The Israeli Privacy Protection Authority (‘PPA’) published, on 28 November 2018, an opinion (‘the Opinion’) addressing whether a collection of email addresses falls within the definition of a ‘database’ under Section 7 of the Protection of Privacy Law, 5741-1981 (‘the Law’), further to queries received by the PPA regarding the obligations imposed upon database owners and possessors.
Dalit Ben-Israel, Partner at Naschitz, Brandes, Amir & Co. Advocates, told DataGuidance, “The Israeli approach, both in decisions and opinions of the PPA and case law, follows the EU closely despite the somewhat different laws and regulations, presumably, amongst [other things], in order to maintain adequacy. The Opinion includes a detailed explanation of the [PPA’s] decision [to interpret] personal data widely.”
In particular, the Law defines ‘database’ as a collection of data, as including, information on a person’s occupation, religion, marital status and health. Furthermore, the Law excludes from the definition collections that include only names, addresses and means of communication, which in themselves do not produce a ‘characterisation’ infringing the privacy of the person. The Opinion provides that email addresses are not ‘only a means of communication,’ as they can also serve as a way of acquiring further identifiable personal data of an individual. Furthermore, the Opinion states that, more recently, email addresses are being used for identification purposes in social networks and internet sites, and so may provide a means for connecting an individual to additional personal data stored in other databases.
[For this reason] databases should have been registered anyway, even prior to the new interpretation of the PPL
Ben-Israel highlighted, “Any database containing email addresses [triggers] application of all other provisions of the Law and the Protection of Privacy (Data Security) Regulations, 5777-2017 (‘the Regulations’). The immediate effect would probably be that companies who [had] not [previously been obligated to register collections] containing only contact details of customers and suppliers, assuming that this data is not personal data, would now have to do so. In addition, [requirements such as] preparing data mapping, […] data security procedures and appointing a database manager under the Regulations, will have to be followed.”
The Opinion highlights that, in addition to a collection containing customer names and email addresses, it is unlikely that an organisation would not already possess other personal data about their customers, such as payment information and purchasing habits.
Ben-Israel concluded, “[For this reason] databases should have been registered anyway, even prior to the new interpretation of the PPL […] I believe that it will be problematic to challenge the Opinion, as opposed to the comments already given by some practitioners. The burden of registering databases is indeed something that [has been] discussed in Israel for a long time, and a step forward was taken when the fees for registration were cancelled some time ago. There is an expectation in the market to see the registration requirement cancelled, but I assume this will not [take place] in the near future, as there are more pressing statutory changes in the data protection field on the legislator’s desk.”
LAUREN SHERLOCK Junior Privacy Analyst