On July 23, the Ministry of Justice published a draft amendment to the Privacy Law, 1981, Protection of Privacy Law (Amendment no. X) (Definitions and Limitation of Registration Obligations), 2020 (the “Bill”). The full text of the Bill is available here.
The primary goals of the draft are (a) to update the outdated Israeli Privacy Law and bring it into line with Israeli case law, technological innovations and the privacy laws of other countries, in particular the European Union (EU) General Data Protection Regulation (the “GDPR”); and (b) to scale back the applicability of the database registration requirement, as it is universally acknowledged that the registration obligation does not achieve its regulatory purpose. We note that while non-governmental bodies such as the Israel Democracy Institute have published draft bills which would produce a much more extensive overhaul of the Privacy Law, the Ministry of Justice has taken a more limited, conservative approach in the current Bill.
The prevailing assumption is that the Bill was motivated by the concern that Israel might lose its coveted status as a country recognized by the EU Commission as providing adequate legal protection to data originating in the EU. This adequacy ruling is deemed a sufficient legal basis for transfer of personal data from the EU to Israel without the need to rely on legal bases such as signing the Standard Contractual Clauses, and is relied upon by many Israeli companies which process the data of EU nationals. The risk that the EU Commission may rescind Israel’s adequacy ruling is perceived as being more immediate in the wake of the European Court of Justice’s decision this month in the Schrems II case, which ruling invalidated the Privacy Shield self-certification regime used by many US companies as a mechanism for transferring personal data from the EU to the US.
The Bill is open for public comment until August 6, 2020.
Certain Proposed Changes
The draft Bill makes various changes and additions to the core definitions in the Privacy Law, including to the following terms: database owner, personal data, sensitive data (which will now be termed “data of special sensitivity”), biometric data, database holder, database, processing, etc. While the GDPR is referenced many times in the “Explanation” section of the Bill as the impetus for the proposed amendment, in some cases, such as in the definition of “data of special sensitivity”, the Ministry of Justice has decided to retain elements of the Privacy Law which differ from the GDPR. For example, financial data is deemed “data of special sensitivity” under the Bill, while such data is not so designated under the GDPR. Other data types deemed 'data of special sensitivity' include biometric, ethnicity and health data.
The Bill scales back the scope of databases which are subject to mandatory registration with the Database Registrar. The Privacy Law currently requires the registration of a database which fulfill any of the following criteria: (a) the database contains data about more than 10,000 people; (b) the database contains sensitive data; (c) the database contains data about natural persons not provided by them, on their behalf or with their consent; (d) the database belongs to a public body; or (e) the database is used for direct mail services. Under the proposed Bill, a databases will only require registration if it includes data of more than 100,000 data subjects and meets one of the following criteria: it includes data of special sensitivity or data collected other than by, on behalf of or with the consent of data subjects, is owned by a public body or includes data collected for purposes of sharing for business purposes, including direct mail services. This proposal reflects the Privacy Protection Authority’s (the “PPA”) position that the overly broad registration requirement has not fulfilled its goals, is an unnecessary drain on the PPA’s limited resources and is largely unenforced.
The proposed amendment to the Privacy Law is a first step towards broader legislative reform that would include re-introduction of "Amendment 13" to the Privacy Law which was previously introduced to the Israeli Parliament but was not enacted as law due to dissolution of the previous Israeli Parliament. Amendment 13, if passed, would vest the data protection authority with enhanced supervisory powers and authorize exponentially higher penalties for Privacy Law violations than those currently in effect. The broader legislative reform contemplated by the Ministry of Justice also includes an additional bill addressing the legal bases for data processing and data subject rights, which is intended to further harmonize the Privacy Law with the GDPR.
This memo is intended to serve as a general overview and does not constitute a replacement for legal counsel on the matters discussed herein.