2026-04-23 00:00 Israel

Data Protection & Privacy in Israel

Israel's data protection framework is undergoing its most significant overhaul in decades. The Protection of Privacy Law (חוק הגנת הפרטיות, 1981) is being reworked by a reform programme whose centrepiece, Amendment No. 13, was passed by the Knesset in August 2024 and entered into force in August 2025; further stages of the reform, covering lawful bases and data subject rights, remain at the proposal stage. The reform moves Israeli law towards GDPR-level standards while preserving distinct local requirements that frequently catch international operators off guard. For any business processing personal data of Israeli residents, or transferring data to or from Israel, understanding the current dual-layer regime - the legacy statute plus the amendments already in force and those still pending - is not optional. This article maps the legal landscape, identifies the key compliance tools, explains enforcement exposure, and outlines practical strategies for managing data protection risk in Israel.

The legal framework: from the 1981 act to the reform era

The Protection of Privacy Law (PPL) is the primary statute governing personal data in Israel. Enacted in 1981 and amended many times since, it gives statutory form to the right to privacy, which has had constitutional standing since 1992 under section 7 of Basic Law: Human Dignity and Liberty (חוק יסוד: כבוד האדם וחירותו). The PPL covers the collection, use, disclosure and transfer of personal information held in databases. Before Amendment 13, a database had to be registered with the Registrar of Databases (מרשם מאגרי המידע) if it held information on more than 10,000 individuals, contained sensitive information, held information about individuals that was not supplied by them or with their consent, belonged to a public body, or was used for direct mailing services. Amendment 13 narrowed the registration duty substantially, so that it now applies mainly to public bodies and to databases whose main purpose is collecting personal data for delivery to third parties (data brokers), while the security and disclosure duties continue to apply to every database. The Registrar operates under the Privacy Protection Authority (PPA, formerly the Israeli Law, Information and Technology Authority - ILITA).

The PPL defines 'information' (מידע) broadly: data about an individual's personality, personal status, intimate affairs, health, financial position, professional qualifications, opinions and beliefs. A subset of this is 'sensitive information' (מידע רגיש) under section 7, covering personality, intimate affairs, health, financial position, and opinions and beliefs, which the Minister of Justice may extend to further categories. The concept of a 'database' (מאגר מידע) is equally broad and covers any structured collection of personal data, whether digital or paper-based. This breadth means that CRM systems, HR files, marketing lists and customer transaction records are all databases for PPL purposes and carry its security, disclosure and access obligations even where registration is no longer required.

The Privacy Protection Regulations (Transfer of Data to Databases Abroad) (תקנות הגנת הפרטיות (העברת מידע אל מאגרי מידע שמחוץ לגבולות המדינה), 2001) govern cross-border data transfers. Israel has been recognised by the European Commission as providing an adequate level of data protection (Decision 2011/61/EU, reaffirmed in the Commission's January 2024 review), which allows transfers from the EU to Israel without additional safeguards. The reverse - transfers from Israel to third countries - requires the database owner to verify that the destination country's law provides a level of protection not lower than Israeli law, or to rely on one of the regulations' specific exceptions, and in every case to obtain the recipient's written undertaking to apply Israeli-equivalent conditions to the data.

The reform package, advanced through the Ministry of Justice, the Privacy Protection Authority and the Knesset legislative process, introduces concepts familiar from the GDPR. Amendment 13, in force since August 2025, adopts controller/holder terminology in place of the old owner/holder scheme, narrows the registration duty, creates a mandatory privacy protection officer role for defined categories of controller, and gives the PPA the power to impose substantial administrative fines. Data minimisation, purpose limitation and mandatory data protection impact assessments (DPIAs) form part of the wider reform agenda that is still being legislated. Businesses must therefore comply with the provisions now in force and plan for those still pending.

A common mistake among international clients is to assume that GDPR compliance automatically satisfies Israeli law. The two regimes overlap substantially but diverge on registration obligations, specific consent requirements, and the procedural rules for exercising data subject rights. Operating on the assumption of full equivalence creates compliance gaps that regulators have begun to scrutinise more actively.

Database registration and the role of the Privacy Protection Authority

Database registration is a mandatory pre-condition for operating certain categories of database in Israel. The PPL and the Privacy Protection Regulations (Database Registration) (תקנות הגנת הפרטיות (רישום מאגרי מידע), 1985) specify which databases must be registered and which are exempt. Exemptions apply to databases held for personal use, databases containing publicly available information only, and certain databases held by public bodies for defined statutory purposes. Since Amendment 13 the registration duty is focused on public bodies and data brokers, with a lighter notification duty for very large databases of sensitive data; businesses should confirm which regime applies to each database rather than assume the pre-2025 thresholds.

For databases that must be registered, the controller submits an application to the Registrar of Databases detailing the purpose of the database, the categories of data held, the identity of the database owner and manager, and the security measures in place. The Registrar may refuse registration or impose conditions. Operating an unregistered database that requires registration is a criminal offence under PPL Article 31A, exposing the controller to fines and, in aggravated cases, imprisonment.

The Privacy Protection Authority (PPA) is the primary supervisory body. It has powers to conduct audits, issue guidance, investigate complaints and impose administrative sanctions. Following amendments to the PPL, the PPA's enforcement powers have been strengthened: it can issue binding orders, impose fines and publish findings. The PPA has published detailed guidelines on topics including information security, consent, direct marketing and cross-border transfers, and these guidelines carry significant practical weight even where they are not formally binding.

In practice, it is important to consider that the PPA has shifted from a primarily advisory role to an active enforcement posture. Businesses that treated database registration as a formality and paid little attention to the PPA's guidance are now finding themselves subject to audits and formal investigations. The PPA has the authority to inspect databases, require the production of documents and interview personnel.

A non-obvious risk is that the PPL distinguishes between the database owner (בעל המאגר), the holder (מחזיק), who keeps the database on the owner's behalf, and the database manager (מנהל המאגר), each with distinct obligations; Amendment 13 renames the owner the 'controller' but keeps the split. Where a foreign parent company holds data processed by an Israeli subsidiary, the question of who is the controller, who is the holder and who is the manager for PPL purposes requires careful analysis. Getting this wrong affects registration obligations, the allocation of security duties under the 2017 regulations and liability exposure.

To receive a checklist on database registration and PPA compliance requirements for Israel, send a request to info@vlo.com.

Consent, lawful bases and data subject rights in Israel

The PPL does not replicate the GDPR's six-basis model for lawful processing. Under the PPL, the primary lawful basis for processing personal information is consent (הסכמה), which must be informed, specific and freely given. The PPL also permits processing without consent in certain circumstances: where processing is required by law, where it is necessary for the performance of a contract to which the data subject is a party, or where it falls within a recognised public interest exception.

Consent under the PPL must meet substantive requirements. The data subject must be informed of the identity of the database owner, the purpose of the database, the categories of recipients to whom data may be transferred, and whether providing the data is voluntary or mandatory. These disclosure requirements are set out in PPL Article 11. Failure to provide adequate disclosure at the point of collection renders the consent defective and the subsequent processing unlawful.

For sensitive information - health data, financial position, intimate affairs, personality, and opinions and beliefs under section 7 - the PPL imposes heightened requirements: a database containing sensitive information is subject to stricter security classification under the 2017 regulations and, before Amendment 13, always required registration. Processing sensitive information without explicit, informed consent is prohibited except in narrowly defined circumstances. Many international businesses underappreciate this point: a general privacy notice that is adequate for GDPR purposes may not satisfy the PPL's specific disclosure and consent requirements for sensitive categories.

Data subjects in Israel have the right to access their personal information held in a database (PPL Article 13), the right to correct or delete inaccurate, incomplete or outdated information (PPL Article 14), and the right to be removed from a direct mailing list (PPL Article 17F). A general right to erasure, as understood in the GDPR, does not exist in the same form under the current PPL, though the reform package is expected to introduce a more comprehensive erasure right. Controllers must respond to access requests within 30 days under the current regime.

Practical scenarios illustrate the compliance challenge. A European e-commerce company selling to Israeli consumers collects email addresses and purchase history. Under the PPL, it must register a database if the threshold conditions are met, provide PPL-compliant disclosures at the point of collection, and respond to access requests within the statutory period. A US-based SaaS provider processing HR data for an Israeli corporate client must address both the contractual allocation of owner/manager responsibilities and the cross-border transfer requirements. An Israeli fintech startup sharing customer financial data with a foreign investor for due diligence purposes must assess whether the transfer is lawful under the PPL's transfer rules and whether the investor's jurisdiction provides adequate protection.

Cross-border data transfers: the adequacy framework and contractual safeguards

Cross-border data transfers are one of the most commercially significant aspects of Israeli data protection law for international businesses. The PPL and the 2001 Regulations establish a framework that mirrors, but does not replicate, the GDPR's transfer mechanism.

Transfers from Israel to a foreign country are permitted under regulation 1 where the destination country's law provides a level of data protection that is not lower than that provided under Israeli law. Regulation 2 then lists exceptions that permit a transfer even without that finding, including: the data subject's consent to the transfer; transfer to a country that receives data from the EU under the same terms (in practice, countries covered by an EU adequacy decision); transfer to a country that is party to the Council of Europe's Convention 108; transfer to a recipient who has undertaken in writing to comply with the conditions for holding and using data that apply to databases in Israel; and transfer within a group of companies subject to the same protective arrangements. Regulation 3 separately requires the owner to obtain the recipient's written undertaking to take adequate measures to protect the data and not to transfer it onward, whichever ground is relied on. EU member states and EEA countries are therefore generally treated as acceptable destinations, but the written undertaking is still needed.

Israel's own adequacy status under EU law - granted by the European Commission in 2011 and reaffirmed in its January 2024 review of existing adequacy decisions - means that transfers from EU controllers to Israeli processors or controllers do not require additional safeguards. This is commercially valuable for Israeli technology companies and service providers operating in the EU market. However, this status is subject to periodic review, and Israeli recipients of EEA-origin data must also comply with the Privacy Protection Regulations (Provisions Regarding Data Transferred to Israel from the European Economic Area) (2023), which add deletion, accuracy, data minimisation and notification duties for that data. Israeli businesses should not treat adequacy as permanent or unconditional.

A common mistake is to use EU standard contractual clauses (SCCs) for transfers from Israel to third countries as if they were a self-sufficient transfer mechanism. EU SCCs are drafted around GDPR obligations; they do not by themselves contain the recipient's written undertaking that regulation 3 of the 2001 Regulations requires, nor the undertaking to apply Israeli holding and use conditions on which the regulation 2 exception depends. SCCs can be used as the contractual vehicle, but the Israeli-law undertakings must be added to them, and the transfer file should record which regulation 1 or regulation 2 ground is being relied on.

The reform package is expected to introduce a more structured transfer mechanism, including a formal adequacy decision process, updated model clauses and a clearer framework for binding corporate rules. Until the reform is fully in force, businesses should document their transfer basis carefully, maintain records of the adequacy assessment for each destination country, and review transfer arrangements whenever the PPA updates its guidance.

To receive a checklist on cross-border data transfer compliance for Israel, send a request to info@vlo.com.

Data breach response: obligations, timelines and enforcement exposure

Data breach response is an area where Israeli law has moved significantly closer to GDPR standards, and where enforcement risk is most acute. The PPL, as amended, and the Privacy Protection Regulations (Information Security) (תקנות הגנת הפרטיות (אבטחת מידע), 2017) impose mandatory security standards and breach notification obligations on database owners and managers.

The 2017 Information Security Regulations assign each database a security level - basic, medium or high - based on the sensitivity of the data, the number of data subjects and the number of authorised users, with a minimal regime for databases managed by a single individual. Each level carries specific technical and organisational requirements: a database definitions document, physical and logical access controls, audit logging of access (with logs retained for at least 24 months at the medium and high levels), secure communications and encryption, employee training, and periodic risk assessments and penetration tests at the high level. The appointment of an information security officer is governed by PPL section 17B and applies, among others, to public bodies, banks, insurers and owners of five or more databases that require registration.

Where a security incident occurs, the 2017 regulations require the database owner to document it and review it (regulation 11). Where it amounts to a 'serious security incident' (אירוע אבטחה חמור) - for high-level and medium-level databases, broadly an incident in which a substantial part of the database was used without authorisation or its integrity was harmed - the owner must notify the Registrar (in practice, the PPA) immediately on becoming aware of it. There is no GDPR-style 72-hour window: the regulation's word is 'immediately', and the PPA expects an initial notification as soon as the incident is identified, supplemented as the investigation progresses. The notification should describe the measures taken in response, and the PPA may require further action.

Notification of affected data subjects works differently from the GDPR. Under the 2017 regulations there is no free-standing duty on the owner to notify individuals; instead the Registrar, after consulting the head of the National Cyber Directorate, may direct the owner to notify the affected data subjects. The owner should nevertheless prepare for that direction by assessing the nature of the data, the likelihood of misuse and the vulnerability of the affected individuals, since these are the factors the PPA weighs and they also drive civil liability exposure.

The risk of inaction is significant. Failure to notify the PPA of a serious security incident, or delay in doing so, is a breach of the regulations in its own right and an aggravating factor in any subsequent enforcement action. The PPA has the power to impose administrative fines, issue public reprimands and refer cases to the State Attorney's Office for criminal prosecution. Amendment 13 raised the administrative fine ceilings substantially and tied them to the severity of the breach and the size of the database, bringing Israeli penalties closer to GDPR levels.

A practical scenario: an Israeli cloud services company suffers a ransomware attack that encrypts customer data. The company must simultaneously manage the technical response, assess whether the incident meets the 'serious security incident' threshold (encryption of a substantial part of a medium- or high-level database harms its integrity, so it usually does), notify the PPA immediately, prepare to notify individuals if directed, and preserve evidence - including the access audit logs the regulations require it to keep - for any subsequent regulatory or civil proceedings. Where the company is a holder processing data for customers who are the owners or controllers, it must also trigger the customers' notification duties under their contracts. Each of these steps has legal implications, and the sequence in which they are handled affects both regulatory exposure and litigation risk.

Loss caused by an incorrect breach response strategy can be substantial. Because the regulations require immediate notification, waiting to complete a full internal investigation before contacting the PPA is the wrong calibration: a controller that delays while it investigates risks a finding of non-compliance with the notification duty. The better approach is an early, factual initial notification that states what is known, what is not yet known and what containment steps have been taken, followed by updates as forensic work narrows the scope. A controller that overstates the incident in its first notification can create a record that is hard to walk back, so the initial filing should be precise about uncertainty rather than either minimised or inflated. Calibrating the response requires legal judgment working alongside the technical incident response team, not either alone.

The reform package: what international businesses must prepare for

The Israeli data protection reform is the most consequential development in this field since the PPL was enacted. Its first major stage, Amendment 13, was passed in August 2024 and took effect in August 2025; further amendments and regulatory instruments are being advanced. Together they introduce obligations that require significant compliance investment from businesses whose programmes were built around the legacy PPL regime.

The reform introduces mandatory data protection impact assessments (DPIAs) for high-risk processing activities. The categories of processing that trigger a DPIA obligation are broadly aligned with GDPR Article 35 but include Israel-specific additions. Controllers must complete a DPIA before commencing high-risk processing, document the assessment, and implement the measures identified to mitigate risk.

Amendment 13 makes the appointment of a privacy protection officer (ממונה על הגנת הפרטיות), the Israeli equivalent of a DPO, mandatory for defined categories of controller: public bodies, data brokers, controllers of large databases of sensitive information, and controllers whose core activities involve systematic monitoring of individuals or large-scale processing of sensitive data. The officer must have sufficient expertise in data protection law and practice, must be given adequate resources, must be free of conflicts of interest, and must report directly to senior management. The role is substantively similar to the GDPR DPO, but the specific triggers for mandatory appointment differ.

The reform also introduces a formal accountability principle: controllers must be able to demonstrate compliance, not merely assert it. This requires maintaining records of processing activities, documenting lawful bases, retaining consent records, and implementing data governance policies. Many businesses that have implemented GDPR compliance programmes will find that their existing documentation provides a useful foundation, but Israeli-specific elements - registration obligations, the owner/manager distinction, local consent requirements - must be addressed separately.

The reform strengthens individual rights, including introducing a more robust right to erasure, a right to data portability, and enhanced rights in relation to automated decision-making. These rights are not yet fully in force under the current PPL, but businesses should begin designing their systems and processes to accommodate them in anticipation of the reform's full implementation.

A non-obvious risk is that the reform does not simply add new obligations on top of the existing PPL: it modifies and in some cases replaces existing provisions. Businesses that have built their compliance programmes around the legacy PPL without tracking the reform's progress may find that their programmes are based on superseded requirements. Regular review of PPA guidance and legislative developments is essential.

We can help build a strategy for navigating the transition from the legacy PPL regime to the reform framework, including gap analysis, documentation review and regulatory engagement. Contact info@vlo.com.

To receive a checklist on reform readiness and DPO appointment requirements for Israel, send a request to info@vlo.com.

FAQ

What is the most significant practical risk for a foreign company processing Israeli personal data without a local compliance programme?

The most significant risk is running the business as if the PPL did not apply: operating a database that still requires registration under Amendment 13 without registering it (a criminal offence under PPL Article 31A), ignoring the 2017 security regulations, and collecting data without the Article 11 disclosures. Beyond criminal exposure, the PPA has the authority to order the cessation of processing, impose administrative fines and publish findings. Foreign companies often assume that their GDPR compliance programme covers Israeli requirements, but the PPL's registration and notification duties, the owner/holder/manager distinction, the security-level classification and the specific consent disclosure requirements are not addressed by GDPR compliance alone. The PPA has increased its scrutiny of foreign operators following the expansion of its enforcement powers, and the absence of a local compliance programme is treated as an aggravating factor in enforcement proceedings.

How long does it take and what does it cost to establish a compliant data protection programme in Israel?

The timeline depends on the complexity of the business's data processing activities. For a mid-sized company with multiple databases, a compliance programme covering registration, security measures, consent mechanisms and transfer arrangements typically takes between three and six months to implement properly. Legal and advisory fees for a comprehensive programme usually start from the low thousands of USD and can reach the mid-to-high tens of thousands for complex, multi-database operations. The cost of non-compliance - regulatory fines, litigation exposure, reputational damage and the cost of remediation under regulatory supervision - substantially exceeds the cost of proactive compliance in most cases.

When should a business appoint a DPO under Israeli law, and is a GDPR DPO sufficient?

Since Amendment 13 took effect in August 2025, appointing a privacy protection officer is mandatory for the categories of controller it defines (public bodies, data brokers, large sensitive-data databases and controllers engaged in systematic monitoring or large-scale sensitive processing); other controllers may appoint one voluntarily. A GDPR DPO is not automatically sufficient for Israeli purposes: the Israeli officer must be familiar with the PPL, the 2017 security regulations, Amendment 13 and PPA guidance. Businesses that already have a GDPR DPO should assess whether that individual has the necessary knowledge of Israeli law or whether a local expert needs to be appointed or engaged as a resource. Where appointment is not mandatory, a voluntary officer or an information security officer with Israeli law expertise is a practical risk management measure that the PPA views favourably.

Conclusion

Israel's data protection regime presents a layered compliance challenge: the legacy PPL with its registration and consent requirements, the 2017 security regulations with their security levels and immediate breach notification duty, the cross-border transfer framework, and a reform package whose first stage is already in force and whose later stages will reshape the landscape further. International businesses that treat Israeli compliance as a subset of GDPR compliance will encounter gaps that carry real regulatory and legal risk. The PPA's increasingly active enforcement posture means that those gaps are more likely to be identified and acted upon than at any previous point.

Our law firm Vetrov & Partners has experience supporting clients in Israel on data protection and privacy matters. We can assist with database registration, compliance programme design, DPO advisory services, breach response, cross-border transfer structuring, and regulatory engagement with the Privacy Protection Authority. To receive a consultation, contact: info@vlo.com.