Israel Protection of Privacy Law, 5741-1981
Israel's Protection of Privacy Law (1981) governs databases of personal information and is recognized as EU-adequate. Amendment 13 of 2024 modernizes it toward GDPR alignment, narrowing registration, adding a DPO duty, and introducing substantial administrative penalties.
Israel Protection of Privacy Law, 5741-1981
Israel's Protection of Privacy Law, 5741-1981 (PPL), is the country's foundational privacy statute. It took effect on April 8, 1981 and has been developed through regulations and amendments, most importantly the Privacy Protection Regulations (Data Security) of 2017 and Amendment 13 of 2024, which substantially modernized the regime. Israel is recognized by the European Commission as providing an adequate level of data protection, which facilitates data transfers from the EU.
Who It Applies To
The law governs the management and use of databases containing personal information and protects individuals against infringements of their privacy. Amendment 13 modernizes core definitions, recalibrates the database registration regime, and strengthens the powers of the Privacy Protection Authority (PPA), the supervisory body. The reforms align Israeli law more closely with the GDPR and apply broadly to controllers and processors handling personal data.
Key Requirements
Controllers must process personal information lawfully and for legitimate purposes, generally with the individual's consent. Under the long-standing framework, certain databases must be registered with the Database Registrar, though Amendment 13 narrows mandatory registration to higher-risk databases. The 2017 Data Security Regulations impose tiered security obligations based on the sensitivity and scale of the database, including access controls, documentation, and incident handling. Individuals have rights to access and correct their data. Amendment 13 adds requirements such as appointing a data protection officer for certain organizations and clarifies controller and processor roles and notification duties.
Penalties for Non-Compliance
The PPL provides for civil and, in some cases, criminal liability. Amendment 13 significantly increases enforcement powers, introducing substantial administrative monetary penalties that can scale with the size of the database and the nature of the violation, alongside the PPA's expanded investigatory and corrective authority.
How to Comply
Determine which databases require registration under the updated rules and register them. Apply the appropriate tier of the Data Security Regulations based on database sensitivity and scale. Obtain consent, honor access and correction rights, appoint a data protection officer where required, and maintain documentation and incident-response procedures to meet the strengthened standards.
Practical Notes
Israel's EU adequacy status is a significant advantage for transatlantic data flows, and Amendment 13 strengthens the regime to preserve and modernize that standing. Organizations should reassess which databases require registration under the narrowed rules, apply the correct tier of the 2017 Data Security Regulations, and prepare for expanded PPA enforcement powers and administrative penalties.
Building a Durable Program
Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.