One Law for the State – Another for Startups

The well-known French saying “noblesse oblige” indicates that nobility obliges. Israel loves to be a “start-up nation”. It is therefore expectable that the Israeli domestic law be in line with a state that boasts its encouragement of business creativity and innovation. But it is not. When it comes to technology, the substantive law in Israel is often outdated. Even worse, when you examine one aspect of the law, the protection of privacy, you find that not only does the law fail to meet the demands of digital era, but that the government extends itself more and more liberties while, at best, ignoring the business sector, and at worst, restricts it even more.

Privacy is a constitutional right in the Israeli legal system. It is enshrined in the Basic Law of Human Dignity and Liberty. The Supreme Court has time and time again acknowledged the importance of the right to privacy as a human right, and has named it as “one of the most important of rights”. Even before the right to privacy was elevated to its constitutional status, the Protection of Privacy Law was enacted in 1981. The law provides that a violation of privacy is a civil tort, and if committed intentionally – a criminal offense.

Innovative then, outdated now

Ever since the Protection of Privacy Law was enacted, profound changes have evolved in the way companies and organization use information and conduct their businesses based on it, eventually leading to the coined expression “Information Economics”. Waze was not sold to Google for more than one billion dollars because of its cool navigation program, and not even because of its impressive user count which, at the time of the acquisition, aggregated 50 million people. What largely determined its value were the transportation habits of those tens of millions that made extraordinarily precise information available to its disposal. 

 Any individual would confirm, without hesitation, that their whereabouts is a question that lies at the core of the right to privacy. However, the whereabouts of a person is not “information” as defined by the Protection of Privacy Law. An individual’s biometric data, which facilitates personal identification sometimes even without the individual’s knowledge, is also not considered “information” under the Protection of Privacy Law. What about conclusions that can be drawn about a person from big data or by cross-referencing statistical information with trivial personal details? Here too, the 1981 law is silent. Lawyers love this ambiguity, but businesses are in need of certainty and are tired of it. Nobody wants to spend money on a legal opinion before launching their information-based business. 

The outdated law deserves credit for having been groundbreaking and innovative at the time. But times quickly change: no one knew, for example, in the beginning of the 1980’s that multinational companies such as Google or Facebook would process detailed and intimate information about Israeli citizens. How our information will be used in the next decade and what conclusions will be drawn from it by then – no one knows.

It’s Convenient for the Government

One might expect the Ministry of Justice to overhaul the Protection of Privacy Law. In fact, Europe is doing so these very days but not Israel. The reason, according to some, is the lack of sufficient resources. My opinion is more conspiratorial: the present situation is very convenient for the Israeli government just the way it is. The government can always enact laws that satisfy its own needs, and stop there. It allegedly does so in the name of pressing interests, be it national security or market competition. There are many examples from recent years. Here are just a few:

 In 2010, the Israeli Supreme Court held that the Israeli law lacks any legal mechanism allowing a private individual who was the subject of defaming content posted online, to request the disclosure of the Internet user’s identity who posted the defaming content [Moore v. Barak 4447/07], so that he or she may take legal action against the defamer. The Court called on the Israeli legislature to amend the law to permit such disclosures. It took more than two years before the government proposed a bill. No legislative action was taken since then. The bill was abandoned. A private individual who believes has been prejudiced by an anonymous Internet user, cannot take legal action against the anonymous user. The government, on the other hand, has no such problem. The Israeli police can, if it wishes, petition a magistrate judge to order internet service providers and websites to disclose information about the IP address of any alleged wrongdoer, and their identity will be revealed.

Detriment to National Interests

The Israeli Criminal Procedure Law (Enforcement Authorities – Communication Data), also known as the “Big Brother” law, allows the government to obtain countless details about traffic data relating to individuals: names and addresses, details of payment method, types of text messages sent, where they were when they sent the message, when they sent it and so on. Add in the aged Wiretap law and it becomes clear that the government can obtain any information it deems necessary on each and every one of us. An individual, on the other hand, cannot obtain such data lawfully, and certainly not as easily and without incurring significant legal expenses, even if such information is indispensable to proving his or her case in a civil lawsuit.

 The government insists on implementing the “Biometric Database Law”. The law authorizes the government to collect and maintain digital fingerprints and biometric facial images of all Israeli citizens and use them for various purposes. The government insists on doing so despite the severe damage to national interests entailed in the law: if it were not for the establishment of the biometric database, Israelis would have long ago had smart ID cards which are harder to forge. 

Once the government realized that its interests can be fulfilled, and that time and time again it succeeds in curtailing the privacy of its citizens, it attempted to enact an invasive legislation motivated by its economic interests: the looming Credit Data bill, on the verge of being enacted these very days, will allow the Bank of Israel (Israel’s central bank) to establish a central database containing the credit history of all Israeli citizens. Information will be collected against the citizens’ will. In stark contrast to fundamental principles that require prior consent to such a severe violation of an individual’s privacy, an opt-out to be removed from the database will be available to those interested only in retrospect.

Sever Information Leaks

The Intensifying Tax Collection and Enhancing Enforcement Bill (Legislative Amendments), the government attempted, more than ever, to compel banks and financial institutions to provide the Israeli Tax Authority with ongoing information of business and private bank accounts. For the time being, the bill was dismissed by the Constitution, Law and Justice Committee at the Israeli parliament, due to its disproportionate invasion of privacy. We are yet to see what happens when disciplined voting is invoked by government’s coalition toward passing the bill into law… 

On the other hand, when business corporations or startups seek to make innovative use of information, they encounter a specific provision of the Protection of Privacy Law that precludes any latitude. This is section 2(9) of the Protection of Privacy Law, which proscribes using information about an individual’s private affairs for purposes other than those for which such information was given. Courts have interpreted this clause very broadly. As time elapses, and the Protection of Privacy Law ages, the clause has been given honorary status by the Registrar of Databases’ enforcement operations as well as in case law. It was even given a name - “the purpose-limitation principle”. The principle is considered today a fundamental principle in the protection of privacy. Legally speaking, the principle is captivating: it reflects the individual’s autonomy and control over his or her own information. From a practical and business perspective, the provision is ambiguous and unpredictable. For example, it is unclear what uses and purposes an individual consented to when publishing a public profile on a social network. Moreover, there is no telling what conclusions a corporation will draw about an individual when processing Big Data, and whether such individual can give his or her prior informed consent to such unknown uses of his or her personal information.

Bottom line: The government has numerous interests, and it doesn’t hesitate to override privacy rights in their name. It is no accident that the most severe data breaches in Israel were from government databases – from the Population Registry, to the Child Adoption Registry (!) which were sold to all interested buyers, all the way through data derived from the Tax Authority or Social Security computer systems. Corporations have one and only interest – to maximize profits. On the road to achieving their goal, they develop innovative technologies that make Israel what it loves to be, a Startup Nation. The law must therefore be adjusted to suit the needs of the Israeli business sector.