The Draft Privacy Protection Law (Amendment No. 14) – a real change or just a technical update of the existing situation?

On January 5 ,2022, the Ministerial Committee on Legislative Affairs approved the draft amendment No. 14 to the Privacy Protection Law 5741-1981, which is awaiting approval by the Knesset Constitution Committee for a second and third reading.

On first examination of the draft amendment, it could be assumed that it refers mainly to detailed arrangements that were designed to improve the oversight and enforcement capabilities of the Privacy Protection Authority and, therefore, database owners are ostensibly required ‘only’ to continue to meet the requirements of the law.

In our opinion, however, one of the significant parts of the amendment to the law is an extensive update of its ‘Definitions’ section; an update that companies that collect personal information in their digital interfaces must take into account.

Firstly, the definitions that determine who is a database ‘owner’ and ‘holder’ have been updated in the spirit of new, similar regulations in other countries[1], in  a manner that creates a distinction between one who has control over a database (as opposed to one who is the ‘owner’ of a database, in the existing law) and a holder of a database (i.e., someone who has access to the database for various purposes, such as applications of third parties that perform various actions on the data in the database, etc.). This distinction sets the boundaries of liability between these factors more clearly than in the existing law. This division is also significant with regard to the administrative fines that are proposed to be set in the amendment. Pursuant to the draft law the controller of the database will, at the very least, need to explicitly define the service being provided to it and the responsibility of each of the parties within their contractual relationship, similar to the data processing agreements (DPAs) that are being made since the GDPR has come into effect.

In addition, the amendment to the law redefines ‘use of information’ and even adds a definition to the term ‘processing’, which does not exist in the law in its current form, and in fact expands the application of the law in relation to actions performed on the information in the database by the controller and the holder of the database.

There is no doubt that the fundamental change in the draft amendment is the strengthening of the supervisory tools and enforcement powers vested in the head of the Privacy Protection Authority. The proposed enforcement arrangements also address violations with regard to the manner in which the information is collected. The significance of this is that these parties, the ‘controller’ and the ‘holder’ of a database, must ensure that the definitions of the duties and the responsibility imposed on them, also in everything related to the collection of information, are addressed in the agreement between them. The significance of this important addition, if it will be made in the manner in which the laws in other countries, such as the GDPR, are formulated, is the increase in the obligation of database owners regarding the obtaining of consent from information subjects (the users who provide the information) and dealing with a reality where there is a real limit on the ability to collect information.

To summarise, on face value, it seems that for the owners of databases this is not a far-reaching change that goes up to the level of the GDPR, but in fact if this draft law is passed, then it will impose obligations on Israeli database owners, even those who have not previously been exposed to the GDPR and other foreign laws. From now on they will have to update their agreements with holders, so as to bring them in line with the new privacy requirements in Israel as they are also reflected in the modern legislation in Europe, California and other countries, as well as prepare and implement procedures in order to meet the updated requirements of Israeli law.

 

This article was written by Adv. Yariv Kesner and Adv. Hila Izhaki from the Corporate and High-Tech department of Nov, Kesner, Snir & Co. – Law office. Our High-Tech and VC practice also maintains an in-depth knowledge of local and international privacy legislation.

 

For consultation regarding all legal aspects of your startup please contact us at: 03-5441411 / office@novlaw.com

 

[1] Such as the European GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Related Post