Israel: Data protection compliance and loyalty schemes: Part 1
The Israeli Privacy Protection Authority ('PPA') has recently published its report[1] ('the Report') on compliance with the Protection of Privacy Law, 5741-1981 ('the Privacy Law') and the Protection of Privacy Regulations (Data Security) 5777-2017 ('the Regulations'). Dan Or-Hof, Founder of Or-Hof Technology and IP law firm, discusses the Report and what it reveals about the state of compliance concerning privacy and data protection.
While the review behind the Report covered various parts of the Israeli economy, the Report only contains findings on loyalty schemes.
Two important deficiencies that the Report highlights:
- local entities and branches of international corporations rely on the privacy and information security practices of their corporate headquarters. They do not implement appropriate controls and measures under Israeli privacy laws; and
- fewer than 50% of the inspected entities secure data adequately.
Over the 2018-2019 period, the PPA conducted a sweeping review on the state of privacy compliance in Israel in relation to the following parameters:
- data protection governance;
- database management;
- information security; and
- outsourcing.
The PPA review is commendable and has raised awareness of privacy and information security compliance. However, as the PPA lacks sufficient enforcement powers and resources, Israeli businesses have yet to achieve adequate compliance levels.
In the framework of the review, sectors inspected were, for example, mental health clinics, educational online platforms for children and educational institutions, data storage services, tourism, non-profit organisations, trade unions, and loyalty schemes.
Of all the sectors inspected, the PPA marked loyalty schemes as one of its most significant regulatory targets. The reason for this lies in the unique characteristics of loyalty schemes in terms of privacy protection. Loyalty schemes control or process large amounts of sensitive identifiable information about customers, including their consumption habits. They also share such information with third parties and interact with their clientele, either directly or through outsourcing services.
These unique characteristics require loyalty schemes to adhere to strict provisions under the law in relation to all parameters of the compliance review, namely, data protection governance, database management, information security, and outsourcing.
In that sense, though the Report only refers to loyalty schemes, it can shed light on the general state of privacy compliance in Israel.
For the purposes of the compliance review, the PPA set the following compliance scale:
- high level of compliance (80% to 100%);
- medium level of compliance (50% to 80%); and
- low level of compliance (less than 50%).
In accordance with the above scale, the parameters are reviewed below, starting from the lowest scoring.
Outsourcing
Out of all the examined parameters, outsourcing was found to have scored the lowest in relation to compliance. According to the Report, 68% of inspected entities have a low and inadequate level of compliance with outsourcing rules. Another 14% have a medium level of compliance, and only 18% comply with the rules satisfactorily.
Deficiencies in relation to outsourcing
The main deficiency concerns the processing of personal information by third parties where the inspected entities had not taken sufficient steps in advance to assess the level of risk to which data subjects might be exposed.
Therefore, the Report suggests that:
- inspected entities that use the services of third parties for processing data must examine the information security risks involved in such engagements beforehand;
- inspected entities must execute a contract with third-party outsourcing service providers that includes all provisions of Article 15(a)(2) of the Regulations. These include the outsourcing service provider's obligation to report to the database owner, at least once a year, on the service provider's performance under the Regulations and the agreement, and to notify the database owner when a security event occurs; and
- inspected entities must implement appropriate controls and supervision measures to ensure that the outsourcing service provider processes personal data in accordance with the Regulations and the agreement.
Data protection governance
According to the Report, 35% of inspected entities have a low and inadequate level of compliance with data protection governance rules. Another 20% have a medium level of compliance, and 45% comply in a satisfactory manner.
Deficiencies in relation to data protection governance
The Report found that:
- database managers were not appointed as required;
- database documents were not created and managed;
- roles and responsibilities were assigned to a specific officer in a manner that may give rise to a conflict of interest;
- there is a lack of control and supervision by the representatives or Israeli branches of international entities over privacy and information security procedures concerning loyalty schemes, and a lack of alignment of such procedures with the law; and
- procedures and employee training material which should address privacy protection only referred to information security.
Surprisingly, the PPA mentioned the obligation to register databases, although this requirement under the Privacy Law is not enforced in practice, and the large majority of database owners in Israel fail to register their databases. The PPA has indicated that database owners should register their databases and make sure that the identity of the registered database managers reflects the identity of the actual managers.
Information security
According to the Report, 20% of inspected entities maintain a low and inadequate level of compliance with information security rules. Another 32% have a medium level of compliance, and only 48% comply in a satisfactory manner.
Deficiencies in relation to information security
The Report found:
- deficiencies in managing authorised access to databases;
- a lack of restrictions on the use of portable devices and a lack of proper encryption; and
- entities certified to the ISO 27001 information security management standard that had mistakenly considered themselves exempt from the Regulations and inspection procedures.
In response, the PPA suggested that:
- businesses ensure that there are access authorisation mechanisms in accordance with Articles 8 and 9(a) of the Regulations;
- businesses manage portable devices properly, including by restricting access to databases through these devices, implementing appropriate security measures, and using adequate encryption methods;
- entities with ISO 27001 certification follow the PPA Directive 3/2018 and comply with the requirements under the applicable laws, in addition to their ISO 27001 certification procedures and controls;
- entities ensure that they have in place the necessary information security measures and controls, and that all matters listed under Article 4 of the Regulations are maintained and reviewed periodically; and
- entities provide information security and privacy training for every new employee and on an annual basis for all employees.
Notably, the Regulations require database owners to conduct privacy training once every other year, not annually. Additionally, this requirement applies only to database owners subject to the medium and high security levels under the Regulations; database owners whose databases are subject to the basic security level are exempt. It would appear that the PPA has mistakenly broadened this requirement.
Database management
According to the Report, 20% of inspected entities have a low and inadequate level of compliance with database management rules. Another 23% maintain a medium level of compliance, and 57% comply in a satisfactory manner.
Deficiencies in relation to database management
The Report found the following:
- deficiencies in defining the databases and their purposes;
- lack of transparency regarding lawful grounds for collecting personal information;
- lack of proper notices in direct mailing activities; and
- data subjects are not informed of their right to request access to their personal data. Notably, the law provides data subjects with a right of access to, and rectification of, their personal data. However, database owners are not required to inform data subjects of this right. It would appear that the PPA guidance on this matter is not aligned with the provisions of the Privacy Law.
The PPA guidelines suggest:
- mapping all existing databases, and, accordingly, registering unregistered databases or updating existing registrations with the PPA Registrar of Databases;
- ensuring that registered details of databases include the purposes of managing the loyalty schemes and details relating to direct mailing and to the provision of direct mailing services, as applicable; and
- informing and allowing data subjects to exercise their right of access and rectification.
At the conclusion of each review, the PPA required each inspected entity to specify, in writing and signed by an executive officer, its commitments to remedying all deficiencies identified in the review.
Undoubtedly, the PPA's review has successfully spurred many businesses into conducting comprehensive self-assessments, resulting in a considerable improvement in privacy and information security compliance. The PPA will consider examining the relative level of compliance of other loyalty schemes in the future.
Dan Or-Hof, CIPP/E, CIPP/US, Founder
Or-Hof Technology and IP law firm, Tel Aviv
[1] Available, only in Hebrew, at: https://www.gov.il/BlobFolder/news/customer_clubs_privacy/he/%D7%93%D7%95%D7%97%20%D7%A4%D7%99%D7%A7%D7%95%D7%97%20%D7%A8%D7%95%D7%97%D7%91%20-%20%D7%9E%D7%95%D7%A2%D7%93%D7%95%D7%A0%D7%99%20%D7%9C%D7%A7%D7%95%D7%97%D7%95%D7%AA.pdf