy Law or in breach of the provisions of any order. The Registrar is also authorised to appoint inspectors who have broad authority to inspect information and documents related to databases and search and seize objects from any place where they reasonably believe a database is being operated, provided that entry into a private residence requires a court order.
Regulated industries are subject to industry-specific requirements as well as general privacy, data protection and cyber-security requirements. For example, the Supervisor of Banks has issued privacy and cyber-security requirements for the banking industry, the Ministry of Finance has issued cyber-security guidance for insurance companies, and the Ministry of Health has issued guidance for healthcare institutions.
Under the Law for the Regulation of Security in Public Entities 1998, the General Security Service (GSS) and the National Cyber Security Authority may instruct certain entities (such as licensed telecommunications operators) to take specified cyber-security defensive actions.
1.3 Administration and Enforcement Process
The PPA has several enforcement tools that it may employ depending on the severity and nature of the violation. Such enforcement actions could take the form of a criminal investigation or an administrative enforcement process. The Registrar is authorised to appoint inspectors, who may demand that a person furnish all information and documents related to a database, and may enter, search and seize objects from any place at which they have a reasonable belief that a database is being operated (except that entry into a residence requires a court order). Additionally, individuals may bring civil suits under tort principles. Criminal sanctions include fines or jail terms, and civil remedies include injunctive relief and/or monetary compensation. A proposed Amendment 13 to the Privacy Law, if passed, would accord the PPA additional investigatory enforcement powers. Finally, as noted above, the Registrar may refuse to register a database if it has reasonable grounds to assume that the database is used or is liable to be used for illegal activities or as a cover for them, or the data included in the database were obtained, accrued or collected in breach of the Privacy Law or attendant regulations.
Aside from the standard rights of appeal under Israeli law, there are two specific and additional rights of appeal granted by the Privacy Law. First, database-owners may appeal to the District Court within 30 days after being served notice of certain decisions of the Registrar (such as an order by the Registrar to register a database that is otherwise exempt from registration, or a refusal by the Registrar to register a database). Second, an individual who requests to inspect data in a database and is refused, or who receives notice from a database-owner that the request to amend or delete data was rejected, is entitled to appeal to the Magistrates' Court.
1.4 Multilateral and Subnational Issues
While Israel is not part of any international system, the Database Registrar has the authority to determine that compliance with official or international standards is sufficient to demonstrate compliance with certain elements of the Data Security Regulations. For example, the Database Registrar has determined that ISO 27001 certification can substantially reduce an entity's data security compliance obligations.
Since 2011, the European Union has certified Israel as having an adequate level of protection for personal information pursuant to PPA's Directive 95/46 of the European Parliament. The certification extends to international automated data transfers, as well as non-automated transfers that are subject to further automated processing in Israel. The decision does not extend to international data transfers where the transfer itself, as well as the subsequent data processing, is carried out exclusively through non-automated means.
In addition to the benefits accorded to Israeli data recipients as a result of the EU adequacy certification, exports of data from Israel to the EU are automatically deemed to satisfy the 'legal basis' requirement under the Data Transfer Regulations, see 4.1 Restrictions on International Data Issues.
1.5 Major NGOs and Self-Regulatory Organisations
There are no major privacy or data protection non-governmental organisations (NGOs) or industry self-regulatory organisations (SROs) in Israel.
1.6 System Characteristics
Israeli data privacy and data protection law is distinct from regimes in the EU and US. While recent guidance from the Israeli regulator in some respects echoes the principles of the GDPR, Israeli privacy law differs from the GDPR in a few notable aspects, and in a number of respects imposes more stringent requirements than the GDPR. For example, Israeli privacy law imposes specific, granular data security requirements, requires the registration of certain databases, restricts data exports in a manner different than the GDPR and requires that database registrations include a notification regarding data exports. Unlike US privacy laws, Israel does not have substantial sector-specific requirements for the use of medical data; rather, medical data is by and large governed by general privacy laws and regulations (with a few exceptions, for example special requirements applicable to genetic data and use of medical information for purposes other than patient treatment).
1.7 Key Developments
The most notable development in Israeli privacy law in the past year has been the passing of the Data Security Regulations, which became effective as of May 2018. These Regulations were enacted in order to supplement existing data security provisions under the Privacy Law, and establish specific, granular requirements with respect to personal data collected and maintained in databases. The Data Security Regulations establish four categories of databases that vary according to data sensitivity, how data is used, the number of individuals having access to the database and the number of data subjects. Data security obligations vary according to the database's sensitivity classification. Additionally, the Data Security Regulations notably add a data breach notification requirement for 'serious data breaches' - see 1.1 Laws. Serious data breaches require immediate notification to the Database Registrar. The Database Registrar, after consultation with the National Cyber Bureau Chief, has the authority to order notification to affected data subjects where warranted.
In the summer of 2018, the PPA commenced an audit process pursuant to which more than 150 companies in various sectors were ordered to respond to a detailed questionnaire in order to gauge the level of compliance with the Privacy Law, the Data Security Regulations and the various directives published by the PPA.
1.8 Significant Pending Changes, Hot Topics and Issues
As noted above, Amendment 13 of the Privacy Law is currently pending before the Israeli Knesset. Additionally, the PPA is in the process of gradually implementing the notification requirement for serious data breaches under the Data Security Regulations.
2. Fundamental Laws
2.1 Omnibus Laws and General Requirements
All companies must have a database manager, who is defined under the Privacy Law as the active manager of the legal entity that owns or possesses a database or an individual appointed by such manager (the 'database manager'). A database manager is responsible, inter alia, for ensuring the security of the database systems, determining access rights to the databases, and determining ongoing operating instructions for the database systems. If the database is registered, the name of the database manager must be reported to the Database Registrar.
Entities holding five or more databases requiring registration, public bodies, and banks, insurance companies or companies involved in ranking or evaluating credit must also appoint a suitably trained person to be in charge of data security (the 'data security officer'), and his or her name must also be reported to the database registrar.
Unlike the GDPR, which dictates a closed list of legal bases for the processing of data, under Israeli law the central principle governing the permissibility of processing is the purpose limitation principle, which dictates that personal data may be used only for the purpose for which it was provided by the data subject. In addition, certain defences under the Privacy Law stipulate that processing will not be deemed a violation of privacy, for example, where privacy rights were infringed in good faith and in the context of acts performed pursuant to a legal, moral, social or professional obligation, where the infringement involved a legitimate interest.
Privacy by design concepts are not implemented in the Privacy Law, although the PPA recommends utilising this approach and has published a non-binding guide regarding how to accomplish privacy by design. Regarding drones, see Section 33 below.
Pursuant to the Data Security Regulations, owners of high-security databases must conduct security risk assessments aimed at identifying data security risks and perform mandatory penetration tests at least every 18 months. In addition, the non-binding guide published by the PPA (described above in section 10(c)) includes guidelines for performing privacy impact analyses.
Database-owners (and the data security officer, if appointed) are responsible for preparing a data security policy that is binding upon all individuals having access to the database, details of which should be disclosed within the organisation on a need to know basis. The data security policy must include specific provisions, including, among others, provisions regarding the physical security of the database systems and architecture, a description of means for management of security threats and security breaches of different degrees in proportion to the sensitivity of the data threatened, and details related to data security from any data processing outsourcing arrangement, with explicit reference to the agreement between the parties and to the data processor's data security policy. The data security policy must be updated at least annually, or more often in the event of material changes in applicable systems, risks or processing. Where an organisation owns multiple databases, a single data security policy may apply to multiple databases of the same risk category.
The Privacy Law grants data subjects the right to access and correct personal information held in databases. Where a database is maintained by a third party, the database-owner must refer the applicant to the holder and provide the holder's address. The owner or holder of the database is entitled to impose a fee of approximately USD5.50 for the inspection. If a person's inspection reveals that database information is inaccurate, incomplete, unclear or not up to date, that person may request that the database-owner (or under certain circumstances, the database-holder) correct or if applicable, delete the data.
Consent to processing may be revoked by the data subject, but continued processing may be sanctioned by the legal defences described in 2.1 Omnibus Laws and General Requirements.
The Privacy Law stipulates that the data subject may at any time instruct that he or she be removed from databases used for direct mail (defined under the Privacy Law as an individual approach to persons, based on their belonging to a population group, as determined by one or more characteristics of those persons whose names are included in the database).
The Privacy Law does not expressly address anonymisation, de-identification or pseudonymisation. The definition of 'data' suggests that data properly cleansed of identifying information would be outside the scope of the Privacy Law; however, the regulator has historically taken the approach that data is deemed identifiable where the relevant entity or its business collaborator has the ability to derive data subject identities using other data sets. A public committee has been charged with establishing standards for anonymising medical information. Standards for anonymisation or de-identification have been the subject of litigation.
There are no specific provisions relating to automated decision-making. However, concerns regarding profiling underlie the 1996 amendment to the Privacy Law, the explanatory notes for which discuss the importance of protecting privacy in light of the growing sector of the economy that provides automatic data processing services. In this regard, it was noted that entities involved in providing direct mail services are able to infringe people's privacy by classifying them into categories based on their personal characteristics, and publicly disseminating these 'profiles' without consent. The 1996 Privacy Law amendment included a section regulating direct mail services.
A key labour law court decision addressed employers' online monitoring of employees. In the 2011 Isakov case, Israel's highest labour court issued a decision that established comprehensive rules regarding employers' monitoring of employees' computer, information technology and email use at their workplace (Tali Isakov Inbar v the State of Israel). Such monitoring requires either the employee's written consent or a court order, as well as the satisfaction of other requirements, see 2.4 Workplace Privacy.
Privacy infringements, violations of certain database-related offences and breaches of regulations issued pursuant to the Privacy Law constitute civil wrongs under the Civil Wrongs Ordinance (new version). In addition, a court may award damages amounting to ILS50,000 (approximately USD13,816) without proof of damages for breach of privacy rights, and damages may be doubled where the privacy infringement was with intent to harm.
2.2 Sectoral Issues
Classes of data deemed sensitive data under the Privacy Law include details regarding a person's personality, private affairs, state of health, economic situation, opinions and faith and other information deemed to be sensitive data by order of the Minister of Justice (to date, no additional classes of information have been added to the list). Any database that includes sensitive data must be registered with the Registrar.
In addition, the inclusion of certain classes of data in a database can mandate incremental data security requirements under the Data Security Regulations. The Data Security Regulations establish four categories of databases. Data security obligations vary according to database classification, with significantly more stringent requirements applying to medium- and high-security databases. The security classification assigned to a database derives from factors including:
- the type of data included in the database, in particular the inclusion of sensitive information such as medical, genetic, financial, information about political and religious beliefs, criminal history, telecommunication data, or location information;
- the number of individuals having database access permissions;
- the number of data subjects; and
- whether a primary purpose of the database includes making information available to other parties for business purposes (for example, for use for direct marketing).
The Wiretap Law 1979 provides that unauthorised electronic surveillance, or the unauthorised use of electronic surveillance devices, may constitute a criminal offence. Investigative authorities must obtain a court order before engaging in electronic surveillance, unless such electronic surveillance is for purposes of national security in which case only the approval of the Minister of Defence or Prime Minister is required. Additionally, PPA's Directive 1/2017, published by the Database Registrar, stipulates that the provisions of the Privacy Law, regarding the right to inspect information, apply to all digital information, including recordings of telephone calls, chat correspondence, recorded video calls, etc.
While there is no specific regulatory framework for privacy-related aspects of text messaging, a class action suit from 2011 against a major communication company brought to light the violation of privacy arising from the defendant's practice of saving its users' text messages without such users' knowledge for the purposes of servicing its platform. The company discontinued this practice following the suit.
Section 11 of the Privacy Law includes a notice requirement, pursuant to which any request to a person to provide data that will be held or used in a database must be accompanied by a notice stating:
- whether the person has a legal obligation to deliver the data or whether delivery depends on consent;
- the purpose for which the data is requested; and
- to whom the data will be delivered and for what purpose.
'Do not track' considerations are not specifically addressed under Israeli law.
Consent required for behavioural advertising is not specifically addressed under Israeli law.
PPA's Directive 4/2012 titled 'Use of Security and Surveillance Cameras and Databases of Recorded Images,' published by the Database Registrar, applies to the use of surveillance cameras in public spaces (which includes certain privately owned property accessible to the public) used by government and non-government entities. When such footage is recorded, the identifying information collected about individuals or information that enables identification of individuals are 'databases,' which are subject to the Privacy Law. Additionally, under the Directive, entities using CCTV systems are required, inter alia, to evaluate the need for such technology and its effect on privacy and other rights, consider less invasive alternatives, and exercise special caution when situating cameras in public spaces frequented by minors, such as schools and community centres. Such entities must also consider privacy concerns when designing the placement, coverage and functionality of CCTV systems and post clear, legible signs both at the entrance to the filmed location and within the filmed area. Additionally, PPA's Directive 1/2017, published by the Database Registrar, stipulates that the provisions of the Privacy Law, regarding the right to inspect information, apply to all digital information, including recorded video footage.
Finally, PPA's Directive 5/17, relating to the use of surveillance cameras in the workplace, stipulates that any use of video monitoring by an employer must be reasonable, proportional, fair, in good faith and for a legitimate purpose, and must also be established by an explicit policy that is present to employees and to which the employees consent.
While Israel does not have any specific provisions relating to social media, search engines and the right to be forgotten, different versions of an amendment to the Privacy Law have been pending before the Israeli Parliament since July 2014. These amendments would provide data subjects the right to request that the search engine operators remove their data. Should the search engine operator refuse to do so, the data subject would have recourse at court.
A few cases have been brought before Israeli courts requesting that online presences be erased. For example, in the 2015 Oksman case (Oksman v Sobari) before the Israeli District Court, the plaintiff demanded that a website publishing legal updates erase all references regarding a suit brought against him. In that case, the court determined that the current Israeli law does not guarantee such a right. Conversely, in another similar case from the same year, the same court ruled that information that the plaintiff was requesting to remove from search engines should indeed be removed, based on defamation laws rather than privacy laws.
The Privacy Law requires the owner of a database to register the database if it:
- contains data on more than 10,000 people; see definition of 'data' at 2.1 Omnibus Laws and General Requirements;
- contains sensitive data; see definition of 'sensitive data' at 2.2 Sectoral Issues;
- contains data about natural persons not provided by them, on their behalf or with their consent;
- belongs to a public body; or
- is used for direct mail services; see definition of 'direct mail services' in 2.3 Online Marketing.
Possessing or managing a database that must be registered is prohibited unless:
- the database has been registered;
- the application to register the database has been submitted and the Registrar has not registered it within 90 days and has not notified the applicant of a refusal to register or a delay for special reasons; or
- the Registrar has issued an order stating that the database must be registered (in respect of a database that would not normally be subject to the registration obligation) and the Registrar's order grants permission to manage and possess the database during the registration procedure.
Thus, while database registration is the responsibility of the data-owner, a data processor may violate the Privacy Law where it processes data using a database that requires registration but has not been registered.
The Privacy Law does not define 'database owner'; the term is commonly understood to approximate the EU 'controller'. A 'database-holder' is defined as one who has a database in his or her possession on a permanent basis and is permitted to use it (the term is roughly comparable to the EU 'processor').
Israeli law imposes criminal penalties for certain hate speech. The Penal Law 5737-1977 (the 'Penal Law') prohibits publications that are deemed to incite racism (with 'racism' defined as persecution, humiliation, degradation, a display of enmity, hostility or violence, or causing violence against the public or parts of the population, because of their colour, racial affiliation or national ethnic origin); such publications carry criminal penalties regardless of whether or not the publication actually resulted in racism or whether or not the content of the publication is factually accurate. Penalties include a five-year jail sentence.
Increased criminal penalties are available for any crime that is racially motivated (ie, for crimes other than publications referred to above, with the definition of 'racism' being applicable to 'racially motivated crimes'), such that any person who commits a racially motivated crime, or a crime based on animosity towards a group of people because of their religion, religious group, ethnicity, sexual orientation or because they are foreign workers, such person will be liable for the shorter of:
- a sentence twice as long as the length determined in the law for such crime (where not racially motivated); or
- a ten-year jail sentence.
The Penal Law also prohibits the publication of calls to commit acts of violence, as well as words of approval, encouragement or identification with an act of violence, if there is a real possibility that such publication would result in acts of violence. Penalties include a five-year jail sentence.
The age of legal majority is 18. The Legal Capacity and Guardianship Law 1962 stipulates that any legal action of a minor requires the approval of his or her representative (a parent or an appointed guardian), unless that action is an action that minors of his or her age tend to do. Israeli law does not expressly authorise minors above a certain age to consent to use of personal information.
Use of a minor's personal data, or personal data obtained from a minor (even if that data relates to a third party) for advertising or marketing purposes without the consent of a parent or guardian is prohibited under the Consumer Protection Regulations (Advertisement and Marketing Directed at Minors) 1991. However, such prohibition does not include use of such information in order to provide goods or services to a minor.
Under the Incorporation of Biometric Identification and Data in Identification Documents and in Databases Regulation 2011 (Biometric Regulations), the use of biometric identification data from minors is heavily restricted, and collecting fingerprints for the purpose of obtaining biometric identification data is prohibited completely when the minor is under the age of 12.
Under a newly enacted law, which will come into effect as of 1 September 2019, a daycare centre for children under 36 months old must be visually recorded (without use of audio recording) at all times during its hours of operation, unless 70% of the parents enrolled refuse such recording. The existence and location of such cameras must be indicated by appropriate signage, and must also be fully disclosed to all daycare employees. The recordings must be kept for 30 days, and then automatically deleted.
2.3 Online Marketing
Israel's Communications Law (Bezeq and Broadcasting) 1982 (the 'Spam Law') requires opt-in (ie, data subject consent) for dissemination of promotional material by email, fax, automated calling systems and short messaging technologies (such as SMS or MMS). 'Promotional material' is defined as communications that are intended to encourage the purchase of products or services, or the spending of money in another manner. In addition to requiring prior written consent, the Spam Law requires that all promotional material include a clear, conspicuous notice containing information including:
- identification of the promotional material as an advertisement - for email communications, the word 'advertisement' must appear in the email subject line;
- the advertiser's identity, address and contact information; and
- notification of the recipient's right at any time to opt out of receiving promotional material and simple and reasonable means to opt out - for email communications, an email address must be included.
In addition to the requirements that exist under the Spam Law, the Privacy Law regulates 'direct mail' (which is defined as "an individual approach to persons, based on their belonging to a population group, as determined by one or more characteristics of those persons whose names are included in the database"). An 'approach' includes one made in writing or in print, via telephone, facsimile, computer or other means. Direct mail solicitations must state clearly that it is a direct mail solicitation, the registration number of the database, and notification that the recipient of the solicitation has the right to be deleted from the database and the address to be contacted for this purpose, as well as the identity and address of the database containing the data from which the solicitation was made, and the sources from which the owner of the database received that data. A recent PPA directive provides certain leniencies for direct mailing to a database-owner's active customers, as long as the database owner does not use any sub-categorisations or additional profiling beyond the customer's status as an active customer.
The provision of direct mail services to others by way of transferring lists, adhesive labels or data or other means is referred to under the Privacy Law as 'direct mail services.' Databases used for direct mail services must be registered, and the manager or holder of a database used for direct mail services must keep a record of the source of all of the data, the date the data was received and the persons to whom the data was given.
2.4 Workplace Privacy
Privacy in the workplace is governed by generally applicable privacy laws and regulations, including the Privacy Law and the Data Security Regulations.
The PPA has issued a number of specific directives addressing privacy issues arising in workplaces. For example, PPA's Directive 2/2012 addresses the applicability of the Privacy Law to screening procedures for workplaces and placement agencies. In addition, PPA's Directive 5/17, relating to use of surveillance cameras in the workplace, stipulates that any use of video monitoring by an employer must be reasonable, proportional, fair, in good faith and for a legitimate purpose, and must also be established by an explicit policy that is available to employees and to which the employees consent.
Two Israeli labour court decisions have addressed video monitoring in the workplace. In the first case, the court ruled that installing and operating a security camera in the employees' workspace without their consent and notwithstanding their express objection constituted a violation of their privacy, and significant deterioration in their working conditions, which entitled the employees to resign without such resignation being deemed a breach of contract (Leshziner v Pe'er Medical Rehabilitation Center). In the second the court held that installing security cameras in public areas of the workplace (such as the building entrance) did not constitute a violation of the employees' privacy (Gafner v Prigo Israel Agencies Ltd).
2.5 Enforcement and Litigation
Violations of Israeli privacy laws are subject to criminal penalties, administrative fines and may be the subject of individual tort claims. The legal standards that must be established in order to allege violations of privacy or data protection laws depend on whether the claim is civil or criminal in nature. However, certain provisions of the Privacy Law are strict liability offences and carry a one-year imprisonment term; these include managing, possessing or using a database in breach of the Privacy Law, delivering false details in an application for registration of a database, failing to deliver details or delivering false details in a notice attached to a request for information, failing to comply with certain provisions of the Privacy Law regarding the right to inspect information, granting access to a database in breach of the Privacy Law, failing to appoint a security officer where necessary, managing or possessing a database used for direct mail services in breach of the provisions of the Privacy Law, and delivering information in breach of the Privacy Law. Amendment 13 also adds a number of criminal violations to those already included in the Privacy Law.
3. Law Enforcement and National Security Access and Surveillance
3.1 Laws and Standards for Access to Data for Serious Crimes
The Criminal Procedure Law (Enforcement Authority - Telecommunications Data) 2007 allows Israeli investigative authorities (such as the police and other specified authorities) to request a court order requiring licensed telecommunications providers to provide such investigative authority with access to telecommunications meta data. Such meta data may include location, subscriber or traffic data, but does not include content. Licensed telecommunications providers may in certain circumstances be required to provide such meta data for a limited period of 24 hours without a court order. In setting forth the scope and duration of such an order, courts are required to consider the extent to which such order intrudes on to individual privacy rights. In addition, the Wiretap Law 1979 authorises Israeli investigative authorities to obtain real-time access to telecommunications content for investigating and preventing serious crimes. Wiretaps for national security purposes require the approval of the Prime Minister or Minister of Defence. Wiretaps for the purpose of investigating or preventing criminal activities require court approval.
3.2 Laws and Standards for Access to Data for National Security Purposes
The Telecommunications Law 1982 provides that any licences provided to a licensed telecommunications-provider may be subject to certain terms and conditions, as set forth by the Minister of Communications. Individual telecommunications licences may contain terms and conditions requiring the provision of certain data to the Israeli government or security agencies. In addition, the Telecommunications Law requires licensed telecommunications providers, upon the order of the Prime Minister, to provide Israeli security agencies with access to their telecommunications network, to the extent necessary for the security agencies to exercise their lawful authority. It is understood that such orders have been issued to major Israeli telecommunications companies, but the substance of such orders has not been made publicly available. In addition, Section 11 of the General Security Services Law authorises the Prime Minister to ensure that licensed telecommunications providers provide certain meta data to the Israeli security services. The General Security Services Law does not authorise the collection of content.
3.3 Invoking a Foreign Government
The restrictions on transfer of data outside the State of Israel do not apply where such transfer takes place in accordance with a request made under the International Legal Assistance Law 1998, which provides for data disclosure procedures between Israel and applicable countries regarding legal proceedings.
3.4 Key Privacy Issues, Conflicts and Public Debates
One hotly debated issue is the creation of a registry of Israeli citizens' biometric information by the Population and Immigration Authority. Currently, when an individual's national identity card is issued, he or she may refuse to include his or her biometric information (fingerprints) in the national registry (although this negatively effects the term of the national identity card's validity). Prior to such inclusion, the data subject must be made aware of the risks involved, the security methods implemented, and his or her right to request that such information be removed from the database.
4. International Considerations
4.1 Restrictions on International Data Issues
Under the Protection of Privacy Regulations (Transfer of Information to Databases outside of the State's Boundaries) 2001 ('Data Transfer Regulations'), data transfers from databases within Israel to a location outside the State of Israel are strictly prohibited unless a legal basis for the transfer exists ('legal basis requirement') and the recipient is bound by a data protection undertaking that meets Israeli law ('undertaking requirement').
A 'legal basis' for international data transfers under the Data Transfer Regulations exists if:
- the data is transferred to a country the laws of which ensure that the transferred data is protected to a degree no less than that accorded by Israeli law, incorporating principles whereby the:
- data must be gathered and processed legally and fairly;
- data shall be held, used and transferred solely for the purpose for which it was received;
- stored data shall be correct and current;
- data subjects shall have the right to view and correct the data; and
- proper security precautions should be implemented to protect the data;
- the data subject has consented to the transfer (further to a 2007 amendment, 'consent' means informed consent, and may be express or implied);
- the transfer is critical to the subject's health and he or she is unable to give consent;
- the data is transferred to a corporation in which the owner of the Israeli-based database has a controlling interest (ie, over 50%) and the corporation has undertaken to maintain the privacy of the data;
- the recipient undertakes toward the owner of the Israeli-based database to uphold the laws regarding the holding and using of data applying to databases located in Israel;
- the data has been lawfully publicised;
- transfer of data is necessary for the benefit or the security of the public;
- transfer of data is required under Israeli law; or
- data is transferred to a database in a country:
- that is a party to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (the Convention);
- that receives data from other European Union member countries under the same terms and conditions; and/or
- that, according to a declaration issued by the Israeli Registrar, has a privacy protection authority with which the Registrar has reached a co-operative understanding.
The 'undertaking requirement' obliges the recipient to agree in writing that such recipient will take sufficient precautions to protect the privacy of the data subjects and will not transfer the data to anyone else ('restriction on subsequent transfers').
Both the 'legal basis requirement' and the 'undertaking requirement' must be satisfied for data exports from Israel to comply with local law. Therefore, even where legal basis exists, data export is prohibited unless the legal undertaking requirement is met.
4.2 Mechanisms That Apply to International Data Transfers
As described above, a 'legal basis' for data export exists where data is transferred to a database in a country that receives data from other European Union member countries under the same terms and conditions. Formerly, this provision was interpreted by the PPA to include entities participating in the now-invalid US 'Safe Harbor' programme. The PPA has not publicly commented on the acceptability of Privacy Shield participation for purposes of this clause.
4.3 Government Notifications and Approvals
No government notifications or approvals are required to transfer data internationally. However, data exports must be disclosed on the database registration statement for registered databases.
4.4 Data Localisation Requirements
4.5 Sharing Technical Details
Israeli law generally provides that the development, use, import or export of products containing encryption technology requires a licence from the Ministry of Defence. Such licences ordinarily prohibit the export of encryption 'know-how or technology' without government consent. Although there is no publicly available guidance clarifying the scope of such prohibition, it is typically understood to restrict the export of source code that has been developed to provide encryption functionality. The Israel Ministry of Defence ordinarily conditions the grant of consent to export such 'know-how or technology' on its review of the applicable source code.
4.6 Limitations and Considerations
As noted above, restrictions on the transfer of data outside the State of Israel do not apply where such transfer takes place in accordance with a request made under the International Legal Assistance Law 1998. No specific limitations or considerations are set forth in Israeli laws and regulations regarding foreign litigation proceedings.
4.7 "Blocking" Statutes
There are currently no blocking statutes in force in Israel.
5. Emerging Digital and Technology Issues
5.1 Addressing Current Issues in Law
While there is no specific framework regarding Big Data analytics, depending on the circumstances, at times it may be questioned whether such use is consistent with the Privacy Law's purpose limitation and the requirement for provision of proper notice to individuals whose personal information will be included in a database. See section 23 above regarding a case currently pending that raises questions regarding whether use of anonymised data requires data subject consent.
General principles apply for automated decision-making.
General principles apply for profiling.
General principles apply for artificial intelligence.
While no regulatory framework specifically relates to the IoT, the PPA has recently addressed the IoT in a publication on its website, stating that while it does not believe IoT creates additional privacy risks, it does intensify and escalate the existing risks.
General principles apply for autonomous decision-making.
When applying for a national identity card or passport identity card, passport or laissez-passer, two fingerprints of the applicant are scanned and a photograph is taken of the applicant's facial features. As noted in section 27 above, the data subject may refuse to have his or her fingerprints included in the biometric register. However, the storage of images of the facial features of all residents of Israel in the biometric database is mandatory.
The highest labour court has prohibited the collection of biometric data from employees without their informed consent, freely given. Additionally, under the Data Security Regulations, collection of biometric data from employees will result in the employee database being deemed a medium security database, with the attendant requirements.
While there are no specific limitations on the use of location-based communications, the inclusion of such data in a database is one of the determinative criteria for classification of a database as a medium security database.
The PPA has published draft guidance concerning the privacy aspects of drone operation. Generally, drone operators are required to conduct their activities in a manner that minimises the collection of personal data to the extent necessary for the specific purpose for which the drone is operated. Drone activities and technologies should be structured to incorporate principles of 'privacy by design' - for example, recording technology carried by a drone could limit picture resolution so as to reduce the possibility that pictures could be used to identify individuals. Drone operators must also make efforts to notify the public regarding drone activities that could affect privacy rights.
6. Cybersecurity and Data Breaches
6.1 Key Laws and Regulators
The PPA has historically enforced compliance with the data security requirements of the Privacy Law, including under the Data Security Regulations. See section 2 regarding the authority and enforcement powers of the PPA.
In 2015, Government Resolution 2444 established the National Cyber Defense Authority (NCDA) as the civilian operational arm of the National Cyber Bureau. The establishment of the NCDA means that Israel has two regulatory agencies that regulate potentially overlapping aspects of data security. Government resolutions have outlined a framework where NCDA focuses on matters of cyber-security while PPA focuses on matters of data privacy. However, legislation implementing this framework and defining the authority of each of these two agencies has yet to be finalised.
The regulatory authorities generally responsible for specific industries may also impose cyber-security requirements. For example, the Supervisor of Banks has imposed additional privacy and cyber-security requirements on the banking industry, the Ministry of Finance has issued cyber-security guidance for insurance companies, and the Ministry of Health has issued guidance for healthcare institutions.
In 2015, a circular was promulgated by the Supervisor of Banks outlining principles that should be followed by banks in order to protect themselves against cyber-attacks. The circular stressed the importance of increasing data protection capabilities and making cyber-security a top priority. It also directs the board of directors and senior management to take responsibility for ensuring proper mechanisms and strategies for cyber-protection, internal monitoring and reporting are put in place. The circular also requires that every banking institution appoint a competent 'manager of cyber-protection' and set out in writing a detailed policy for cyber-security. The circular also addresses the need for a proactive cyber-protection programme that should include, inter alia, an assessment of all of the bank's areas of operations and potential vulnerabilities to cyber-attacks, as well as effective monitoring and communication between different areas of the bank's operating environments in order to enable the identification and communication of irregularities and threats.
6.2 Key Frameworks
Government Resolution 2443 stipulates that local Israeli regulation should be based on international standards to the greatest extent possible. Specifically, Resolution 2443 points to ISO 27001 as the applicable standard for organisational cybersecurity and ISO 15408 for certifying cybersecurity products. Additionally, in 2012 the Israeli Ministry of Health published Circular 18/2012, which requires all healthcare institutions to obtain certification under ISO 27799. The circular also requires all service providers to such institutions that hold either medical information or information regarding the infrastructure of the institution to comply with the standards of ISO 27799. Finally, the Data Security Regulations provide that the Registrar has discretion to accept compliance with specified international standards as satisfaction of the regulatory data security requirements. The PPA has indeed published Directive 03/2018 'Applicability of the Protection of Privacy Regulations (Information Security) 2017 upon Organisations that are Certified Under the ISO/IEC 27001 Standard,' which determines that companies that have been certified under the ISO/IEC 27001:2013(E) Standard, as they are interpreted and detailed in the ISO/IEC 27002:2013(E) Standard (and which fulfil their obligations under the same) are deemed to be compliant with the security obligations included in the Data Security Regulations, except with respect to certain points listed in the Directive, such as the creation of certain documentation regarding the databases, creation of access logs, and notification obligations for serious data breaches.
6.3 Legal Requirements
Database owners must prepare and maintain:
- a database specification defining general parameters of the database and its use;
- a data security policy regarding physical security, database access protocols, management of security threats and security breaches; and
- a system architecture summary that maps the system architecture.
As noted above, certain entities are required to appoint a data security officer.
Amendment 13 to the Privacy Law, currently pending, imposes personal liability on senior executives who fail to take adequate measures to prevent criminal offences with respect to databases or who improperly disclose database information.
Owners of high-security databases must conduct security risk assessments aimed at identifying data security risks and perform mandatory penetration tests at least every 18 months. Additionally, an entity outsourcing processing to a third party must perform a risk assessment that considers the nature of the specific data being processed, implements appropriate data security measures, and imposes a binding data security policy on the processor.
Regarding service-providers, there is a requirement to establish administrative procedures applicable to an external service-provider that provides data processing services.
Owners of medium- and high-security databases are required to perform data security training for employees every two years.
6.4 Key Multinational Relationships
See 4 International Considerations above.
6.5 Key Affirmative Security Requirements
Security requirements differ, depending on the categorisation of the database. However, these requirements generally include:
- physical and digital security measures;
- access controls;
- testing and auditing of data security; and
- the appointment of a data security officer.
6.6 Data Breach Reporting and Notification
As noted above, one of the most notable provisions of the Data Security Regulations is the addition of a data breach notification requirement for 'serious data breaches.' A 'serious data breach' is defined as either unauthorised use or compromise of data integrity of a substantial portion of the database for a medium security database, or any unauthorised use or any compromise of data security for a high security database. Serious data breaches require immediate notification to the Database Registrar, an entity appointed by the government pursuant to the Privacy Law to supervise compliance with provisions of the Privacy Law and the regulations issued thereunder. While there is no uniform obligation to notify affected data subjects of these breaches, the Database Registrar, after consultation with the National Cyber Bureau Chief, has the authority to order the database owner to notify affected data subjects.
Certain industries may be subject to additional reporting requirements. Banking corporations, for example, are required under regulations specific to the banking industry to report certain data breaches to the Supervisor of the Banks.
6.7 Ability to Monitor Networks for Cybersecurity
According to the Data Security Regulations, database systems may not be connected to the internet or other public networks without appropriate protections from unpermitted access and viruses, such as firewalls and antivirus/malware programs. Any transmission of database information by means of public networks or the internet must use reasonable encryption technology. Databases that can be accessed remotely through the internet or other public networks must apply additional security measures for ensuring that only permitted users are accessing the database and only to the extent that such users are permitted. Use of mobile devices to access database systems should be reduced to the greatest extent possible in consideration of data sensitivity, the security level of the applicable database and applicable risks. If mobile access is permitted, database-owners must take security precautions that take this into account. Reasonable encryption of data on mobile devices shall be considered reasonable protection of such data.
Additionally, regular updates must be performed across the relevant systems, including of the necessary software. Systems that the manufacturer does not provide security support for should not be used unless appropriate alternative security responses are provided. Furthermore, databases must be backed up in a manner such that login/access data can be restored to their original form at any time.
6.8 Cyberthreat Information Sharing Arrangements
The Israeli Antitrust Authority (IAA) has released a 'Draft Opinion Paper' for public comment that provides a framework for information-sharing between private entities. Under the Draft Opinion Paper, information concerning cyber-threats should not constitute a 'restrictive trade practice' under the Antitrust Law 1988, provided that the information does not touch on the commercial activities of the parties or contain information that would be sensitive from a competition perspective, such as information regarding pricing or future business plans.
6.9 Significant Cybersecurity, Data Breach Regulatory Enforcement and Litigation
In the PPA's latest report promulgated in November 2018, significant issues relating to cyber-security breaches and enforcement were addressed. Notably, following the leak of personal information from a website for stock exchange trading, which was purchased by the Bank of Jerusalem, an enforcement procedure was conducted to examine the level of security in the Bank's systems. The information leak occurred as a result of AnonGhost hackers, leading to leakage of sensitive information about the bank's customers and others to the Darknet. The findings revealed that although the bank had established security procedures, the procedures and monitoring systems were not implemented properly. After the completion of the enforcement process, a request was submitted to approve a class action against the Bank of Jerusalem, alleging violation of the Protection of Privacy Law.
6.10 Other Significant Issues
Originally published in Chambers & Partners
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.