
Companies face heavy penalties for cybersecurity lapses




Will a major reform that’s about to come into force severely damage the many businesses that are unprepared for it? Amendment 13 to the Protection of Privacy Law, passed a year ago and due to be implemented from August 14, represents nothing less than a revolution in privacy protection and data security in both public organizations and private enterprises. This is the most extensive reform in this field since the law was enacted in 1981.

The background to the amendment is the burgeoning of cyber attacks since October 7, 2023. According to figures from the Israel National Cyber Directorate, there were some 17,000 cyber incidents last year, 24% more than in 2023. 41% of these were phishing attacks, messages designed to give access to the victim’s computer system.

The amendment is meant to bring Israel into line with international regulation on privacy, and to ensure that the standard in Israel comes as close as possible to the EU General Data Protection Regulation (GDPR), considered the most advanced standard in the world.

A regulator with teeth

First of all, the amendment dramatically strengthens the powers of the Privacy Protection Authority in the Ministry of Justice. The Authority will become an enforcement agency “with teeth”, empowered to carry out investigations, demand documents, and impose penalties. The Authority will be able to employ investigators and use administrative enforcement against commercial companies and public bodies, including security agencies.

That, however, is the minor concern. The worrying news for businesses is that the Privacy Protection Authority will be able to impose high penalties on organizations that breach data security rules.

For example, an organization in which a cyber break-in has occurred as a result of breaches of the law’s requirements might be fined NIS 320,000 for each breach. If the database that has been hacked is very large, the fine per breach might be doubled to NIS 640,000, and can reach up to 5% of the organization’s revenue. That may not seem very much, but for many enterprises it could represent their entire profit, which means that the penalties may have a dramatic impact on them and could leave them destitute.

As indicated, each incident could involve a number of breaches: not just the leak of data, but the failures that led up to it, such as not carrying out a risk survey or the lack of a data security policy. Cumulatively, therefore, the fines could amount to millions of shekels.

The amendment also strengthens the possibility of receiving compensation for harm to privacy in civil suits. Liquidated damages of NIS 10,000 may be awarded without proof of harm, for example in a case in which a person discovers that information about her or him is contained in a database that has not been registered according to law, or that personal information about her or him has been accessed in breach of the conditions that allow it. The prescription period for such lawsuits, which was two years, has been extended to seven years.

The fear of penalties also relates to the requirement that organizations should erase old information that they hold. “A business that has an Internet site with cookies has a year in which to erase information, but in complex systems such as at banks and insurance companies it’s difficult to erase information on customers that’s years old,” says Adv. Dalit Ben-Israel, a partner, head of IT Privacy and Data Protection, and co-head of AI, at the law firm of Naschitz Brandes Amir, who participated in the Knesset discussions on Amendment 13. She says that companies that are not yet prepared are liable to be targets for collecting “easy money” in fines.

A year to prepare

The Privacy Protection Authority is aware of the fears, but points out that organizations have had a year in which to gear up for implementation of the law, and recommends that anyone who has not yet done so act quickly to fill any gaps. Under the amendment, the Authority can issue a warning to an organization that unless a breach of privacy ceases, a fine will be imposed. It can require a cash deposit as a guarantee that the breach will be halted, and can even apply to the court for an order to shut down the database.

Large organizations will be required to appoint an officer responsible for privacy protection. This will be required in banks and insurance companies, telecommunications companies, government ministries and local authorities, hospitals and health funds, universities and colleges, and any organization “the main business of which includes processing of highly sensitive information on a substantial scale.”

The amendment changes the definition of “highly sensitive information”, and includes in it medical, genetic and biometric information, criminal records, personal assessments in the course of recruitment, information about pay, political beliefs, religious faith, and location services.

Amendment 13 relaxes the requirements for registration of databases. Registration will not apply to most of the private sector, but only to public bodies, and to databases containing information on more than 10,000 people to which there is paid access.

The Ministry of Justice is already working on further amendments to the law. Adv. Ben-Israel believes that this is vital, for example for the development of artificial intelligence systems. “Under the current law, processing information is allowed only by consent, or if the law explicitly authorizes it, for example in enforcement of money laundering prohibitions,” she explains. “But how can a bank that wants to develop an AI system obtain the consent of customers from five years ago? Therefore, in cases in which there is no substantial harm to privacy, the law will need to be amended so as to allow the use of information when there is a legitimate interest in doing so, as in Europe.”

The privacy revolution that will get underway in August, and which could exact a heavy financial price from businesses, is thus only the first stage on the way to a more comprehensive reform in the coming years.

Published by Globes, Israel business news – en.globes.co.il – on July 29, 2025.

© Copyright of Globes Publisher Itonut (1983) Ltd., 2025.