DLA Piper Intelligence

Data Protection
Laws of the World

Law

Israel
Israel

The laws that govern the right to privacy in Israel are the Basic Law: Human Dignity and Liberty, 5752 - 1992; the Protection of Privacy Law, 5741-1981 and the regulations promulgated thereunder (the 'PPL') and the guidelines of ILITA (as defined below).

Last modified 25 Jan 2017
Law
Israel

The laws that govern the right to privacy in Israel are the Basic Law: Human Dignity and Liberty, 5752 - 1992; the Protection of Privacy Law, 5741-1981 and the regulations promulgated thereunder (the 'PPL') and the guidelines of ILITA (as defined below).

Last modified 25 Jan 2017
Definitions

Definition of Personal Data

Personal Data, as defined under the PPL, means: data regarding the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person.

Definition of Sensitive Personal Data

Sensitive Data, as defined under the PPL, means: data on the personality, intimate affairs, state of health, economic position, opinions and beliefs of a person; and other information if designated as such by the Minister of Justice with the approval of the Constitution, Law and Justice Committee of the Knesset. No such determination has been made to date.

Last modified 25 Jan 2017
Authority

The Israeli Law, Information and Technology Authority ("ILITA"), established in September 2006, as determined by Israel's Government decision no. 4660, dated 19.01.2006.

Last modified 25 Jan 2017
Registration

Subject to certain exceptions, database registration is required to the extent one of the following conditions are met:

  • the database contains information in respect of more than 10,000 data subjects
  • the database contains sensitive information
  • the database includes information on persons, and the information was not provided by them, on their behalf or with their consent
  • the database belongs to a public entity, or
  • the database is used for direct-marketing services.

A database is defined under the PPL as a collection of data, stored by magnetic or optic means and intended for computer processing, consequently excluding non-computerized collections.

In 2005, the Ministry of Justice set up a committee generally known as the 'Schoffman Committee' which recommended relaxing registration of ‘ordinary’ databases and focusing on specific categories of information (eg medical data, criminal records or information about a person’s political or religious beliefs). However, to date, the Schoffman Committee recommendations have not crystallized into binding legislation.

Last modified 25 Jan 2017
Data Protection Officers

Appointment of a Data Protection Officer is required by an entity meeting one of the following conditions:

  • a possessor of five databases that require registration
  • a public body as defined in section 23 to the POPL, or
  • a bank, an insurance company or a company engaging in rating or evaluating credit.

Failure to nominate a Data Protection Officer when required to do so may result in criminal sanctions, including administrative fines. The PPL does not require that the Data Protection Officer should be an Israeli citizen or resident.  

Last modified 25 Jan 2017
Collection & Processing

The collection, processing or use of personal data is permitted subject to obtaining the informed consent of the data subjects. Such consent should adhere to purpose, proportionality and transparency limitations. As such, consent should be obtained for specific purposes of use, the processing and use of personal data should be proportionate to those purposes, and data subjects should have the right to inspect and correct their personal information. The data subject's consent must be re-obtained for any change in the purpose of use.

Any request for consent from a data subject to have his or her personal data stored and used within a database must be accompanied by a notice indicating:

  • whether there is a legal requirement to provide the information
  • the purpose for which the information is requested
  • the recipients of the data, and
  • the purpose(s) of use of the data.

Retaining outsourcing services for the processing of personally identifiable information is subject to the ILITA's Guidelines on the Use of Outsourcing Services of Processing Personal Information (Guideline 2 2011) dated 10 June 2012 ('Outsourcing Guidelines'). The Outsourcing Guidelines include, inter alia, factors to be taken into consideration when deciding to use outsourcing services, specific provisions to be included within the data transfer agreement and data security requirements. Processing of personally identifiable information in certain sectors is subject to additional outsourcing requirements.

Entities subject to separate outsourcing guidelines are for example entities supervised by the Commissioner of the Capital Market, Insurance and Savings and entities supervised by the Banking Supervision Department of the Bank of Israel. On 10 September 2014, the Banking Supervision Department of the Bank of Israel issued draft guidelines regarding risk management in cloud computing services used by Israeli banking corporations. Among other various restrictions, the draft guidelines set forth an obligation on supervised entities to receive the approval of the Supervisor of Banks prior to using cloud computing services.

Last modified 25 Jan 2017
Transfer

The transfer of personal data abroad is subject to the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761‑2001, pursuant to which personal data may be transferred abroad only to the extent that:

  • the laws of the country to which the data is transferred ensure a level of protection, no lesser than the level of protection of data provided for by Israeli Law; or

  • one of the following conditions is met:

    • the data subject has consented to the transfer;

    • the consent of the data subject cannot be obtained and the transfer is vital to the protection of his or her health or physical well‑being;

    • the data is transferred to a corporation under the control of the owner of the database from which the data is transferred, provided that such corporation has guaranteed the protection of privacy after the transfer;

    • the data is transferred to an entity bound by an agreement with the database owner, to comply with the conditions governing the use of the data as applicable under Israeli Laws, mutatis mutandis;

    • data was made available to the public or was opened for public inspection by legal authority;

    • transfer of data is vital to public safety or security;

    • the transfer of data is required by Israeli Law; or

    • data is transferred to a database in a country:

      • which is a party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data; or

      • which receives data from Member States of the European Community, under the same terms of acceptance*, or

      • in relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette (Reshumot), that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with that authority.

        * Following the decision of the ECJ in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, ILITA issued a statement on October 15, 2015, according to which US safe harbour certified entities would not fall under the foregoing condition, without derogating from all other conditions.

When transferring personal data abroad, the database owner is required to enter into a data transfer agreement with the data recipient, pursuant to which the recipient undertakes to apply adequate measures to ensure the privacy of the data subjects and guarantees that the data shall not be further transferred to any third party.

The foregoing data transfer agreement must also comply with additional restrictions, to the extent that the recipient provides outsourcing services, as set forth in the Outsourcing Guidelines.

On January 31, 2011, the European Commission, on the basis of Article 25(6) of directive 95/46/EC, determined that the State of Israel ensures an adequate level of protection with regard to automated processing of personal data.

Last modified 25 Jan 2017
Security

The owner, possessor, manager and Data Protection Officer (if applicable) of a database, are each responsible for the data security of the database. ILITA has circulated to the public a draft bill for Protection of Privacy Regulations (Information Security in Databases) 2010 (updated version dated June 3, 2012) imposing detailed data security obligations in respect of databases ('Draft Regulations'). Currently, these are considered best practices; however, if the regulations are passed they will become law

Last modified 25 Jan 2017
Breach Notification

Currently there is no Israeli statute which requires breach notification. However, ILITA's Outsourcing Guidelines refer to the Draft Regulations as a model for drafting a security protocol to be applied on data processing outsourcing agreements. Pursuant to the Draft Regulations, notice of security breaches of databases should be made to both to the database owner and to ILITA.

Last modified 25 Jan 2017
Enforcement

ILITA has the authority and obligation to supervise compliance and enforce the provisions of the PPL and appoint inspectors to carry out those activities.

Breach of the PPL may result in both civil and criminal sanctions, including administrative fines, 1-5 years of imprisonment, and the right to receive statutory damages under civil proceedings without the need to prove actual damages.

The current draft bill for the 12th Amendment of the PPL provides ILITA with the ability to conduct criminal investigations and to impose monetary sanctions in the amount of up to NIS 3.2 million. The draft bill has passed its first reading, but has yet to pass the approval of the Knesset Constitution, Law and Justice Committee; thereafter it would need to also pass the second and third readings, in order to become a binding piece of legislation.

Last modified 25 Jan 2017
Electronic Marketing

Unsolicited marketing is regulated under the Communications Law (Telecommunications and Broadcasting), 1982 (the 'Anti Spam Act'). The Anti Spam Act prohibits, subject to certain exceptions, advertising by means of automated dialing, fax or text messages without first obtaining the recipient's initial opt-in prior consent; all such communications also must contain an opt-out/ unsubscribe option.

Furthermore, the PPL governs the possession and management of databases intended for direct mailing service and imposes restrictions in connection therewith, including a database registration requirement specifying the purpose of direct mailing and specific record-keeping requirements.

Last modified 25 Jan 2017
Online Privacy

The PPL does not specifically address online privacy, cookies and/or location data, all of which are governed by the general restrictions detailed above, including the requirements imposed on processing databases and direct marketing and the consent, purpose and proportionality restrictions.

The PPL governs information "about a person", as such depending upon the circumstances at hand, any non-identifiable and anonymous information (which cannot be re-identified) may reasonably be interpreted as falling outside the confines of the PPL limitations.

Last modified 25 Jan 2017
Contacts
Sharon Aloni
Sharon Aloni
Partner
T +972 (3) 608 9834
Last modified 25 Jan 2017