8 March 2018
DataGuidance confirmed, on 1 March 2018, with Dalit Ben-Israel and Efrat Artzi, Partner and Senior Privacy Lawyer respectively at Naschitz, Brandes, Amir & Co., Advocates, that the Proposed Protection of Privacy Law (Amendment No. 13), 5768-2018 (‘the Bill’) was published, on 27 February 2018, by the Israeli Parliament (‘Knesset’). The Bill, which has passed the first reading, proposes to enhance the Privacy Protection Authority’s (‘PPA’) supervision and enforcement of the Protection of Privacy Law, 5741-1981 (‘the PPL’), particularly by authorising the PPA to impose large administrative fines.
Dan Or-Hof, Founder of Or-Hof Technology & IP Law, told DataGuidance, “The Bill is particularly important in light of the considerable technological and commercial changes that have occurred during the last three decades. These changes create new risks to the right to privacy and the Ministry of Justice believes that better enforcement would tackle these risks successfully. Much like EU data protection laws, the PPL applies to the private and public sectors. The Bill provides a scale of maximum fines on the basis of the volume of data processed and its sensitivity. Therefore, companies who process data on a large scale (one million records or more) with highly sensitivity data, will face the highest fines for breaches of privacy.”
If passed, the Bill will enable the PPA to impose initial fines of NIS 5,000 (approx. €1,170) to NIS 800,000 (approx. €186,910) for violations of the PPL. Moreover, for severe violations, the initial amount can be increased two or fourfold, meaning that organisations could face up to NIS 3.2 million (approx. €748,030) in fines.
The PPA is gradually gaining more power and presence in the Israeli market. The Bill is another substantial element of this trend
Ben-Israel and Artzi explained, “The violations are categorised into three groups reflecting the severity of the breach; the more severe the breach, the higher the fine. In each of the three levels, there is a lower fine for breaches relating to ‘regular data’ and a higher one for ‘data with special sensitivity.'”
Violations which would be subject to fines under the Bill include database registration failures, failing to report to the PPA on certain matters, breaches of data subject rights, carrying out direct mailing in contravention of the legal requirements, and processing data beyond the specified purpose for which it was collected. In calculating the total fine, the PPA will consider the severity of the violation, the number of individuals the records in the database relate to and if sensitive data was involved. In addition, an increase of one fiftieth of the fine per day may be added for a continuous breach.
Ben-Israel and Artzi continued, “The PPA must notify the organisation of its intent to impose fines and provide certain details. Then, the organisation may, within 30 days, provide its arguments against the imposition of the fine and/or the amount of the fine. If, nevertheless, the PPA decides to impose a fine, the organisation receives a payment form.”
As the fine would be classed as an administrative decision, organisations may appeal to the Administrative Court, a division of the District Court.
Or-Hof concluded, “The PPA is gradually gaining more power and presence in the Israeli market. The Bill is another substantial element of this trend. It joins breach notification and detailed information security requirements, which will come into effect on 8 May, and a series of new guidelines issued by the PPA. While Israeli privacy laws are taking a separate course from the EU’s General Data Protection Regulation (Regulation (EU) 2016/679), the evolution of these laws requires close attention.”
ELLEN O’BRIEN | Privacy Analyst