Israel Data Privacy Laws: Privacy Protection Law Guide (2026)

Last updated: March 21, 2026
Israel has one of the oldest data protection frameworks in the world. The Protection of Privacy Law (PPL), enacted in 1981, predates the European Union's first Data Protection Directive by more than a decade. But for most of its history, Israeli data privacy enforcement lagged behind the ambition of the statute.
That changed dramatically in August 2025 when Amendment 13 took effect. The amendment represents the most significant overhaul of Israeli privacy law since the original act was passed. It strengthens enforcement powers, introduces mandatory Data Protection Officers, expands the definition of sensitive data, and gives individuals the right to sue for privacy violations without proving actual harm.
This guide covers everything you need to know about Israeli data privacy law as it stands in 2026, including the original PPL framework, the Amendment 13 reforms, enforcement and penalties, EU adequacy status, and practical compliance requirements.
History and Legal Framework
Israel's data protection regime rests on two foundational pillars: a constitutional guarantee and a comprehensive statute.

Constitutional Foundation
In 1992, the Israeli Knesset passed the Basic Law: Human Dignity and Liberty, which elevated the right to privacy to constitutional status. Section 7 of that Basic Law states that every person has the right to privacy and to the confidentiality of their intimate affairs.
This constitutional grounding gives Israeli privacy protections a legal weight that few other countries match. Courts can strike down legislation or government action that infringes privacy rights without adequate justification.
The Protection of Privacy Law, 5741-1981
The Protection of Privacy Law (PPL) is the primary statute governing data protection in Israel. Originally enacted in 1981, it was one of the first comprehensive data protection laws anywhere in the world. The law governs the collection, use, storage, and disclosure of personal data.
The PPL applies to both the public and private sectors. Any entity that maintains a database containing personal information about individuals falls within its scope.
Key elements of the original PPL include:
- Database registration requirements for databases meeting certain thresholds
- Purpose limitation restricting use of personal data to the purpose for which it was collected
- Data subject rights including access, correction, and deletion
- Confidentiality obligations for anyone managing personal data
- Criminal penalties for willful privacy violations
Supporting Regulations
Several sets of regulations supplement the PPL:
- Privacy Protection (Data Security) Regulations, 5777-2017 establish tiered security requirements based on database classification (basic, medium, or high security level)
- Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 govern cross-border data transfers
- Privacy Protection (Instructions Regarding Data in Databases Used for Direct Mail) Regulations address direct marketing databases
The Data Security Regulations are particularly important. They classify databases into four tiers based on the type of data processed, the number of data subjects, and the number of authorized users. Higher-tier databases face stricter obligations including penetration testing, risk assessments, and physical access controls.
Timeline of Key Developments
| Year | Development |
|---|---|
| 1981 | Protection of Privacy Law enacted |
| 1992 | Basic Law: Human Dignity and Liberty establishes constitutional privacy right |
| 1996 | Comprehensive data protection chapter added to the PPL |
| 2006 | Israel's Privacy Protection Authority (PPA) established |
| 2011 | European Commission grants Israel EU adequacy status |
| 2017 | Data Security Regulations (5777-2017) modernize security requirements |
| 2024 | Knesset approves Amendment 13 (August) |
| 2025 | Amendment 13 enters into force (August 14) |
| 2025 | EU renews Israel's adequacy status |
The Privacy Protection Authority (PPA)
The Privacy Protection Authority (PPA) is the independent regulator responsible for enforcing the PPL. It operates under the Israeli Ministry of Justice.
PPA Responsibilities
The PPA's core functions include:
- Policy development for data protection across all sectors
- Enforcement through investigations, audits, administrative fines, and criminal referrals
- Database registration management and oversight
- Guidance on privacy best practices and compliance
- Advisory role to the Knesset on privacy-related legislation
- Promotion of privacy-by-design principles across the Israeli economy
Enforcement Powers Before Amendment 13
Historically, the PPA's enforcement tools were limited. The Registrar of Databases could conduct criminal investigations and audits, suspend or erase database registrations, and impose relatively modest fines. The limited financial penalties meant that many organizations treated data protection as a low-priority compliance matter.
Expanded Powers Under Amendment 13
Amendment 13 transformed the PPA into a regulator with real teeth. The authority can now:
- Issue administrative orders requiring organizations to change data processing practices
- Impose administrative fines reaching into millions of shekels
- Issue cease-and-desist directives halting data processing
- Conduct criminal investigations with expanded scope
- Order suspension of data processing for serious violations
The PPA has already demonstrated its intent to use these new powers. In one of its first enforcement actions under Amendment 13, the PPA fined HOT (an Israeli telecommunications company) NIS 70,000 for privacy violations, signaling that enforcement would be active from the start.
Amendment 13: The 2025 Privacy Reform
Amendment 13 to the Protection of Privacy Law (officially Amendment No. 13, 5774-2024) is the most consequential change to Israeli data protection in the law's history. Approved by the Knesset in August 2024, it entered into force on August 14, 2025.
The amendment aligns the PPL more closely with international standards, particularly the EU's General Data Protection Regulation (GDPR), while maintaining Israel's distinct regulatory approach.
Expanded Definition of Sensitive Data
Amendment 13 introduces the concept of "Information of Special Sensitivity" (ISS), which includes personal data about:
- Health and genetic information
- Biometric identifiers used for identification or verification
- Sexual orientation and family life
- Political views and opinions
- Ethnic or racial origin
- Criminal record
- Geolocation data
Organizations processing ISS face heightened obligations including stricter security measures, explicit consent requirements, and additional notification duties.
Mandatory Data Protection Officers
Amendment 13 introduced a mandatory DPO requirement for certain organizations. The following entities must appoint a Data Protection Officer:
- Public bodies as defined under the PPL (excluding security bodies)
- Data brokers whose main business involves collecting personal data to transfer to third parties, where the database contains data on more than 10,000 individuals
- Organizations whose primary activity involves large-scale processing of Information of Special Sensitivity (such as hospitals, health funds, banks, and insurance companies)
- Entities conducting systematic monitoring of individuals on a large scale
The DPO must act independently, free from conflicts of interest. They cannot hold positions that determine data processing purposes, such as head of marketing, CFO, IT manager, or CTO. The DPO should report directly to the CEO or a senior executive.
The PPA initially granted a grace period for DPO appointments until October 31, 2025. That grace period has since expired, and DPO compliance is now a 2026 enforcement priority.
Overhauled Database Registration
One of Amendment 13's most practical changes is the streamlining of database registration requirements. Previously, most organizations maintaining databases with personal data about more than 10,000 individuals had to register with the PPA.
Under the new framework:
- Most organizations are no longer required to register their databases
- Registration is still mandatory for data brokers (entities whose primary purpose is collecting personal data for transfer to third parties as a business) where the database contains data on more than 10,000 individuals
- Public agencies must still register
- Notification requirement: Organizations processing ISS about more than 100,000 individuals that are not otherwise required to register must notify the PPA of their identity, contact details, and their DPO's identity
Strengthened Consent and Transparency
Amendment 13 tightened requirements for obtaining and managing consent:
- Explicit consent is required for processing Information of Special Sensitivity
- Enhanced transparency obligations require organizations to inform data subjects about the purpose of collection, who will receive the data, the consequences of refusing consent, the identity of the data controller, and data subject rights
- Consent must be informed, and organizations must clearly explain what they are collecting and why
Board-Level Accountability
Amendment 13 introduced board-level responsibility for data protection. Boards of directors must now take an active role in overseeing data protection policies and ensuring organizational compliance.
Data Subject Rights
Israeli law provides individuals with several rights regarding their personal data, though these rights are narrower than those available under the GDPR.
Right of Access
Data subjects have the right to request access to their personal data held in any database. The database controller must respond to access requests and provide the information in an intelligible format.
Right to Rectification
Individuals can request the correction of personal data that is incorrect, incomplete, unclear, or outdated. If the database controller refuses, the individual can appeal to a court.
Right to Deletion
The PPL provides individuals with the right to request deletion of personal data that is incorrect, incomplete, unclear, or outdated. Exceptions apply when deletion could endanger the data subject's physical or mental wellbeing, breach legal privilege, or interfere with investigations and law enforcement.
Right to Object
Data subjects can object to the processing of their personal data for direct marketing purposes. Organizations must honor opt-out requests for marketing communications.
Right to Data Portability
Data portability rights under Israeli law are more limited than under the GDPR. However, sector-specific legislation has expanded portability in certain areas. The Medical Data Portability Law, 5784-2024 regulates the transfer of medical data between healthcare entities and requires patient consent for such transfers.
Right to Sue Without Proving Harm
One of the most significant changes under Amendment 13 is that individuals can now file civil claims for privacy violations without needing to prove actual harm. Courts can award statutory damages of up to NIS 100,000 (approximately USD 27,000) per person. This lowers the barrier for individuals to enforce their privacy rights and creates a meaningful financial incentive for compliance.
Penalties and Enforcement
Amendment 13 dramatically increased the financial consequences of non-compliance.
Administrative Fines
The PPA can impose administrative fines based on the severity and nature of the violation:
| Factor | Impact on Fine |
|---|---|
| Security level of the database | Higher security classification = higher fines |
| Number of data subjects affected | More individuals affected = higher fines |
| Duration of non-compliance | Longer violations = higher fines |
| Type of data involved | Sensitive data = multiplied fines |
Fines range from NIS 1,000 to NIS 320,000 per offense, but can be doubled to NIS 640,000 in severe cases. For large-scale violations, fines can include a per-data-subject component of up to NIS 100 per individual whose data is in the affected database.
The maximum administrative fine can reach approximately NIS 3.2 million (approximately USD 1 million), with penalties capped at 5% of annual turnover in the most serious cases.
Criminal Sanctions
The PPL retains criminal penalties for serious privacy violations:
- Willful privacy infringement or breach of data confidentiality obligations: up to five years imprisonment
- Obstructing PPA investigations: up to three years imprisonment
- Deliberately misleading the PPA in database registration applications: up to three years imprisonment
- Unauthorized data processing without permission from the data controller: up to three years imprisonment
Amendment 13 expanded the list of offenses carrying criminal penalties and increased maximum terms for several categories.
Civil Liability
Beyond administrative and criminal penalties:
- Statutory damages of up to NIS 100,000 (approximately USD 27,000) per person without proof of harm
- Class action lawsuits are possible for widespread privacy violations
- Actual damages can be claimed where harm is demonstrated
Data Breach Notification
Amendment 13 formalized and strengthened data breach notification requirements.
When Notification Is Required
Database owners must immediately notify the PPA in the event of a "Severe Security Incident." The definition of a severe security incident depends on the database's security classification:
- High-security databases: Any unauthorized use of data or damage to data integrity
- Medium-security databases: Unauthorized use or damage affecting a substantial part of the database
For databases containing ISS about more than 100,000 individuals, notification to the PPA is mandatory for qualifying breaches.
Security Assessment Requirements
Organizations managing large databases with sensitive data must conduct:
- Risk assessments at regular intervals
- Penetration testing at least every 18 months
- Prompt reporting of serious incidents to the PPA
Notification to Data Subjects
While the PPL has historically focused on notification to the PPA rather than to individuals, Amendment 13 expanded the obligation to inform affected data subjects in certain circumstances, particularly where the breach poses a significant risk to their rights.
Cross-Border Data Transfers
Israel regulates international transfers of personal data through the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001.
Transfer Requirements
Personal data may be transferred outside Israel only if the destination country ensures a level of data protection equivalent to Israeli law. The PPA maintains a list of approved countries with adequate protections.
For transfers to countries not on the approved list, organizations must use one of the following mechanisms:
- Contractual safeguards: The foreign recipient must undertake to comply with Israeli data protection requirements and fulfill obligations toward data subjects
- Data subject consent: Obtaining informed consent for the specific transfer
- Legal obligation: Where the transfer is required by law
Pre-Transfer Risk Assessments
Before transferring data internationally, organizations must conduct risk assessments evaluating:
- The data security regulatory environment in the receiving country
- The potential for government surveillance in the receiving country
- Whether sensitive data is involved
- The adequacy of contractual protections
EU Adequacy Status
Israel was granted EU adequacy status in 2011 under the original Data Protection Directive. This means the European Commission determined that Israel provides an adequate level of data protection, allowing personal data to flow freely from the EU/EEA to Israel without requiring additional safeguards such as Standard Contractual Clauses.
The European Commission renewed Israel's adequacy status, reaffirming that Israeli data protection standards remain essentially equivalent to those under the GDPR.
Practical Significance
For businesses operating between Israel and the EU, adequacy status means:
- No additional transfer mechanisms required for personal data flows from EU to Israel
- Simplified compliance for multinational organizations with operations in both jurisdictions
- Competitive advantage for Israeli companies providing services to EU clients
Ongoing Controversy
Israel's adequacy status has faced scrutiny. In 2025, civil society organizations including EDRi and Access Now sent letters to the European Commission urging reassessment of the adequacy decision, citing concerns about surveillance practices. Members of the European Parliament also raised questions about whether Israel's use of personal data remains compatible with GDPR principles.
The European Commission responded that based on its evaluation, it does not believe the adequacy decision needs modification. However, advocacy groups continue to press the issue, and organizations relying on adequacy-based transfers should monitor developments.
Compliance Requirements for Organizations
Organizations operating in Israel or processing Israeli residents' personal data should focus on these practical compliance steps.
Immediate Priorities
- Appoint a DPO if your organization falls within the mandatory categories
- Review database classifications under the Data Security Regulations to determine your security tier
- Update consent mechanisms to meet Amendment 13's enhanced transparency requirements
- Conduct a data inventory to identify databases containing Information of Special Sensitivity
- Implement breach notification procedures aligned with the new requirements
Security Obligations
The Data Security Regulations (5777-2017) require security measures proportional to the database classification:
- Basic level: Fundamental security procedures, access controls, and documentation
- Medium level: All basic requirements plus access logging, encryption considerations, and periodic reviews
- High level: All medium requirements plus mandatory penetration testing every 18 months, comprehensive risk assessments, and physical access controls
Documentation and Record-Keeping
Organizations should maintain:
- Records of data processing activities
- Consent documentation
- Data protection impact assessments for high-risk processing
- Breach logs and notification records
- DPO appointment documentation and independence verification
Israel vs. GDPR: Key Differences
While Amendment 13 moved Israeli law closer to GDPR standards, meaningful differences remain.
| Feature | Israel (PPL + Amendment 13) | EU (GDPR) |
|---|---|---|
| Lawful basis | Primarily consent-focused | Six lawful bases including legitimate interests |
| DPO requirement | Mandatory for specific categories | Mandatory for public authorities and certain processors |
| Fines | Up to NIS 3.2 million / 5% turnover | Up to EUR 20 million / 4% global turnover |
| Right to be forgotten | Limited deletion rights | Comprehensive erasure right |
| Data portability | Limited (sector-specific) | Broad right across all sectors |
| Statutory damages | NIS 100,000 without proving harm | Left to member state law |
| Breach notification | To PPA for severe incidents | To supervisory authority within 72 hours |
| Extraterritorial scope | Limited | Broad global reach |