What is PPL?
The Protection of Privacy Law 5741 - 1981 (PPL) is Israel’s governing data privacy law, covering the way personal and sensitive information is collected and used, as well as the way it is handled securely. It is supplemented by the Protection of Privacy Regulations 5777-2017 which, according to Article 36 of the law, have to be issued by the Minister of Justice in order to help implement the text of the law. Covered organizations have to be registered in a Register of Databases, based on requirements set forth in this law.
At this time a new draft bill is under review, which would both update the current data privacy law and help preserve Israel's status as a state with an EU adequacy decision. However, it is not yet known when, or whether, this new law will go into effect.
What is Personal Information and what are other key definitions?
The PPL, alongside the Regulations, offers a series of definitions. As far as ‘personal information’ is concerned, the law uses the general term ‘information’ and defines it as “data on the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person.” The term ‘sensitive information’ becomes difficult to distinguish from personal information as the law defines this to mean “data on the personality, intimate affairs, state of health, economic position, opinions and beliefs of a person” as well as any information that “the Minister of Justice determined by order, with the approval of the Constitution, Law and Justice Committee of the Knesset, is sensitive information.” The Regulations also define ‘biometric data’ as “information used to identify a person which is a unique physiological human characteristic that can be measured by a computer.”
The law does not mention the idea of a ‘data controller’ or ‘data processor’ but instead defines, on the one hand, a ‘possessor, for the purpose of a database’ as “a person who has a database in his possession permanently and is permitted to use it,” and on the other hand, a ‘manager of database,’ which is “an active manager of a body that owns or possesses a database or a person whom the aforesaid manager authorized for this purpose.”
The law also clarifies what 'public body' means, since it later details which organizations are covered. A public body is any of the following:
- “a Government Department and any other State institution, a local authority and any other body carrying out public functions under any law;
- a body designated by the Minister of Justice, by order, with the approval of the Constitution, Law and Justice Committee of the Knesset, provided that the order shall prescribe the categories of information and data items which the body may impart and receive.”
One last definition relevant here is that of ‘database’ which is “a collection of data, kept by a magnetic or optic means and intended for computer processing.”
Who has to comply with the PPL?
The PPL applies to any organization in Israel, whether business, public, or private, that either holds or processes personal data. More specifically, it covers any database that meets one of the following criteria, and such a database must be registered:
- it contains the information of more than 10,000 individuals;
- it contains sensitive information;
- it contains information on data subjects whose information was not disclosed to the database directly by the data subject, by someone else on their behalf, or with the data subject’s consent;
- it belongs to public bodies, as defined by the law;
- it is used for direct mailing purposes, as defined by the law.
The law makes no mention of territorial or extraterritorial scope and gives no clear determination of jurisdiction; it also does not state whether the data subject has to be a citizen or resident of Israel.
Who is excluded from PPL compliance?
The PPL exempts any person who violates this data privacy law while performing an act they are empowered by law to perform.
Additionally, it excludes databases that refer to either “a collection for personal use that is not for business purposes” or “a collection that includes only the name, address and method of communication, which in itself does not produce a characterization which infringes the privacy of the persons whose names are included therein, provided that the owner of the collection or the body corporate under his control does not have another collection.”
How can I keep my organization PPL compliant?
Your organization has a series of obligations, outlined in the text of the law or the text of the Regulations.
As a database owner, you are required to register your database in the Registry. You are also required to appoint a 'security supervisor,' the law's term for a Data Protection Officer, if you meet one of the following criteria:
- you possess five databases which require registration;
- you are a public body as defined by the law;
- your organization is a bank, an insurance company, or a business involved in credit rating or evaluation.
Once registered, in the event of a change in ownership of the database, such as a merger or acquisition, you are required to inform both the Registrar and the data subject(s) of this change. Other requirements include:
- Implementation of security measures: the law prescribes no specific measures or guidance on how to implement them.
- Conducting data protection impact assessments: in some cases, such as where there is a high risk of security breaches, the assessment has to be done every 18 months.
- Documenting any security incident, and where a severe incident has occurred, informing the regulating authority.
What data access rights does PPL grant?
The PPL grants data subjects two rights, namely the Right to Access and the Right to correct inaccurate data.
A data subject access request can be submitted by the data subject, or by a representative authorized to do so by the data subject or by the data subject's legal guardian. As for requests to correct inaccurate information, if the data subject finds that the data is incorrect, incomplete, unclear, or not up to date, they can request that the possessor of the database make the proper corrections, even if the data subject is not a resident.
How to address data subject access requests under PPL?
There are no requirements governing the timeline for answering data subject requests or any other aspect of handling them. The law's only requirement is that when a data subject access request is made, the database owner must enable the data subject to access their data in Hebrew, English, or Arabic.
Enforcement and penalties
The regulating authority is the Privacy Protection Authority (PPA) and it is part of the Ministry of Justice of Israel.
Penalties vary as follows:
- ILS 2,000 (approx. $598) for violations such as failing to register a database that requires registration, or providing false information in the application for registration;
- ILS 3,000 (approx. $896) for violations such as not complying with the data subjects' right to access, or failing to appoint a DPO;
- ILS 5,000 (approx. $1,493) for using the information in a database for purposes other than those for which it was registered;
- a fivefold fine for any of the above if the violation is committed by a corporation.
In addition to these fines, violations may also carry criminal liability with imprisonment of 1 year. For more serious violations, such as disclosing sensitive information, the term can go up to 5 years of imprisonment. Data subjects also have a private right of action in court, since a violation is treated as a civil wrong for which damages may be claimed.
Data Subject Rights - GDPR vs. PPL
Under the GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Under the PPL:
- Right to access
- Right to correct
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.