The Israeli Ministry of Justice (“MoJ”) has published a bill memorandum covering a series of proposed amendments to the Israeli Protection of Privacy Law (the “Law”). If enacted, this would be the most comprehensive amendment to the Law since 1996. The bill seeks to amend the definitions of the Law’s key terms, thereby expanding the scope of the Law, and to downscale the antiquated obligation to register databases. These are two significant and far-reaching amendments. The bill also seeks to grant draconian enforcement powers to the Protection of Privacy Authority (“PPA”). These amendments are bound to impact every organization in Israel.
Amendments to the Statute’s Definitions
These amendments aim to modernize the Law and to adjust its terms to follow the blueprint of the EU GDPR. The new definitions would expand the scope of the Law, but also limit the applicability of the database registration obligation. Here are the most prominent amendments:
Personal Information. The current definition of Personal Information only covers certain types of personal information, such as information about one’s personality, familial status, medical condition, and financial condition. The amendment proposes to define Personal Information as “any information about an individual, who is directly or indirectly identified or identifiable by reasonable measures”. If enacted, the definition of Personal Information would also encompass IP addresses and other technological identifiers, which modern legal frameworks have treated as personal information for over a decade.
Especially Sensitive Information. This cumbersome definition would replace the definition of “Sensitive Information” in the current Law. It parallels the concept of “Special Categories of Data” in the GDPR. Among the types of information included in this definition are genetic information, biometric identifiers, and criminal records (items not covered by the current Law), as well as information about financial assets and consumption. The holders of databases with especially sensitive information will be obligated to register their databases, provided a few other conditions are satisfied.
Holder. This new definition would surprisingly diverge from the GDPR’s definition of “Processor”. It would encompass anyone with “authorization to use the information stored in the database to provide services” to the database owner (i.e., the controller). “Holding” is therefore not characterized by the physical possession of a database, but rather by having permission to access the database. Consequently, service providers will be considered “Holders” and will be subject to all the statutory obligations applicable to Holders, primarily data security obligations.
Additionally, semantic changes would rename the existing Law’s “Database Owner” to a “Database Controller”, echoing the GDPR’s notion of “Controller”; the “Registrar of Databases” would be renamed the “Commissioner of Protection of Privacy” (or, in short, the “Commissioner”).
Limitations to Databases Registration Obligation?
The current Law includes an antiquated obligation to register databases, which no longer exists in other modern data protection legislation. This obligation, perhaps appropriate in the 1980s when there were only about 1,500 databases in Israel, is no longer appropriate for the third decade of the 21st century. Even key public authorities – including the MoJ and the PPA themselves – conceded that the registration obligation’s contribution to the protection of privacy is minimal at best.
The bill’s explanatory notes declaratively aim to downscale the scope of this obligation. The bill proposes that databases will only be subject to mandatory registration if they include information about 100,000 individuals or more that was not collected directly from the data subjects, on their behalf, or with their consent; or if the databases are owned by a public authority; or if their main objective is to deliver the information to others (such as data brokers or direct marketing services provided to marketers). In addition, databases will be subject to mandatory registration if they include especially sensitive information about 500,000 individuals or more.
This definition is purportedly narrower than the one in the existing Law. However, the bill endlessly expands the definition of “Personal Information”, thereby also expanding the definition of “Database”, and in turn, the scope of the databases subject to mandatory registration.
Additionally, the bill proposes a new obligation to notify the Commissioner about databases that include especially sensitive information about 100,000 individuals or more. The current Law does not include such a notification obligation. Similar obligations in EU laws were dropped with the enactment of the GDPR, when they turned out to be only negligibly beneficial on the one hand while imposing heavy administrative burdens on the other.
Other Substantial Amendments
The following amendments were not published for public comments in the bill memorandum, and it appears that their possible implications were not fully considered.
Lawful Management. Managing or holding a database whose information was created, received, accumulated, or collected in violation of the Law or any other legal provision would be prohibited. This would introduce a severe limitation on processing information. While this may seem consistent with the GDPR’s six legal bases for processing, it does not, in our view, conform with Israeli law, which presently recognizes only two legal bases: a data subject’s consent or the delivery of a processing notice to the data subject.
Limitation on Use. The current Law recognizes the principle of purpose-limitation. This principle bans the use of “knowledge” about an individual’s private affairs for any purpose other than the purpose for which it was collected. Courts have interpreted this principle broadly to also apply to completely trivial information about an individual.
The bill endlessly expands the scope of this principle. It not only forbids database owners and holders from using “information” for different purposes but also extends this prohibition to “knowledge about an individual’s private affairs”, and goes so far as to prohibit owners and holders from allowing others to do so as well.
Going even further than that, the bill prohibits individuals from using or holding such information or knowledge without the permission of the database owner. This provision has far-reaching implications, which were not clarified in the bill memorandum.
For example – academic researchers may not be able to rely on personal information obtained from social media; search engine operators will need to ponder whether they are allowed to retrieve information from websites; artificial intelligence software developers may be banned from using publicly available personal information for the training of their software; organizations that regularly search personal information for risk management purposes will have to verify that the sources of the information are permissible, etc. Most surprising of all is the fact that this amendment implies that the MoJ recognizes a proprietary right of database owners over the information they possess, a concept that completely contradicts the modern view of personal information as the property of the data subject.
The PPA has been complaining for years about the lack of enforcement powers. The Israeli government twice tried to grant the PPA greater enforcement powers but failed on both occasions. In 2011, the proposed 12th amendment to the Protection of Privacy Law was published. After no legislative progress was made, it was republished as the 13th amendment to the Protection of Privacy Law in 2018 and failed to advance yet again. These two earlier amendments have now been combined to form the current proposed amendment, without substantial changes.
The proposed bill includes extensive enforcement arrangements, spreading across numerous pages, without any apparent equivalent in Israeli law. They include the following –
- Expansion of the PPA’s investigative and supervisory powers. These include, among others, the power of PPA’s investigators to investigate offenses, seize materials where there is a reason to believe they relate to an offense, detain a person for investigative purposes, and more. In this context, PPA investigators will, de facto, be able to largely replace the police.
- Exempting security agencies from the PPA’s investigative and supervisory powers. These agencies will instead be required to appoint internal privacy supervisors.
- Imposition of fines in increasing amounts, relative to the number of data subjects whose information is stored in the database. The baseline fine is NIS 800,000 (approximately US $250,000), which can be multiplied up to four (!) times. In case of a continuing offense, 2% of the sum will be added each day. In case of a repeated offense, this sum will be doubled.
- The reasons for imposing sanctions include, among others, violation of any of the following: the database registration obligation, the obligation to notify of changes in the database’s characteristics, the data subject’s right to review their information, and the obligation to manage access permissions to the database. The fines are especially high for infringements of the new provisions regarding use-limitation, despite these provisions’ inherent issues.
- Denial of the Commissioner’s authority to decrease the fine, unless the Minister of Justice establishes criteria under which the Commissioner may do so.
- The Commissioner, with the approval of the Attorney General, can specify criteria to engage in the following –
  - Issue an administrative alert before, or instead of, imposing monetary sanctions. If the Commissioner elects to issue an alert instead of a fine, and the organization repeatedly infringes the same provision, the Commissioner may regard this as a repeated offense and impose a doubled fine.
  - Allow the infringing organization to sign an undertaking and post a bond, instead of paying the fine.
The Protection of Privacy Bill (Amendment no. 14), 5772-2021, is broad and comprehensive. We could only review a few of its provisions and the questions it raises. Particularly notable is the absence of substantial amendments on issues at the heart of modern privacy legislation – from privacy by design to broader data subjects’ rights, from privacy impact assessments to the appointment of data protection officers. For years, the MoJ has declared that it is working on substantial changes to the Law, but they have yet to be proposed, let alone in this bill.
In a discussion held at the Knesset’s Constitution, Law and Justice Committee (the “Committee”) on November 8th, 2021, Member of the Knesset and head of the Committee, Gilad Kariv, pledged that privacy will be one of the main issues on the Committee’s 2022 agenda. In light of this, it is reasonable to assume that the Committee will advance the bill – subject to the political upheavals in Israel, of course. We doubt that the ultimately enacted bill will be the same as presented in the bill memorandum, but every organization in Israel must be aware of the bill’s possible implications.