On July 23, the Ministry of Justice published a draft bill [https://www.tazkirim.gov.il/s/tzkirim?language=iw&tzkir=a093Y00001RdRNXQA3#commnets] to amend the Protection of Privacy Law, 1981 (the "Privacy Law") for purposes of public comment. The published bill is named Protection of Privacy Law (Amendment no. X) (Definitions and Limitation of Registration Obligations), 2020 (the "Bill"). The Ministry of Justice intends to promote the Bill in conjunction with two other pieces of legislation: the existing draft Privacy Protection Bill (Amendment No. 13), 2018 ("Amendment 13"), as well as a further amendment to the Privacy Law (the "Next Bill"), which has yet to be published. The draft Bill is open to public comment until August 6, 2020.
The primary goals of the draft Bill are (a) to update the outdated Israeli Privacy Law and bring it into line with Israeli case law, technological innovations and the privacy laws of other countries, especially the Regulation (EU) 2016/679 (General Data Protection Regulation) (the "GDPR") and (b) to scale back the applicability of the database registration requirement, as it is universally acknowledged that the registration obligation does not achieve its regulatory purpose. We note that while non-governmental bodies such as the Israel Democracy Institute have published draft bills which would produce a much more serious overhaul of the Privacy Law, the Ministry of Justice has taken a more limited, conservative approach to changing the Privacy Law.
The prevailing assumption amongst privacy professionals is that part of the urgency in updating the Privacy Law is a concern that Israel might lose its coveted status as a country recognized by the EU Commission as providing adequate legal protection to data originating in the EU. This adequacy ruling is deemed a sufficient legal basis for transfer of personal data from the EU to Israel, without the need to rely on legal bases such as signing the Standard Contractual Clauses, and is relied upon by many Israeli companies which process the data of EU nationals. The risk that the EU Commission may rescind Israel's adequacy ruling is perceived as being more immediate in the wake of the European Court of Justice's decision this month in the Schrems II case, which ruling invalidated the Privacy Shield self-certification regime used by many US companies as a mechanism for transferring personal data from the EU to the US.
The draft Bill makes various changes and additions to the core definitions in the Privacy Law, including to the following terms: database owner, personal data, sensitive data (which will now be termed "data of special sensitivity"), biometric data, database holder, database, processing, etc. While the GDPR is referenced many times in the "Explanation" section of the Bill, as the impetus for the proposed amendment, in some cases, such as in the definition of "data of special sensitivity", the Ministry of Justice has decided to retain elements of the Privacy Law which differ from the GDPR, for example, the designation of financial data as "data of special sensitivity" together with other data types that are deemed sensitive data under the GDPR, such as biometric, ethnicity and health data.
The Privacy Law currently requires the registration of a database which fulfills any of the following criteria: (a) the database contains data about more than 10,000 people; (b) the database contains sensitive data; (c) the database contains data about natural persons not provided by them, on their behalf or with their consent; (d) the database belongs to a public body; or (e) the database is used for direct mail services. Under the proposed Bill, databases will only require registration if they include data of more than 100,000 data subjects and satisfy one of the additional criteria (as amended) set forth in sub-sections (b) – (e) above. This proposal reflects the Privacy Protection Authority's (the "PPA") position that the overly broad registration requirement has not fulfilled its goals, is an unnecessary drain on the PPA's limited resources and is largely unenforced.
As we noted above, the proposed amendment to the Privacy Law is a first step towards broader legislative reform that would include re-introduction of proposed Amendment 13 to the Privacy Law. If passed, the proposed Amendment 13, which was not enacted as law due to dissolution of the previous Israeli Parliament, would vest the PPA with enhanced supervisory powers and authorize exponentially higher penalties for Privacy Law violations than those currently in effect. The broader legislative reform contemplated by the Ministry of Justice would also include an additional bill addressing the legal bases for data processing and data subject rights in light of the GDPR.
Originally published 27 July, 2020