Data Protection & Cybersecurity 2019

Author:Ms Yoheved Novogroder-Shoshan, Eli Greenbaum and Miriam Friedmann
Profession:Yigal Arnon & Co
  1. Basic National Legal Regime

    1.1 Laws

    The primary sources of privacy and data protection law in the State of Israel are the Protection of Privacy Law 1981 (the 'Privacy Law') and the quasi-constitutional Basic Law: Human Dignity and Liberty (the 'Basic Law').

    The Privacy Law protects the privacy of individuals by regulating the storage and dissemination of information relating to individuals, prohibiting infringement of a person's privacy without consent and providing for both civil and criminal liability for such infringement.

    Section 2 of the Privacy Law identifies activities that constitute an infringement of privacy if carried out without consent, which are:

    spying on or trailing a person in a manner likely to harass him or her, or any other harassment; eavesdropping prohibited under any law; photographing a person while he or she is in a private domain; publishing a person's photograph under circumstances in which the publication is likely to humiliate him or her, or to bring him or her into contempt; publishing a photograph of a person who has been physically or psychologically injured in a manner such that it is possible to identify that person, where the photograph was taken at the time of the injury or shortly thereafter and under circumstances in which the publication is likely to cause embarrassment, excluding publication of photographs immediately following the photographing thereof without unreasonable delay under the circumstances; copying a letter or electronic message not intended for publication or use of its contents without the permission of the sender or the recipient, provided that the letter or electronic message does not have historic value and 15 years have not passed from the date it was written; using a person's name, appellation, picture or voice for profit; infringing an obligation of secrecy laid down by law in respect of a person's private affairs; infringing an obligation of secrecy laid down by explicit or implicit agreement in respect of a person's private affairs; using, or passing on to another, information regarding a person's private affairs, other than for the purpose for which it was given; publishing or passing on anything that was obtained by way of an infringement of privacy under bullet points (1) to (8) or (10) above; publishing any matter that relates to a person's intimate life, state of health or conduct in 'the private domain'; and publication of photographs of a person's identifiable corpse unless: 15 years have passed from the time of death; consent was obtained from the deceased or his or her relatives identified in the Privacy Law under the conditions specified in the Privacy Law; or a court order is obtained under conditions set forth in the Privacy Law. These privacy protections apply regardless of whether personal data is stored in a database.

    The Privacy Law also governs use of information stored in databases. A 'database' is defined in the Privacy Law as "a collection of data, stored by magnetic or optical means and intended for computer processing," subject to certain exceptions.

    The Privacy Law does not use the term 'data subject'; however, the definitions of 'data' and 'database' indicate that the Privacy Law's database provisions apply only to databases containing information about natural persons, although case law has extended certain privacy (but not database-related) protections to legal entities.

    The Basic Law provides that "every person is entitled to privacy and to the confidentiality of his life" and "there shall be no infringement of the confidentiality of a person's conversations, correspondence and writings."

    Judicial precedent also represents a key source of privacy law in Israel.

    A key recent development is the passage of the Protection of Privacy Regulations (Data Security) 2017 (the 'Data Security Regulations'), which became effective in May 2018. While the Privacy Law as originally enacted included provisions relating to databases, these provisions were technologically outdated. Following a full reappraisal and reassessment by the regulator, the Data Security Regulations were promulgated to supplement existing data security provisions under the Privacy Law and the Protection of Privacy Regulations (Conditions for Possessing and Protecting Data and Procedures for Transferring Data Between Public Bodies) 1986. The Data Security Regulations establish specific, granular requirements with respect to personal data collected and maintained in databases, and represent a significant increase in compliance obligations relating to data security.

    One of the most notable provisions of the Data Security Regulations is the addition of a data breach notification requirement for 'serious data breaches.' A 'serious data breach' is defined as either unauthorised use or compromise of data integrity of a substantial portion of the database for a medium-security database, or any unauthorised use or any compromise of data security for a high-security database. Serious data breaches require immediate notification to the Database Registrar, an entity appointed by the government pursuant to the Privacy Law to supervise compliance with provisions of the Privacy Law and the regulations issued thereunder. While there is no uniform obligation to notify affected data subjects of these breaches, the Database Registrar, after consultation with the National Cyber Bureau Chief, has the authority to order the database-owner to notify affected data subjects.

    Criminal and/or civil proceedings may be brought based on an infringement of privacy under the Privacy Law. Criminal sanctions include fines or jail terms, and civil remedies include injunctive relief and/or monetary compensation. Details regarding fines are described in the Administrative Offence Regulations (Administrative Fine - Protection of Privacy) 2004. Additionally, the Registrar may apply to the District Court for an order cancelling the registration of a database or suspending the registration's validity for a specific period.

    Certain sector-specific laws impose obligations of secrecy which, if breached, could constitute an infringement of privacy, such as the Banking Ordinance 1941, the Patients' Rights Law 1996 and the Income Tax Ordinance (new version).

    Amendment 13 to the Privacy Law is currently pending before the Israeli Knesset. If passed, the proposed amendment will vest the regulator - the Privacy Protection Authority (PPA) - with enhanced supervisory powers and authorise exponentially higher penalties for Privacy Law violations. While penalties for Privacy Law violations under existing regulations impose fines of ILS10,000-25,000 (approximately USD2,700-6,800) (excluding incremental penalties for ongoing violations), under Amendment 13, fines for violations will be increased up to a maximum amount of ILS3.2 million (approximately USD876,000), with daily increases of 2% for ongoing unmitigated breaches. Amendment 13 also adds a number of criminal violations to those already included in the Privacy Law, including:

    interference with the monitoring or enforcement activities of PPA personnel; provision of false information in the context of such enforcement activities; violations of certain obligations in connection with database registration obligations; fraudulent breaches of notification requirements in connection with collection of data from the data subjects; use of data in violation of the purpose limitation principle; and failure to properly respect data subjects' access rights.

    1.2 Regulators

    The PPA is the primary regulator for matters relating to privacy and data security. The PPA sits within the Israeli Ministry of Justice, and is headed by the Registrar of Databases (discussed below). The PPA conducts criminal investigations, administrative investigations and audits, publishes guidelines, conducts research and initiates new regulations. The PPA prepares an annual report about its activities for the review and oversight of the Israeli Knesset. It regulates and enforces data privacy and protection laws and regulations across all sectors, private and public, and may initiate enforcement actions based on information it receives from sources that can include other regulators and public bodies and the media, as well as complaints of aggrieved citizens.

    The Registrar of Databases is appointed by the government pursuant to the Privacy Law. The Registrar maintains the Registry of Databases and supervises compliance with the Privacy Law and associated regulations. The Registrar may refuse to register a database if it has reasonable grounds to assume that the database is used or is liable to be used in connection with illegal activities or the data included in the database has been obtained, accrued or collected in breach of the Privacy Law or in breach of the provisions of any order. The Registrar is also authorised to appoint inspectors who have broad authority to inspect information and documents related to databases and search and seize objects from any place where they reasonably believe a database is being operated, provided that entry into a private residence requires a court order.

    Regulated industries are subject to industry-specific requirements as well as general privacy, data protection and cyber-security requirements. For example, the Supervisor of Banks has issued privacy and cyber-security requirements for the banking industry, the Ministry of Finance has issued cyber-security guidance for insurance companies, and the Ministry of Health has issued guidance for healthcare institutions.

    Under the Law for the Regulation of Security in Public Entities 1998, the General Security Service (GSS) and the National Cyber Security Authority may instruct certain entities (such as licensed telecommunications operators) to take specified cyber-security defensive actions.

    1.3 Administration and Enforcement Process

    The PPA has several enforcement tools that...

To continue reading