Data Protected - Israel

Contributed by Tene & Associates

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

Privacy is a constitutional right under Article 7 of Basic Law: Human Dignity and Liberty.

In addition, the Privacy Protection Act, 5741-1981 (“PPA”), contains specific privacy legislation. Chapter B of the PPA deals with data protection.

Entry into force

The PPA entered into force in 1981.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Privacy Protection Authority (the “Authority”)
125 Begin Road
P.O. Box 7360
Tel Aviv 61072

https://www.gov.il/he/Departments/the_privacy_protection_authority

The Authority was formerly the Israeli Law, Information and Technology Authority (ILITA).

Notification or registration scheme and timing

Under the PPA, a “database” must be registered with the Database Registrar, a unit of the Authority, if it contains: (i) data concerning more than 10,000 data subjects; (ii) sensitive information; (iii) data which has been collected from third parties; (iv) data used for direct marketing services; or (v) data in a public sector database. The term “database” refers to a collection of data processed by computer but excludes information consisting solely of basic contact details if such details are not in themselves likely to infringe an individual’s privacy. 

The registration system is based on registration of databases, as opposed to controllers. Hence, if a controller has several databases, such as human resources, customer data, and suppliers, it must register each database separately. In 2014, the Authority amended the database registration procedures, requiring the filing of a far more detailed application form than before, specifying, amongst other things, the methods and sources of data collection and the types of data in a database. In 2017, the Israeli parliament approved a regulatory amendment cancelling database registration fees, including maintenance fees.

There is no requirement to obtain authorisation from the Database Registrar.

Exemptions to notification

Only databases meeting the conditions set out above must be registered. However, given the broad definition of the term “sensitive data”, most businesses are required to register at least one database.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

There is no provision on applicable law in the PPA, so the territorial scope of the statute needs to be determined according to general principles of choice of law. It is likely that the PPA will apply to: (i) controllers based in Israel; (ii) data processing operations in Israel; and (iii) the processing of personal data with respect to Israeli citizens, regardless of where such processing takes place.

Is there a concept of a controller and a processor?

The PPA uses the term “database owner”, which is not defined in the PPA but is generally considered to be equivalent to the concept of controller.

The PPA also uses the term “possessor” of a database which means “a person who has a database in his possession permanently and is permitted to use it”. This is generally considered to be equivalent to the concept of processor.

The distinction between a “database owner” and “possessor”, much like that between controller and processor, is made for the purpose of allocation of responsibility. Most obligations under the PPA, including registration, notice, purpose limitation, access and rectification, security, and right of objection to direct marketing, apply to the “database owner”. In addition, the “database owner” is the party against whom data subjects are entitled to exercise their rights. The “possessor” is subject to only confidentiality and security requirements.

The PPA also uses the term “database manager” to mean “an active manager of a body that owns or possesses a database or a person whom the aforesaid manager authorised for this purpose.”

Are both manual and electronic records subject to data protection legislation?

Chapter B of the PPA only covers electronic databases, not manual ones. This accounts for the EU adequacy decision’s restricted scope (see below). However, personal data in manual records is protected by Chapter A of the PPA, which specifies the principles of purpose limitation, confidentiality, transparency and informed consent.

As a result of this distinction, the European Commission’s approval of Israel as a country providing “adequate protection” for personal data is restricted to: (i) automated international data transfers from the EU; and (ii) non-automated data transfers that are subject to further automated processing in Israel.

Are there any national derogations?

The PPA provides broad exemptions for law enforcement and national security agencies acting within their powers and limited exemptions for certain publications in the press.

_____________________________________________________________________

Personal Data

What is personal data?

The equivalent term to “personal data” is “information”, defined in the PPA as "details concerning an individual's personality, personal status, intimate relations, health condition, financial condition, vocational qualifications, opinions and religious belief".

The Israeli Supreme Court interpreted the term broadly to include information about an identifiable, though unidentified individual, such as an IP address (Civ. App. 4447/07 Rami Mor v. Barak ETC (Sup. Ct., 25 March 2010)); as well as details apparently not covered by the definition, such as a person’s address and telephone number, bank account information and national ID number (Civ. App. 439/88 Database Registrar v. Ventura, 48(3) P.D. 808 (1994)).

The Supreme Court has also considered the standard for effective de-identification of information under the PPA. It decided that if any party holds a key that enables reverse engineering of anonymised information, i.e. can use the key to attribute the information to a specific individual, then that information should be considered personal. (Civ. App. 1697/11 Guttsman Architecture v. Vardi, at 22; cited with approval in Crim. App. 8225/12 Anonymous Company v. Jane Doe (Minor), at 14). This test implies that pseudonymised information is still personal as long as a third party has a key allowing it to re-identify the data.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

The PPA generally requires data subject consent for any processing. Such consent may, however, be implied. In addition, the PPA permits the processing of personal data under a legal obligation.

Additional rules applying to processing personal data are transparency; purpose limitation; data subject access, correction and rectification rights; data security and confidentiality.

In March 2017, the Israeli parliament approved the Privacy Protection Regulations (Data Security), 5777-2017 (the “Security Regulations”), which enter into force on 8 May 2018. While focused on data security, the Security Regulations cross over to the privacy domain with provisions on data minimisation, risk analyses, outsourcing, and more. The Security Regulations include for the first time an obligation to notify security breaches, substantive data minimisation requirements, obligations to appoint an information security officer and obligations to provide privacy and data security training (see below).

The Security Regulations adopt a risk-based approach, applying different rules to databases according to their risk profile. They set up three main risk categories: (i) databases subject to a basic level of security (a residual category under the Security Regulations); (ii) databases subject to an intermediate level of security, including databases containing sensitive categories of data enumerated in the First Addendum to the Security Regulations; and (iii) databases subject to a high level of security, comprising those intermediate-level databases that include information about more than 100,000 data subjects or provide authorised access to more than 100 personnel. In addition, the Security Regulations set forth specific rules for databases maintained by individuals or sole proprietorships.

Over the past five years, the Authority has issued guidance documents and market instructions concerning issues such as: (i) direct marketing and direct marketing services; (ii) subject access rights in audio, video and other digital records; (iii) data processing in the context of outsourcing; (iv) requirements for user authentication when providing remote access to personal data; (v) CCTV; (vi) CCTV in the workplace; (vii) smart cards in public transportation; (viii) employee screening and employment recruitment agencies; and (ix) the allocation of responsibility for databases between health insurers and primary health care providers. In addition, the Authority issued draft instructions concerning data protection in the context of a merger or acquisition and draft guidance concerning privacy in the workplace.

Are there any formalities to obtain consent to process personal data?

Consent means “informed consent, express or implied”. There are no formalities to obtain consent.

Are there any special rules when processing personal data about children?

The Authority issued draft instructions concerning the collection of data from minors.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The term "sensitive information" is defined broadly under the PPA to include "details concerning an individual's personality, intimate relations, health condition, financial condition, opinions and religious belief".

This definition is effectively identical to the definition of “information” except for two categories, “personal status” and “vocational qualifications”, which appear only in the definition of “information”.

Under the Security Regulations, databases containing certain categories of data, effectively considered sensitive, are subject to an intermediate level of security, which is higher than the regulatory default. According to the First Addendum to the Security Regulations, databases subject to an intermediate level of security include databases containing personal information about an individual’s: intimate relations, medical or genetic data, political opinions, religious beliefs, biometric data, financial condition, criminal records, communications metadata, or consumer habits that may reveal any of the categories specified above. Databases subject to a high level of security comprise databases subject to an intermediate level of security that include personal information about more than 100,000 data subjects or provide authorised access to more than 100 personnel.

Are there additional rules for processing sensitive personal data?

Any database containing “sensitive information” is subject to mandatory registration under the PPA.

The Security Regulations are risk based and modular. Stricter security requirements apply under the Security Regulations to databases subject to an intermediate or high level of security, which are defined in relation to the sensitivity of data, as specified above.

Are there additional rules for processing information about criminal offences?

Under the Security Regulations, information about criminal offences is considered sensitive. In addition, under the Criminal Records and Rehabilitation Act, 1981, criminal records constitute confidential information, access to which is permitted to only a short list of government agencies. Specifically, under this law, and subject to criminal sanctions, employers are prohibited from asking job applicants to provide their criminal record.

Are there any formalities to obtain consent to process sensitive personal data?

Consent means “informed consent, express or implied”. There are no formalities to obtain consent.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no requirement to appoint a data protection officer. However, each database must have a “database manager”, who by default is the company’s CEO, unless he/she appoints an officer for that role.

In addition, under the PPA, public sector entities, financial sector entities, and companies holding five or more databases subject to mandatory registration must appoint a chief information security officer (CISO).

While not requiring organisations to appoint a chief information security officer (“CISO”), the Security Regulations provide that if an organisation appoints a CISO, whether under the PPA or voluntarily, the CISO must report directly to senior management, be independent and free of conflicts, and be sufficiently resourced.

What are the duties of a data protection officer?

The PPA specifies that data security and database registration obligations apply to the database manager in addition to the database owner. The obligations in the Security Regulations also apply to the database manager in addition to the database owner.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under the Security Regulations, organisations must conduct dataflow mapping, risk analyses, audits, employee training and similar measures.

Are privacy impact assessments mandatory?

There are no obligations to conduct privacy impact assessments but there is an obligation under the Security Regulations to conduct periodic data security risk assessments, including penetration testing.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Collection of personal data from a data subject must be accompanied by notice indicating: (i) whether delivery of the information by the data subject is voluntary or subject to a legal obligation; (ii) the purposes for which the information is collected; and (iii) any prospective transferees and the purposes of such transfer.

In addition, the data subject’s consent must be “informed” and this has been interpreted by the courts to mean data subjects must have all relevant information concerning the processing of their data. Hence, while not expressly specified in the PPA, it is necessary to provide data subjects with a good understanding of which categories of personal data are being collected, used and transferred.

Rights to access information

Subject to certain limited exceptions, data subjects enjoy rights of access to their information.

Rights to data portability

No.

Right to be forgotten

Israeli courts have heard cases concerning plaintiffs’ requests that information about them be deleted from public sites, typically search engines. So far, courts have not recognised an overarching privacy right to have data erased.

Objection to direct marketing and profiling

Data subjects may object to (opt out of) direct marketing. They may also require that their personal data be deleted from a database used for direct marketing and not transferred from a database used for direct marketing services.

In June 2017, the Authority issued an instruction on the interpretation and implementation of the PPA provisions on direct marketing and direct marketing services. The instruction generally favours an opt-in regime for all unsolicited commercial communications and direct mailing services (not just those sent electronically). It considers that an opt-out is only appropriate where an individual’s details were initially collected for direct marketing purposes with informed consent.

Other rights

Subject to certain limited exceptions, data subjects enjoy rights to rectify their information.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The PPA makes database owners, possessors and managers all responsible for the information security of a database.

Information security requirements are further specified in the Security Regulations, which require database owners, possessors and managers to take a range of measures. In particular, they must: (i) implement an information security policy; (ii) map data flows and conduct systematic risk reviews; (iii) ensure the physical security of the database; (iv) ensure that authorised personnel are duly vetted and properly trained; (v) manage access authorisations on a need-to-know basis and automatically monitor and log access to databases; (vi) document security incidents; and (vii) include certain terms in outsourcing agreements.

Additional sector specific data security rules continue to apply in the financial sector under the Supervisor of Banks’ Regulation No. 357 on Information Technology Management, Regulation No. 361 on Cyber Defence and equivalent instructions issued in 2016 by the Commissioner of Capital Markets, Insurance and Savings.

The Government of Israel established the Israel National Cyber Bureau in August 2011 and approved a National Cyber Defence Authority in February 2015 to oversee cyber defence actions. This includes operating an assistance centre and a national CERT (Cyber Event Readiness Team).

Specific rules governing processing by third party agents (processors)

The Security Regulations require database owners, possessors and managers who outsource data processing to a third-party vendor to: (i) conduct a data security risk analysis; (ii) include certain provisions in the outsourcing agreement; (iii) include in their data security policy details on authorised access by the vendor; and (iv) monitor vendor compliance, including by conducting regular audits.

Notice of breach laws

For the first time under Israeli law, the Security Regulations impose an industry-wide data breach notification requirement to the Authority in case of a “serious security incident”. A “serious security incident” is defined as: (a) in a database subject to a high level of security, an incident where data from the database was used without authorisation or in excess of authorisation, or where there was a breach of data integrity; (b) in a database subject to an intermediate level of security, an incident where data constituting a material part of the database was used without authorisation or in excess of authorisation, or where there was a breach of the integrity of data constituting a material part of the database.

When required under the Security Regulations, breach notification must be immediate. In addition, the Security Regulations authorise the Authority to request, after consulting with the Head of the Israel National Cyber Authority, that notification be made to a data subject who may be harmed by the incident.

Breach notification obligations continue to apply in the financial sector under the regulations issued by the Supervisor of Banks and the Commissioner of Capital Markets, Insurance and Savings.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The PPA restricts data transfers to third parties, including corporate affiliates, within or outside of Israel. An additional layer of regulation applies to international data transfers under the Privacy Protection Regulations (Transfer of Data to Databases Outside of Israel), 2001 (the “Transfer Regulations”).

The Transfer Regulations apply to both inter- and intra-entity transfers of personal data outside of Israel. They permit transfers to: (i) EU Member States; (ii) other signatories of Council of Europe Convention 108; and (iii) a country “which receives data from Member States of the European Community, under the same terms of acceptance”. This has been interpreted by the Database Registrar to apply to transfers to Safe Harbor participant companies in the US.

However, following the European Court of Justice decision in Schrems, the Authority issued a statement in October 2015 revoking the Database Registrar’s prior authorisation to transfer data from Israel to the U.S. under the Safe Harbor. Responding to market concerns, the Authority issued an additional clarification in January 2016, stating it does not intend to initiate enforcement action with regard to data transfers based on Safe Harbor, but rather is awaiting the outcome of the EU-US talks. The Authority’s statement announcing the approval of the EU-U.S. Privacy Shield did not provide additional information concerning the regulator’s enforcement stance in relation to such transfers.

Transfers to other countries are permitted: (i) subject to data subject consent; (ii) from an Israeli corporate parent to a foreign subsidiary; or (iii) provided the data importer “enters into a binding agreement with the data exporter to comply with Israeli legal standards concerning the storage and use of data”.

Regardless of the basis for an international transfer, data exporters must also obtain the data importer’s written undertaking that the data importer implements sufficient safeguards to protect individuals’ privacy and promises to refrain from any onward transfer in its own country or any other country.

Notification and approval of national regulator (including notification of use of Model Contracts)

No notification of the Authority is required, other than as part of database registration.

Use of binding corporate rules

As specified above, the Transfer Regulations authorise transfers to a country “which receives data from Member States of the European Community, under the same terms of acceptance”. This provision might be interpreted to authorise transfers to entities implementing EU-approved binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

The Authority is authorised to impose fines that accumulate daily up to approximately USD 70,000 (258,000 NIS). Under a November 2011 government sponsored legislative bill, the Authority would be authorised to impose civil penalties in an amount up to approximately USD 850,000 (3.2 million NIS).

Imprisonment

A breach of data protection law (database registration; notification to data subjects) constitutes a strict liability criminal offence punishable by one year’s imprisonment and is also a civil tort.

Compensation

A violation of Chapter B of the PPA is a civil tort, creating for individuals a private cause of action. An individual whose rights are infringed not only under Chapter B but also under the general provisions of Chapter A of the PPA may be entitled to statutory damages in an amount up to NIS 50,000 (€10,000), or up to twice that amount in case of intentional infringement.

In addition, individuals may bring class action lawsuits based on privacy and data protection where the causes of action arise in the context of consumer or employment relations.

Other powers

None.

Practice

The Authority has taken several enforcement actions recently, including for breach of purpose limitation; transparency; and direct marketing requirements. A list of enforcement actions is available on the Authority’s website and a summary is contained in its annual report.

The Authority’s most important enforcement action over the past five years concerns a massive data breach involving the loss and eventual posting on the Internet of Israel’s entire population registry, consisting of more than 9 million records relating to every Israeli citizen as well as those recently deceased. The investigation resulted in criminal indictments of government contractors as well as recipients of the data; proceedings are currently pending in court, and some defendants have been sentenced to up to 10 months in jail.

As an active member of the Global Privacy Enforcement Network, the Authority has over the past few years participated in global enforcement sweeps, including with respect to mobile apps and the Internet of Things.

Fines have ranged from several thousand NIS to 258,000 NIS (70,000 USD) in a case concerning illegal trading of personal data and 176,000 NIS (50,000 USD) in a case concerning illicit use of an illegal copy of the population register. In 2017, the Authority fined a political party, Yesh Atid, more than USD 10,000 for using a database of Holocaust survivors for political messaging.

Individual lawsuits typically deal with privacy in the workplace, particularly monitoring of electronic communications, anti-spam legislation, data security breaches and privacy in the press. In an important decision from February 2011, the National Labour Court severely restricted employers’ ability to monitor employee emails. The Court made strong statements concerning the suspect nature of employee consent and mandated the implementation of principles of legitimacy, transparency, proportionality, purpose limitation, access, accuracy, confidentiality and security. It stated that given the constitutional status of the right to privacy, exemptions to the PPA must be interpreted narrowly (Lab. App. 90/08 Issakov v. State of Israel). The Court distinguished between the monitoring of (i) professional accounts that may be used by employees strictly for professional (and no other) purposes, (ii) dual-purpose accounts provided to employees for both professional and personal use, and (iii) personal accounts such as Gmail or Yahoo Mail; applying different standards and consent requirements to each type of account. In a January 2014 decision, the Jerusalem Labour Court further distinguished between two types of professional accounts, an open and a closed professional account, holding that in the case of an open account, which is not password protected, employees have provided implied consent to their account being accessed and monitored by the employer or fellow employees (Lab. (Jer.) 47674-03-10 Shoker Engineers v. Poliboy). The Supreme Court has reaffirmed the Issakov decision in Civ. App. 3661/16 Remet Ltd. v. Rami Shamir Civil Engineering Ltd. (Sup. Ct. 23 Aug. 2016).

Consumers have also brought several class action lawsuits, including against Apple for geolocation tracking, against mobile operator Pelephone for retention of SMS content, and against several Israeli companies for anti-spam violations.

In addition, contracts of adhesion (boilerplate) are subject to judicial scrutiny under the Standard Form Contract Act, 1982. In two cases, the Standard Contracts Tribunal invalidated clauses in standard form contracts purporting to secure customers’ consent to the sharing of personal data among members of banking groups. It concluded that despite customer consent, data sharing practices were overly broad and therefore void.

In an August 2012 decision, the Tel Aviv District Court upheld the validity of an instruction issued by the Authority restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorised to issue market instructions interpreting the law. The decision is likely to have profound effects for the validity and weight given to this and other guidance documents and market instructions issued by the Authority. (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar).

In May 2014, the Israeli Antitrust Authority issued guidance concerning the sharing of data between competitors as part of a due diligence process ahead of a contemplated merger, acquisition or joint venture. While covering additional categories of information, the guidance also applies to personal data. It requires the parties to minimise the data shared in the process and the number of employees authorised to access it, suggests having the data vetted by a trusted third party instead of being transferred in raw form, and requires the execution of a confidentiality agreement and documentation of the due diligence process.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The PPA and the Telecommunications Act (Telephone and Broadcast), 1982 (“Telecom Act”).

Enacted in 2008, Section 30A of the Telecom Act is modelled after article 13 of the Privacy and Electronic Communications Directive and applies to businesses sending unsolicited commercial marketing messages by electronic means. It imposes strong civil and criminal penalties, including statutory damages, class actions, and directors’ and officers’ liability. It has also been pursued vigorously by individual plaintiffs.

In June 2017, the Authority issued an instruction on the interpretation and implementation of the PPA provisions on direct marketing and direct marketing services. The instruction generally favours an opt-in regime for all unsolicited commercial communications and direct mailing services (not just those sent electronically). It considers that an opt-out is only appropriate where an individual’s details were initially collected for direct marketing purposes with informed consent.

_____________________________________________________________________

Cookies

Conditions for use of cookies

No specific cookies legislation. If the cookie contains personal information it will be subject to the general provisions of the PPA.

Regulatory guidance on the use of cookies

None.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Section 30A of the Telecom Act prohibits the transmission of “advertising material” by electronic means without the recipient’s prior explicit consent. That consent must be in writing.

Conditions for direct marketing by e-mail to corporate subscribers

Section 30A of the Telecom Act prohibits the transmission of “advertising material” by electronic means without the recipient’s prior explicit consent. That consent must be in writing.

Exemptions and other issues

The Telecom Act provides two important exemptions. First, advertisers may contact a business (as opposed to an individual recipient) once to solicit consent for future communications.

Second, advertisers may transmit advertising material to an individual recipient if conditions very similar to those of the “similar products and services” exemption apply.

The Telecom Act regulates not only the means of transmission but also the content of advertising messages. Under the Telecom Act, an advertising message must be clearly labelled as such, using the word “advertisement” at the beginning of the message or, in case of an email message, the subject line. In addition, an advertising message must specify the name and contact details of the advertiser as well as the recipient’s right to notify the advertiser at any time and by reasonable means of his or her refusal to receive additional messages. To avoid exceedingly long messages, the senders of SMS need only specify their name and contact details.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the PPA, individuals must be provided the opportunity to opt out of direct marketing, including having their personal data deleted from the database used to contact them.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The PPA applies only to individuals.

Exemptions and other issues

Transparency obligations under the PPA apply, as discussed above. In addition, the caller must disclose to the individual called the name and address of the controller of the database from which her contact details were drawn and the sources from which the controller of the database collected such information. In addition, databases should not be used for direct marketing services unless the person managing or possessing it has a record indicating the source from which the data was received, the date it was received, and to whom it was delivered.

_____________________________________________________________________