We would like to bring your attention to the following:
On November 28, 2018 the Protection of Privacy Authority (the "PPA") issued a statement of opinion reflecting its position, according to which a list of names and email addresses constitutes a "database" as defined under the Protection of Privacy Law, 1981 (the "Law"). In its statement, the PPA determines that although the Law excludes a collection which includes only names, addresses and means of communication from the definition of a "database", a more suitable interpretation of the Law should be that if a person can be characterised based on his/her email address, the exclusion does not apply.
According to the opinion of the PPA, the reason for this position lies in the fact that in many cases it is possible to infer additional personal data regarding a person from the email address, which falls under one or more data types classified as "data" under the Law; for example, data regarding a person's "professional qualification" in case of work email address; data regarding a person's "personal status", when the email address is jointly owned by life partners, etc., information which necessarily signifies that the email address should not be classified as a mere "means of communication" as the exclusion under the Law stipulates. The PPA states that in recent years, email addresses have evolved into a "key" enabling the identification of a person with greater certainty and it is possible to cross-reference one's email address with different information held on various databases. The PPA notes that this logic matches the interpretation given by the European Union regarding the classification of an email address as "Personal Data".
In the opinion of the PPA, although the language of the Law could bear an interpretation according to which email addresses only constitute a "means of communication", there is room for broader interpretation of the Law, which will protect user privacy in databases, prevent the misuse of personal data and defend the rights of data subjects.
Therefore, it is the position of the PPA that a collection of email addresses constitutes a "database" according to the Law, and said database should adhere to all requirements under the Law, including registration, security, etc.
To read the full statement of the PPA (in Hebrew), please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.