Israel Privacy Protection Bill Includes Steep Sanctions – and a DPO

On January 6, 2022, the Israeli government released a long anticipated bill amending and updating Israel’s 1981 Privacy Protection Act (PPA) (the Bill). If passed, the Bill would constitute the most comprehensive update of the PPA in more than two decades. Primarily, the Bill greatly enhances the enforcement and investigation powers of the privacy regulator, the Israel Privacy Protection Authority (IPPA). While relaxing certain bureaucratic burdens on Israeli companies, most notably the dated obligation to register database, it would tighten substantive obligations and impose steep sanctions for violations, including severe criminal penalties. For the first time under Israeli law, it would require certain companies to appoint a data protection officer (DPO).

Definitions

The Bill updates several definitions under the PPA, drawing them nearer to those under the General Data Protection Regulation (GDPR) and similar global privacy laws. It introduces a new definition of “data,” which tracks that of “personal data” under GDPR, streamlining the existing definition, which comprises a list of categories of data. It recharacterizes existing “database owners” as “data controllers” and “possessors” as “processors”. And it delineates a category of “sensitive data,” which includes health and genetic information as well as information about a person’s political opinions, intimate relations, criminal record, geolocation, biometrics and more. Importantly for many businesses, sensitive data will include “information about a person’s consuming habits, which provide details about [other categories of sensitive data]” as well as “information about a person’s assets, liabilities or economic condition”.

Database Registration

Currently, the PPA sets forth a broad requirement for companies to register databases. This paradigm, while reasonable when the law was enacted in 1981, has become obsolete as businesses use dozens or hundreds of IT and cloud based systems and instances, which could be viewed as “databases”. The Bill limits the registration requirement to apply only to controllers of databases that contain sensitive data about more than 500,000 individuals, or data about more than 100,000 individuals that was collected from third parties or used to provide data brokerage services. Controllers of databases that contain sensitive data about more than 100,000 but less than 500,000 individuals must “notify” the IPPA.

Substantive Restrictions

The Bill introduces several new substantive restrictions. First, it prohibits a controller or processor from repurposing data or allowing a third party to do so. Second, it prohibits anyone from using data in a database except if authorized to do so by the controller. Third, it prohibits managing or possessing a database if the data contained therein was collected in violation of the PPA or another law.

Role of the DPO

The Bill amends an existing requirement in the PPA that certain companies appoint an information security officer with an obligation to appoint a DPO. This is the first time an Israeli law would impose a DPO obligation. Moreover, while the IPPA’s powers are limited with respect to Israel’s powerful national security agencies, including the Mossad, ISA, IDF and National Cyber Bureau, the Bill requires each of these agencies to appoint an internal privacy officer. The Bill determines the privacy officers’ term, protects them from termination, and requires them to report to the highest level of leadership. The privacy officers are charged with ensuring compliance with the PPA by their agencies. In cases of violations, they are authorized to conduct an internal investigation and report their findings to the head of the IPPA.

Enforcement Powers

The main thrust of the Bill is to arm the IPPA with investigation and enforcement powers. The scope of the powers is striking, compared not just to the authority’s current powers, which are limited, but also to the powers of data protection authorities around the world. In many respects, the search, seizure and investigatory powers under the Bill are similar to those of the Israeli police.

Importantly, the IPPA is authorized to impose administrative sanctions in amounts varying according to the nature of the violation as well as the volume and sensitivity of data involved. In serious cases, the IPPA is authorized to impose administrative sanctions in an amount up to 3.2 million NIS ($1 million). In case of continuous violations, the IPPA will be authorized to impose sanctions that accumulate daily. In fact, the Bill restricts the IPPA’s discretion to impose sanctions in an amount lower than that ascribed by the law, except under special guidelines set forth by the Minister of Justice. The IPPA will further be required to publicly name on its website any violator and list the amount of sanctions imposed. The Bill also lays out a new mechanism for enforcement notices by the IPPA and undertakings to refrain from further violation by companies.

Criminal Penalties

The criminal chapter in the Bill will be of particular concern to businesses. The Bill sets forth a list of criminal offenses and attendant sanctions, which include not only fines but also imprisonment of up to five years. For example, a person who collects data from an individual under false pretenses, including misrepresenting details in a privacy notice, with fraudulent intent, is subject to imprisonment of up to three years. A controller or processor who uses data, or allows others to use data, for a purpose other than that for which it was collected, is subject to imprisonment of up to five years. Unauthorized use or access to data in a database is subject to imprisonment of up to three years.

Next Steps

The Bill would be effective six months after it passes in parliament. Under Israel’s political system, government sponsored bills normally pass as long as the government enjoys the trust of parliament, though they may be subject to amendments through discussions in parliamentary committees, which begin now.