Q. Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?
RAVIA: Media and industry coverage of two pieces of legislation that took effect in May 2018 have raised awareness of data protection issues among Israeli companies. The first, the Protection of Privacy Regulations (Data Security), set out detailed and prescriptive information security requirements for all companies processing personal data. Although the Israeli privacy regulator is currently experiencing organisational instability, the effect of the new regulations has not subsided. The second piece of legislation is the EU General Data Protection Regulation (GDPR), the extraterritorial reach of which affects many Israeli companies. Awareness within companies was further reinforced recently with the Israeli government laying down a proposal for a Cyber Defence and National Cyber Directorate Bill, which aims to establish a national body whose objective is to safeguard against cyber threats. Furthermore, the looming California Consumer Privacy Act (CCPA), with its extraterritorial effect, is also elevating awareness of data protection.
Q. As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in Israel?
RAVIA: The financial risks are limited. First, the Israeli privacy regulator is only authorised to impose smaller penalties in limited circumstances. Second, regulatory fines are not enforceable in cases of data breaches resulting from an organisation's failure to implement the data security safeguards required under the Israeli data security regulations. Legislative attempts to improve the enforceability of the Protection of Privacy Law and the Data Security Regulations have been unsuccessful to date. The main financial risk arises from class action lawsuits, but these are not yet widespread and usually do not survive through to final judgment. That said, regulatory oversight of a company can be a painful process. The regulator can seize documents and digital evidence, investigate personnel and issue an investigative report that the company must face and address. The regulator's primary enforcement tool lies in publicly disclosing investigations, findings and conclusions about an organisation. This, in tum, www.financierworldwide.com ISRAEL· HAIM RAVIA· PEARL COHEN ZEDEK LATZER BARATZ can result in...