Written by Haim Ravia and Dotan Hammer
The Israeli governmental committee for legislation voted to continue the legislation of Amendment number 14 of the Privacy Protection Law, which was introduced in January 2022 and had passed the first reading at the Knesset (the Israeli parliament). The committee’s decision allows the Knesset to continue deliberations on the bill from the point they were discontinued when the previous Knesset was dissolved for early elections. The bill can now continue through the legislative process in preparation for its second and third (final) reading. The bill proposes, among other things, an expansion of enforcement powers vested with the Privacy Protection Authority, an update to key definitions in the law, and a downscaled obligation to register databases.
The Knesset’s Constitution, Law, and Justice Committee also approved new regulations that attach novel and burdensome obligations and enhanced data subject rights specifically to personal data received from the European Economic Area. The Privacy Protection Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 2023, were adopted to support the efforts of the EU Commission’s recognition of Israel as an adequate country whose level of protection of personal data is equivalent to that in the Union. If Israel’s adequacy status is renewed, Israeli organizations can continue to receive personal data from the EEA almost seamlessly.
Privacy experts severely criticized the draft regulations as early as July, explaining that the proposed regulations favor data subjects from the EU over Israelis, which result in an outrageously discriminatory outcome. The experts indicated that the enhanced data subject rights should apply to all data subjects, regardless of their location. In response, the Knesset’s Constitution, Law, and Justice Committee expanded the applicability of the regulations so that they apply to any other personal data stored in the same database that has personal data which originates from the EEA.
Most obligations under the new regulations are not recognized in the existing Israeli privacy law. These include data deletion obligations, data minimization requirements, data accuracy procedures, and a duty to provide a privacy notice in a greater scope than currently codified in the Israeli privacy law. The new regulations also expand the law’s definition of “sensitive information” which will now also include information about a person’s ethnic origin and trade union membership.
The regulations will take effect within three months from the date of their publication regarding personal data received from that date onward. Personal data transferred at an earlier date will be given a longer grace period, possibly as far as January 1, 2025.
Click here to read the bill (in Hebrew).
Click here to read the draft of the Privacy Protection Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 2023 (in Hebrew).