Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 14 Aug., Israel enters a new chapter in its data protection regime. With the enactment of Amendment 13 to the Protection of Privacy Law, 5741-1981, the country has introduced a comprehensive overhaul of its privacy framework. This reform not only modernizes statutory obligations but also significantly expands the enforcement powers of the Protection of Privacy Authority, signaling a decisive shift toward proactive governance and regulatory assertiveness.
A turning point in Israel's privacy law
Amendment 13 is not merely a legislative update. It is a structural transformation that introduces the mandatory appointment of privacy protection officers, enhanced transparency obligations, specific requirements for data brokers and a broader definition of sensitive data. It also empowers the PPA to impose hefty fines, order the suspension of data processing and conduct criminal investigations. As an especially active regulator, the PPA has indicated that it will enforce its many quasi-legislative guidelines and directives as if they were binding law.
The reform reflects Israel’s intent to align with global privacy standards while preserving its unique regulatory identity. Previous analysis of the reform noted that Israel is “charting its own path” by combining European adequacy with a strong focus on cybersecurity.
Risks and liabilities: A new compliance landscape
The consequences of non-compliance under Amendment 13 are severe. The PPA will soon have the authority to impose administrative orders, monetary sanctions and cease-and-desist directives. Fines can reach millions of shekels, with multipliers for large-scale databases or sensitive data processing.
Organizations may also face civil litigation, including class actions, as well as criminal liability for offenses such as breaches of confidentiality, unauthorized data processing and misleading the regulator. Statutory damages of up to ILS100,000 may be awarded without proof of harm, and courts can order the deletion of unlawfully obtained data or prohibit further processing.
Legislative history: From fragmentation to cohesion
Israel’s privacy law, originally enacted in 1981, has undergone piecemeal amendments over the years. Amendment 13 represents the most comprehensive reform to date. It consolidates prior updates, introduces new legal terminology and establishes mechanisms for proactive supervision, oversight and administrative inquiry.
The legislative process was shaped by extensive consultation with stakeholders, including legal experts, civil society and industry representatives. The reform reflects a deliberate effort to balance innovation with individual rights and to equip the PPA with the tools necessary for effective enforcement.
Key changes introduced by Amendment 13
1. Mandatory appointment of a privacy protection officer
Entities meeting specific thresholds, such as processing sensitive data at scale or engaging in systematic monitoring, as well as public authorities and data brokers, must appoint a qualified privacy protection officer (PPO). The officer operates independently, reports directly to senior management and must possess legal expertise, comprehensive knowledge of IT and cybersecurity, and knowledge of the organization.
The PPA’s recent guidance clarifies that individuals with decision-making authority cannot assume the position of the privacy officer, and that the role must be distinct from the chief information security officer to avoid conflicts of interest.
Organizations must ensure that the PPO is involved in all privacy-related matters, not only personal data processing, and has access to the necessary resources.
2. Enhanced disclosure and consent requirements
Organizations must provide clear, accessible information about data collection, processing purposes and recipients; specific disclosure requirements apply to the processing of sensitive data, particularly when biometrics or AI systems are involved.
Consent must be informed, freely given and, in most cases, explicit, particularly for sensitive data and direct marketing. The PPA’s guidelines on consent require granular disclosures and prohibit bundled or vague consent mechanisms.
The PPA has emphasized that its directives on consent will be enforced as binding obligations. This includes requirements for opt-in mechanisms, transparency about data uses, and documentation of consent flows.
3. Obligations for data brokers and direct mailing services
Entities engaged in data brokerage or direct mailing must register their databases, maintain detailed records of data sources and transfers, and honor opt-out requests. Communications must include database registration numbers and deletion instructions. Failure to comply may trigger administrative alerts or monetary sanctions.
4. Submissions to the PPA and preliminary opinions
Controllers must notify the PPA of any database containing sensitive data on more than 100,000 individuals and submit a database definitions document — a statutory equivalent to the EU General Data Protection Regulation's records of processing activities — along with the details of the PPO.
The PPA offers a preliminary opinion mechanism, allowing entities to seek regulatory guidance before launching new data initiatives. This mechanism enhances transparency and reduces regulatory uncertainty, particularly for start-ups and multinational corporations navigating Israel’s privacy landscape.
5. AI and automated decision-making
The PPA has signaled its intent to regulate artificial intelligence systems that process personal data. Entities must assess the impact of automated decision-making, ensure transparency, and implement safeguards against bias and discrimination. These requirements echo global trends and reflect Israel’s cautious yet proactive stance on AI governance.
The regulator’s publications on AI emphasize the need for explainability, fairness and accountability in algorithmic processing. Organizations must document their AI systems and conduct impact assessments to demonstrate compliance. Further context is available in this analysis of Israel’s approach to AI regulation.
6. Security assessments and penetration testing
Organizations holding large sensitive databases must conduct risk assessments and penetration tests at least every 18 months. They must document findings, update security procedures and report serious incidents to the PPA. Failure to do so may result in fines up to ILS320,000 per violation.
The Data Security Regulations, 5777-2017, remain in force and are soon to be reinforced by the PPA’s enhanced enforcement powers under Amendment 13. Organizations must maintain updated database structure documents, access control logs, incident response protocols, secure coding, encrypted data storage and transmission, and more.
7. Vendor management
Controllers must conduct privacy and cybersecurity reviews before engaging processors, sign thorough data processing agreements with strong security clauses, monitor processor compliance, and obtain annual cybersecurity implementation reports.
8. Trans-border data transfers
Under the 2001 regulations, transfers of personal data to countries that have not ratified Convention 108 are subject to alternative data transfer mechanisms, including a contractual commitment by the data recipient to comply with the applicable provisions of Israeli privacy law, or the data subject's informed and freely given consent. With Amendment 13 taking effect, the PPA will have substantial powers to enforce these regulations.
Furthermore, under specific regulations enacted in 2023 in an effort to maintain the European Commission’s adequacy status of Israeli privacy laws, personal data transferred to Israel from the European Economic Area is subject to additional obligations. Controllers must ensure data accuracy, limit retention and provide deletion mechanisms. Violations may incur per-person fines.
9. Enforcement powers of the PPA
The PPA now has authority to conduct administrative inquiries, appoint inspectors and issue binding orders. The authority may publish enforcement actions, including the names of violators, and escalate cases to criminal prosecution. The regulator’s directives and guidelines are treated as de facto law, with non-compliance subject to penalties.
The PPA’s annual report will include detailed statistics on enforcement actions, complaints, and sectoral audits, enhancing public accountability and regulatory visibility.
Call to action: Compliance is no longer optional
Organizations are already seeking expert counsel to navigate the complexities of Amendment 13 and prepare for its implementation. Doing business in Israel requires swift action to align with the new legal regime. This includes:
- Conducting gap analyses and updating privacy notices.
- Appointing qualified privacy protection officers and ensuring their independence.
- Reviewing consent mechanisms and marketing practices.
- Implementing robust security controls and documentation protocols.
- Preparing for regulatory submissions and potential audits.
Amendment 13 marks a pivotal moment in Israel’s privacy journey. It elevates the country’s data protection standards, empowers the regulator and imposes meaningful obligations on data controllers and processors. As the global privacy landscape continues to evolve, Israel’s reform positions it as a jurisdiction committed to transparency, accountability and the protection of individual rights.