Jay Donde and Miriam H. Wugmeister
Israel and Privacy + Data Security
After years of deliberation, the Israeli Parliament (the “Knesset”) approved the most significant expansion of Israel’s data security laws in over two decades. The Protection of Privacy Regulations (Data Security), 5777-2017 (the “Regulations”), apply to any business that owns, manages or has access to a database in Israel containing personal information. The Regulations will come into effect in March 2018 and impact a wide range of data security practices, from breach notification to access monitoring. Entities with operations in Israel should carefully review the Regulations.
The collection, use and disclosure of personal information stored on electronic databases in Israel is governed by the Protection of Privacy Law, 5741-1981 (the “Privacy Law”). In addition to baseline privacy protections, the Privacy Law also mandates security standards for specific types of personal information, including credit history, medical records and biometric data. Despite its extensive coverage, the Privacy Law has remained relatively static since 1996, when its most recent significant amendment was enacted. The Regulations are viewed as necessary to ensure the continued “adequacy finding” of Israel’s privacy framework in the eyes of EU regulators ahead of the EU General Data Protection Regulation coming into force.
As described in the Explanatory Notes to the draft version of the Regulations, multiple layers of privacy defense are included in the Regulations’ text:
Among the Regulations’ numerous provisions, a few stand out as particularly significant:
It remains to be seen how aggressively the Regulations will be enforced upon effectiveness. In some circumstances, such as when an entity is otherwise complying with the provisions of a security plan imposed by another authorized agency, ILITA may temporarily waive compliance with certain of the Regulations. However, it is also expressly stated in the Regulations that compliance is a shared responsibility among each of a database’s owners, managers and users. Therefore, all businesses with a presence in Israel should actively engage and cooperate with partner stakeholders and closely watch for further guidance as March 2018 approaches.
 Protection of Privacy Regulations (Data Security), 5777-2017, available at: http://main.knesset.gov.il/Activity/committees/huka/Pages/CommitteeMaterial.aspx?ItemID=2015728.
 Protection of Privacy Law, 5741-1981 (as amended), English translation available at: http://www.justice.gov.il/En/Units/ILITA/Documents/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf.
See Rafaela Gwickman, The Knesset Delays Regulation – and Our Data Remains Exposed (January 10, 2017), available at: http://www.themarker.com/misc/article-print-page/1.3229888.
 Protection of Privacy Regulations, May 11, 2016, Hatza’ot Hok.
©1996-2017 Morrison & Foerster LLP. All rights reserved.