Written by: Haim Ravia, Dotan Hammer
Israel’s Privacy Protection Authority (PPA) has released draft guidance on the application of the Privacy Protection Law to artificial intelligence (AI) applications. The draft primarily clarifies how privacy law applies throughout the development and use of AI systems, as well as to the data they generate.
The draft sets out several key compliance expectations. It requires organizations to disclose to individuals that they are interacting with AI. Such notification must include what data is being processed in the interaction and how it is processed. Organizations are also expected to adopt a strong accountability framework by implementing Privacy-by-Design principles, appointing designated privacy officers for AI matters, conducting Privacy Impact Assessments (DPIAs), and establishing internal policies for generative AI use.
The guidance goes on to expand on AI’s possible impact on data protection, mentioning the risk of “inference attacks,” in which personal data is extracted from the trained database. Organizations must monitor and report such incidents. The guidance also affirms that data subject rights under the law apply to AI-generated personal data, including the right to correct inaccurate information. This may potentially lead to the PPA requiring algorithmic adjustments to ensure accuracy.
Finally, the guidance limits the use of publicly available personal data for training AI models, allowing it only where implied consent exists under clearly defined conditions.
Some aspects of the draft guidance raise feasibility questions, such as the possibility that AI developers will be required to implement a “data deletion” feature in the training process when a data subject withdraws their consent to have their data used for training.
The draft is open for public comments until June 5, 2025. Once finalized, this will serve as Israel’s first authoritative framework for AI-related privacy compliance.
Click here to read the draft guidance (in Hebrew).
