Israel - Data Protection Overview

November 2021

1. Governing Texts

Data Protection in Israel is governed primarily by the Protection of Privacy Law and enforced by the Privacy Protection Authority. The law covers collection and use of personal data and sensitive data, sets the rights and obligations of the parties collecting and using the data, including security requirements with respect thereto, and sets the rights afforded to individuals whose data is collected and used.

1.1. Key acts, regulations, directives, bills

Data protection in Israel is governed primarily by the Protection of Privacy Law, 5741-1981 ('the Privacy Law') and the regulations promulgated under it, the Basic Law: Human Dignity and Liberty, 5752-1992, and the guidelines of the Israeli regulator, the Privacy Protection Authority ('PPA') (formerly known as the Israel Law, Information, and Technology Authority ('ILITA')).

Additional legislation includes:

1.2. Guidelines

Although the guidelines published by the PPA do not have the status of law, they reflect the PPA's interpretation of the obligations under the existing Privacy Law and therefore should be considered. The guidelines include:

  • 2/2011 Use of Outsourcing Services for Personal Data Processing (only available in Hebrew here);
  • 4/2012 Use of Security and Surveillance Cameras and Databases of Recorded Images (only available in Hebrew here);
  • 2/2017 Direct Mailing and Direct Mailing Services (only available in Hebrew here);
  • 5/2017 Use of Surveillance Cameras at the Workplace and in the Framework of Employment (only available in Hebrew here);
  • Draft Guidelines on the Transfer of Ownership in a Database (only available in Hebrew here) ('the Transfer of Ownership Draft Guidelines'), which relate to database transfers in a merger & acquisition context; and
  • 3/2018 Application of the Data Security Regulations to Organisations Certified Under ISO 27001 (only available in Hebrew here).

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Privacy Law applies to all entities in Israel, private, business, and public, that hold or process personal information.

2.2. Territorial scope

The Privacy Law does not explicitly determine its jurisdiction, nor does it require that the data subject be a resident or citizen of Israel. From this, one may conclude that the Privacy Law's jurisdiction is as of other Israeli laws, i.e., limited to acts within Israel. It is an unsettled legal question whether the Privacy Law applies to foreign entities processing personal information of Israelis, and whether it applies to Israeli entities processing personal information of non-Israelis. However, if the restrictions on the transfer of data are breached, any subsequent use of the data outside Israel is likely to be attributed to the party in Israel who breached the transfer restrictions.

2.3. Material scope

The Privacy Law applies to personal data and sensitive data. Although the Privacy Law does not state expressly that it excludes anonymous data, it is reasonably assumed that the Privacy Law does not cover anonymous data.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Israeli regulatory authority, the PPA, was founded in 2006, and is part of the Ministry of Justice.

The head of the PPA also serves as the Registrar of Databases ('the Registrar'). The PPA is responsible for the protection of all personal information held in digital databases, including through the use of administrative and criminal enforcement.

3.2. Main powers, duties and responsibilities

The PPA represents Israel in the international privacy arena and participates in the legislative process. As mentioned above, the PPA publishes guidelines that reflect the PPA's interpretation of the obligations under the Privacy Law. The PPA has administrative and criminal investigatory powers and may conduct inspections and audits on any entity subject to the Privacy Law. The PPA may also impose administrative fines, in certain circumstances, as described below.

The Registrar is required to maintain the Registry of Databases and is empowered to supervise compliance with provisions of the Privacy Law and the regulations issued thereunder. The Registrar is authorised to refuse to register a database if it has reasonable grounds to assume that:

  • the database is used, or might be used, for illegal activities, or as a cover for them; or
  • the data included in the database was obtained, accrued, or collected in breach of the Privacy Law or any other law.

4. Key Definitions

The Privacy Law regulates two principal matters: the general right to privacy and the protection of personal data in databases. The following terms are defined under the Privacy Law:

Personal data: data regarding the personality, personal status, intimate affairs, state of health, economic situation, professional qualifications, opinions, and beliefs of a person.

Sensitive data: Data on the personality, intimate affairs, state of health, economic situation, opinions, and beliefs of a person, and other information if designated as such by the Minister of Justice, with the approval of a parliamentary committee (no such determination has been made to date).

A comparison between the definitions of personal data and sensitive data reveals that sensitive data does not include data regarding a person's personal status and professional qualifications.

Data controller | data processor: The Privacy Law does not use the terms 'data controller' and 'data processor' but rather refers to 'database owner,' 'database holder,' and 'database manager'.

Data security: protection of the data from disclosure, use, or copying performed without permission, or protection of the integrity of the data, i.e., that the data in the database is identical to the source from which they were extracted, and it has not been changed, delivered, or destroyed without permission.

Database: A collection of data, stored by magnetic or optical means and intended for computer processing, except for:

  • a collection of data for personal use that is not business purposes; and
  • a collection of data that includes only names, addresses, and contact information of persons which in itself does not create any characterisation that breaches the privacy of such persons, provided that neither the owner of the collection nor any corporation under its control has an additional collection of data.

Note that contrary to previous interpretations of this exemption, on 28 November 2018, the PPA clarified that a collection containing only names and email addresses would not fall under the exemption and therefore will be considered as a database (only available in Hebrew here).

Database holder: A legal person who has a database in its possession on a permanent basis and is permitted to use it.

Database owner: Not defined in the Privacy Law. Some compare the role of the database owner to that of the data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Although there are several similarities between the two, they are not the same, as the Privacy Law does not state generally that the database owner is primarily responsible for demonstrating compliance with the Privacy Law.

Database manager: The active manager of the legal entity which owns or possesses a database, or a legal person authorised to carry on such activities by the manager for this purpose.

Person: A natural person, as distinguished from a person for the purpose of ownership of a database, which may be a corporation. In order to differentiate the two meanings, in this Overview 'data subject' shall mean a natural person and 'legal person' shall mean a natural person or a corporation.

Data subject: Please see the definition of 'Person' above.

Biometric data: Data used to identify a person which is a unique physiological human characteristic that can be measured by a computer.

Health data: Data referring to a patient's physical or mental health, or data about his/her medical treatment. Not defined in the Privacy Law, but in the Patient's Rights Law, 5756-1996 (only available in Hebrew here).

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

A database owner who collects personal data directly from data subjects, must request their consent and inform them: if they are under a legal duty to provide the data, the purpose of collection, and details of any third party that will receive the data and for what purpose.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

No person may bear responsibility under the Privacy Law for an act which such person is empowered to do by law.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles
A database manager, holder, or employee must not disclose any personal data except for the purpose of carrying out its duties, implementing the Privacy Law, or under a court order in connection with legal proceedings.

Storage Limitation

A database owner must review annually whether the data stored in the database exceeds what is required for the database purposes.

7. Controller and Processor Obligations

A database owner:

  • must notify the Registrar and data subjects of a transfer of ownership in the database (in a merger or acquisition context or otherwise);
  • must comply with the security requirements set in the Data Security Regulations; and
  • may be subject to administrative fines, and to civil and/or criminal liability.

Security of personal data

The Data Security Regulations set a list of requirements regarding data security. These requirements apply to a database owner, manager, and holder. Although the Data Security Regulations do not establish what specific technical information security measures a database owner must adopt, they do mandate the adoption of a series of corporate and managerial measures, as well as technological measures, that conform to the types of information that the organisation stores and the uses that are made of the personal information. The security requirements include, inter alia:

  • drafting a database definitions document (similar to a record of processing), that will include a general description of the collection and processing of data and details of any transfer of data from the database to another country;
  • development and implementation of an information security policy and procedures, that will include provisions as to the physical security of the site where the infrastructure of the database is located, access authorisation to the database, and risks to which the database is vulnerable and how to resolve such risks, including by use of encryption mechanisms;
  • taking reasonable measures, customary in employee screening procedures, to verify that there is no reason an employee should not be authorised to access the database;
  • training and informing authorised employees of the requirements of the Privacy Law, the Data Security Regulations, and the security policy and procedures;
  • limitation or absolute prevention of the possibility to connect a portable device to the systems of the database, considering the sensitivity of the data contained in the database;
  • appointing an Information Security Officer ('ISO');
  • documenting any security incident;
  • assessing the risks involved in the engagement with a contractor and regulating certain matters in a written agreement with the contractor;
  • conducting a periodical review by a competent person, other than the ISO, in order to verify compliance with the provisions of the Data Security Regulations; and
  • maintaining, in a secured manner, data accumulated in the implementation of the Data Security Regulations provisions for a period of at least 24 months.

In the PPA guidelines regarding the application of the Data Security Regulations to organisations certified under ISO 27001 (only available in Hebrew here), the PPA stated that organisations that are certified under and comply with ISO 27001 are considered compliant with most of the requirements under the Data Security Regulations.

7.1. Data processing notification

Subject to certain exceptions (see below), a database owner is required to register its database to the extent that one of the following conditions is met:

  • the database contains data in respect of more than 10,000 data subjects;
  • the database contains sensitive data;
  • the database includes data about persons, and such was not provided by them, on their behalf, or with their consent;
  • the database belongs to a public entity; or
  • the database is used for direct mailing services.

A database must be registered prior to managing or holding the database unless the Registrar permits performing such acts prior to registration.

Although the Privacy Law imposes the obligation to register on the database owner, the Privacy Law also prohibits managing or holding a database that is required to be registered but has not been registered. Therefore, database managers or database holders could also face liability in connection with a database that is not registered.

Databases are exempt from the registration obligation where:

  • the database only contains data made public according to lawful authority; or
  • the database only contains data which was made available for public inspection according to lawful authority.

7.2. Data transfers

Transfer of ownership of a database

The PPA's Transfer of Ownership Draft Guidelines present the PPA's proposed position with respect to the duties of database owners and the rights of data subjects in situations where the ownership of a database is transferred to another legal person due to a sale of the database, or a merger or acquisition of the database owner. According to the Transfer of Ownership Draft Guidelines, such duties and rights include the following:

  • the transferring database owner (the former owner) and the recipient database owner (the new owner) must notify the Registrar of such transfer of ownership;
  • if the characteristics of the database recipient are different from those of the transferring database owner in a significant way that may adversely affect the rights of a data subject, then the data subject's consent must be obtained prior to the transfer of the data to the database recipient. If such data subject's consent was not obtained, the data about him/her should not be transferred to the database recipient and should be erased;
  • if, due to the transfer of ownership in the database, the purposes of processing of, or the processing activities performed on, the data in the database must change, the data subject's consent must be obtained prior to the transfer of the data to the database recipient; and
  • if the purposes of processing and the processing activities do not change as a result of the transfer of ownership in the database, generally notifying the data subjects of the transfer of ownership and the contact details of the database recipient will suffice.

Overseas transfers

The Transfer of Information Regulations state that data from a database in Israel must not be transferred to another country, except if the law of such country ensures a level of protection with respect to personal data that is no less stringent than that provided by Israeli law. On 1 July 2020, the PPA notified that its position is that the law of the European Union ensures such level of protection, and therefore transfer of personal data to countries that are or were members of the European Union is permitted, provided that those countries continue to comply with the provisions of the European Union law regarding protection of personal data.

Notwithstanding the foregoing, a database owner may transfer, or permit the transfer, of personal data to another country if:

  • the data subject gave his/her consent to the transfer;
  • the data subject's consent cannot be obtained and the transfer is necessary in order to protect the data subject's health or bodily integrity;
  • the data is transferred to an entity under the control of the database owner and the database owner ensured the protection of the personal data post-transfer;
  • the data is transferred to an entity that is obligated in an agreement with the database owner to hold the information in accordance with the conditions required in Israel;
  • the data was made public according to lawful authority or was made available for public inspection according to lawful authority;
  • the transfer of the data is imperative for the protection of public safety;
  • the transfer of the data is mandatory pursuant to Israeli law; or
  • the data is transferred to a country which is party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') or receives data under similar conditions.

On 1 July 2020, the PPA clarified that personal data may continue to be transferred to the United Kingdom after its withdrawal from the European Union, since the United Kingdom is party to Convention 108. This includes transfers of data to countries that enjoy 'adequacy' status from the European Commission, or other transfers of data to non-EU countries which comply with the data transfer requirements of the GDPR (e.g., under Standard Contractual Clauses ('SCC')).

If data is transferred, the database owner must obtain the recipient's written obligation that it takes measures appropriate to ensure the protection of the data and that it must not transfer the data to any person, whether in the same country as the recipient or otherwise.

7.3. Data processing records

The Privacy Law requires a database owner to establish a 'database definitions document', which includes the following matters: general description of the data collection and usage activities, purposes for which the data is used, types of data contained in the database, details regarding overseas transfer of the database, activities of the database holder, main security risks and how they are dealt with, name of the database manager, holder and ISO.

7.4. Data protection impact assessment

In certain circumstances, a database owner may be required to conduct a data security risk assessment. Such a risk assessment must be conducted at least once every 18 months.

7.5. Data protection officer appointment

A database owner is required to appoint an ISO in certain circumstances.

Appointment of a data protection officer ('DPO') is not required under the Privacy Law. However, there is a requirement to appoint an ISO by an entity meeting one of the following conditions:

  • entities holding five or more databases requiring registration;
  • public bodies; or
  • banks, insurance companies or companies involved in ranking or evaluating credit.


The database manager must inform the Registrar as to the identity of the ISO.

Failure to nominate an ISO when required to do so may result in administrative fines and criminal sanctions. While the ISO is responsible for data security, the database owner, holder, and manager nevertheless are each held individually responsible under the Privacy Law for data security as well.

The Privacy Law does not require that the ISO should be an Israeli citizen or resident. An individual convicted of an offence involving moral turpitude or an offence stipulated in the Privacy Law may not be appointed as an ISO.

The Data Security Regulations further detail the duties of the ISO and of the database owner with respect to the ISO. The ISO shall receive resources from the database owner in order to carry out its duties and shall report directly to the database manager. The ISO shall not perform other duties if such other duties may result in a conflict of interest with its duties as an ISO. The ISO shall develop a data protection procedure, and have it approved by the database owner, and shall develop an ongoing.

7.6. Data breach notification

A database owner must document any security incident and, in certain circumstances, inform the PPA of such incident.

A database owner is responsible for documenting any incident that raises concerns as to the integrity of the data or any unauthorised use of the data. If a severe security event occurs, then the database owner shall inform the PPA immediately, and not later than 72 hours from its occurrence and shall report the steps that were taken following such an event. The PPA may order the database owner to inform the data subjects that may be affected by the security event.

Sectoral obligations

In addition to the general obligation to notify a security event, entities in certain sectors are subject to more specific legislation that imposes on them additional duties.

Notably, the Supervisor of the Capital Market, Insurance and Savings Authority ('the Capital Market Supervisor') of the Ministry of Finance published a circular (only available in Hebrew here) regarding cyber risk management by financial institutions (such as insurance companies and investment banks). The circular requires financial institutions to, inter alia, report to the Capital Market Supervisor and to the Board of Directors of such institution any significant cyber event that resulted in the unavailability of systems containing sensitive data for over three hours, or any indication that sensitive data was accessed.

In addition, the Supervisor of Banks of the Bank of Israel ('the Banks Supervisor') published Circular No. C-06-2560 Re: Supply Chain Cyber Risk Management (24 April 2018) ('the Banks Supervisor Circular'). The Banks Supervisor Circular requires banks to, inter alia, report to the Banks Supervisor any cyber event that already occurred or any warning about a possible cyber event that may occur in the future.

7.7. Data retention

A data subject may request that data about him/her be erased from a database. Under the Data Security Regulations, a database owner must consider, on a yearly basis, whether the personal data included in its databases exceeds what would be considered necessary for such database owner. Effectively, this requires database owners to establish data retention policies.

7.8. Children's data

The PPA in its guidelines introduced its position that, in the case of a minor (a data subject under 18), there is an obligation to inform and obtain the informed consent of the minor's parent or guardian regarding the collection and use of personal data. Collection of personal data regarding a child (a data subject under 14) requires the informed consent of the parent or guardian, and collection of sensitive data regarding a minor (a data subject under 18) requires the informed consent of the parent or guardian.

7.9. Special categories of personal data

A database containing sensitive data must be registered with the Registrar and a higher level of security must be implemented with respect to such database.

7.10. Controller and processor contracts

A database owner must require any of its contractors that have access to personal data to adhere to certain requirements and must monitor their compliance with such requirements.

According to the Data Security Regulations, an owner of a database engaging a contractor for the provision of a service that requires granting such contractor access to the database, must assess, prior to the engagement, the data protection risks involved in such engagement.

Considering the aforementioned risks, the Data Security Regulations require that the following matters must be explicitly regulated in the database owner's agreement with the contractor:

  • the data which the contractor will be authorised to process and the purpose of such processing;
  • the type of processing which the contractor will be authorised to perform;
  • the database systems which the contractor will be authorised to access;
  • the term of the contractor's engagement and how the data will be returned to the database owner at the termination of such engagement;
  • directions as to how the contractor, a database holder, must perform its obligations pursuant to the Data Security Regulations and other obligations imposed by the database owner;
  • the contractor's duty to have its personnel sign an undertaking regarding confidentiality and adherence to the agreement between the database owner and the contractor; and
  • the contractor's duty to inform the database owner of any security event and to provide a report to the database owner, at least annually, regarding its performance of all the above.

The database owner must monitor the contractor's compliance with the terms of the agreement between the database owner and the contractor and with the Data Security Regulations, in the scope and to the extent appropriate considering the risks to data protection.

8. Data Subject Rights

8.1. Right to be informed

Upon collection of personal data from data subjects, a database owner must inform them: if they are under a legal duty to provide the data, the purpose of collection, and details of any third party that will receive the data and for what purpose.

8.2. Right to access

A database owner must either allow a data subject access to any data about him/her kept in the database or refuse to allow such access to the extent permitted by law.

A data subject may inspect any information about him/her that is kept in a database, whether in person, or by a representative or guardian. The database owner must enable the inspection of the information in Hebrew, Arabic, or English, as requested by the data subject.

If a database is maintained by a database holder on behalf of a database owner, then the database owner must refer a data subject asking to access the information to the database holder and instruct the database holder to allow such inspection.

Pursuant to the Data Inspection Regulations, the data subject must pay the owner or holder of the database a fee of ILS 20 (approx. €5.41) for the inspection. Inspection must be permitted within 30 days of the request, although the Registrar may extend the period by an additional 15 days.

The Data Inspection Regulations allow the database owner to provide a print-out of the requested information as the equivalent of permitting inspection of the data, but the print-out must not be removed from the premises of the database owner or holder without permission.

A database owner or holder may refuse the request for inspection of data from a database if:

  • the database is of one of the types of databases the Privacy Law determines must not be subject to inspection (e.g., a database of a security authority, tax authority, the database of the Israel Prison Service, data that the disclosure of may harm Israel's security or foreign relations or is prohibited by the provisions of any legislation); or
  • the database is a service bureau that processes and stores data for its customers, so long as the database owner or holder refers the data subject to the owner of the data on whose behalf the processing or storage services are performed.

If a request to inspect data is refused, the data subject must be notified within 21 days of the request, although the Registrar may extend the period by an additional 15 days.

In the event the request is denied, the data subject requesting the data may file a suit in accordance with the procedures set forth in the Data Inspection Regulations.

A database owner may refrain from providing data to a data subject for his/her inspection if:

  • the data relates to the data subject's physical or mental health, and the database owner believes that such data may endanger the life of, or cause severe harm to the data subject's physical or mental health, then the database owner must provide the data to a physician or psychologist on behalf of the data subject; or
  • it will breach a legal privilege applicable to the data, as prescribed under any legislation or ruling, unless the data subject is the legal person for whose benefit the privilege is enacted.

8.3. Right to rectification

A database owner must respond to a data subject's request to rectify or erase any data about him/her kept in the database.

The Privacy Law provides that if a data subject inspects data about him/her and finds that it is inaccurate, incomplete, unclear, or not up to date, the data subject may request from the database owner or holder that such data be amended or deleted. This is, however, not an absolute right, and the database owner may refuse to accommodate such erasure request.

If the database owner agrees to the request, the amendments to the data or its erasure must be communicated to anyone who received the data from the database owner within the preceding three-year period. If a request to rectify or erase the data is refused, the data subject must be notified within 30 days of the request, although the Registrar may extend the period by an additional 15 days.

A data subject may demand, in writing, from the owner of a database used for direct mailing that the information about him/her be deleted from such a database.

8.4. Right to erasure

Please see section on the right to rectification, above.

8.5. Right to object/opt-out

The Privacy Law allows a data subject to object to the processing of data only by means of a civil suit based on the claim that the processing violates the data subject's right to privacy. However, there is no established concept of a general right to object to processing once the personal data has been provided for processing without violation of privacy (e.g., with the consent of the data subject). As of today, it is generally understood that data subjects in Israel do not have a right to withdraw their consent for processing.

In the PPA's Transfer of Ownership Draft Guidelines (which are still subject to change), a data subject's consent to processing must be obtained prior to the transfer of the data about such data subject to the new owner of the database.

A database holder and a database manager may be subject to administrative fines, and to civil and/or criminal liability.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

The Administrative Fine Regulations authorise the Registrar to impose administrative fines of ILS 2,000 (approx. €541) on an individual for:

  • using, holding, or managing an unregistered database which requires registration;
  • delivering false information in a database registration application;
  • failing to deliver documents or an affidavit to the Registrar, on an annual basis, by a holder of at least five databases which require registration; and
  • managing or possessing a database used for direct mail services without properly tracking the sources of the information used.

Administrative fines of ILS 3,000 (approx. €811) may be imposed for:

  • managing or possessing a database used for direct mail services without designation of such use in the database registration;
  • managing or possessing a database used for direct mail services without properly notifying data subjects or responding to requests for removal;
  • failing to deliver information or delivering false information in a notice soliciting information that will be included or used in a database;
  • failing to comply with data subjects' inspection rights;
  • granting access to a database to a legal person not authorised under a written agreement between the database holder and database owner; and
  • failing to appoint an ISO for databases which are so required by law.

An administrative fine of ILS 5,000 (approx. €1,351.84) may be imposed for using information from a database for purposes differing from those for which the database was registered.

A five-fold fine for every type of breach listed above must be imposed on a corporation. For continuing breaches, one-tenth of the fine can be imposed for each day of such continuance of the breach after a warning of the breach has been served.

Those found to have committed the aforementioned types of breaches may be charged with criminal liability and subjected to a one-year term of imprisonment. These are strict liability offences, as neither criminal intent nor negligence need to be proven.

Those found to be in breach may be subjected to five years imprisonment for disclosing data obtained by virtue of their position as an employee, manager, or holder of a database, except for disclosure for the purposes of performing one's duties, compliance with the Privacy Law, or under a court order in connection with legal proceedings. Violations of general privacy obligations (i.e., not specifically related to databases), such as publishing or handing over information that was obtained through breach of certain provisions of the Privacy Law or publishing of a matter that relates to a data subject's intimate life or state of health, may entail five years imprisonment provided that such violations were conducted with malicious intent (a relatively high standard under Israeli criminal law).

A breach of privacy is actionable as a civil wrong pursuant to the Privacy Law, and a claimant may obtain monetary compensation or injunctive relief. A court may award damages amounting to ILS 50,000 (approx. €13,519) without proof of damages for breach of privacy rights, and if such breach was intentional the damages may be doubled. Such statutory damages apply only to individual claims and cannot be the basis for class-action damages. In addition to providing that a breach of privacy is actionable as a civil wrong, the Privacy Law also specifies that an act or omission in breach of certain of its provisions may give rise to a tortious claim under the Torts Ordinance 2009 (New Version). This provision was added in order to ensure that even omissions, such as a failure to ensure data security, would also be actionable as a civil wrong. As a civil wrong, in certain cases such as business-consumer relationships, a violation of privacy could be actionable as a class action under the Israeli Class Action Law, 2006 (only available in Hebrew here).

No civil or criminal action may be brought for breaches that cause no substantive harm. In addition, the Privacy Law provides the following defences from liability:

  • the violation of privacy was done through a protected publication under the Israeli Libel Law, 1965 (only available in Hebrew here);
  • the infringing party performed the violation in good faith under one of the following circumstances:
    • it did not know and was not supposed to know about the potential violation;
    • it was committed in circumstances under which the infringer has a legal, moral, social, or professional duty to do so;
    • it was committed in order to protect a legitimate interest of the infringer;
    • it was committed in the lawful ordinary course of business of the infringer and was not publicly disclosed; or
    • it was committed through the photography or publication of photographs taken in public places in which the plaintiff appeared incidentally; or
  • there was a public interest justifying the violation, and if it was performed by publication, the publication was truthful.

9.1. Enforcement decisions

Notable cases of enforcement by the PPA:

  • The PPA investigated and determined that two political parties and a service provider of those parties breached the Privacy Law as a result of a security incident that caused data concerning 6.5 million Israelis eligible to vote in the elections to be publicly available online. The PPA explained that the political parties, as database owners, are responsible for compliance with the Privacy Law both by the parties themselves and by their service provider, a database holder. The PPA suspended the service provider's operation until it had corrected the PPA's findings and implemented appropriate measures to protect the personal data and sensitive data in its possession.
  • The PPA, together with the police, investigated private investigators following complaints by data subjects regarding unauthorised access to personal data about them held by insurance companies. The private investigators obtained certain personal data about the data subjects fraudulently and then used it to impersonate the data subjects and obtain sensitive data from the insurance companies. The investigation file was transferred to the prosecution for its review and determination.
  • The PPA investigated a credit card company and determined that it breached the Data Security Regulations as a result of a security incident where an employee of the company stole a smartphone to which the company's customers sent all sorts of required documents via WhatsApp. In the aftermath, the company stopped the practice of using WhatsApp to send documents. The PPA determined that the company breached the Data Security Regulations by, inter alia, not limiting physical access to the smartphone and not using a password or fingerprint to limit technical access to the smartphone.