Israel Data Privacy Laws: Complete Guide to the PPL and Amendment 13 (2026)

Israel governs data privacy through the Protection of Privacy Law 5741-1981, enforced by the Privacy Protection Authority. Amendment 13, effective August 14, 2025, expanded enforcement powers, mandated Data Protection Officers for designated organizations, and granted individuals the right to sue for statutory damages without proving harm.
Last updated: May 19, 2026
Israel has one of the oldest data protection frameworks in the world. The Protection of Privacy Law (PPL), enacted in 1981, predates the European Union's first Data Protection Directive by more than a decade. For most of its history, Israeli privacy enforcement lagged behind the ambition of the statute.
That changed when Amendment 13 took effect on August 14, 2025. The amendment is the most significant overhaul of Israeli privacy law since the original act was passed. It strengthens enforcement powers, introduces mandatory Data Protection Officers, expands the definition of sensitive data, raises the financial consequences of non-compliance, and extends the statute of limitations for civil claims. Combined with the Privacy Protection Authority's (PPA) demonstrated willingness to act, Amendment 13 marks a new era for data protection in Israel.
This guide covers the full Israeli data privacy framework as it stands in 2026, including the constitutional basis, the original PPL, the Amendment 13 reforms, Data Security Regulations, enforcement powers and penalties, EU adequacy status, AI guidelines, and practical compliance requirements.
Quick Answer
Israel's primary data protection law is the Protection of Privacy Law 5741-1981. The supervisory authority is the Privacy Protection Authority (PPA), which operates under the Ministry of Justice. Amendment 13, effective August 14, 2025, is the dominant recent development: it modernized definitions, expanded PPA enforcement to include administrative fines up to NIS 3.2 million, introduced mandatory DPOs for certain organizations, and gave individuals a right to sue without proving actual harm. Israel holds EU adequacy status, renewed by the European Commission on January 15, 2024, allowing free data flows from the EU without additional safeguards.
Constitutional Foundation
Privacy in Israel is a constitutional right, not merely a statutory one. In 1992, the Knesset passed the Basic Law: Human Dignity and Liberty, which elevated privacy to the status of a fundamental right. Section 7 states that every person has the right to privacy and to the confidentiality of their intimate affairs.
Because privacy is constitutionally grounded, courts can strike down legislation or government action that infringes privacy rights without adequate justification. This gives Israeli privacy law a legal weight that purely statutory frameworks lack. Any limitation on the right to privacy must be by law, for a proper purpose, and to an extent no greater than is required.
The Protection of Privacy Law, 5741-1981
The Protection of Privacy Law (PPL) is the primary statute governing data protection in Israel. Enacted in 1981, it was among the first comprehensive data protection laws anywhere in the world. The PPL governs collection, use, storage, disclosure, and transfer of personal data by both public bodies and private organizations.
Scope and Application
The PPL applies to any person or entity that maintains a database containing personal information about individuals, regardless of whether the data controller is based in Israel or abroad. Any database with information about more than 10 people counts for regulatory purposes.
The PPL does not rely on a GDPR-style list of lawful bases for processing. Instead, it uses a consent-and-purpose-limitation model. Personal data may be processed only:
- With the informed consent of the data subject
- When required by law
- When necessary for legitimate activities of the database owner, provided the processing is consistent with the purpose disclosed at collection
Explicit consent is required for processing Information of Special Sensitivity (ISS) after Amendment 13.
Core Obligations
Key obligations under the PPL include:
- Purpose limitation: Personal data may only be used for the purpose for which it was collected. Using data for other purposes without consent is a violation.
- Transparency: Data subjects must be informed of the purpose of collection, who will hold the data, and what rights they have.
- Data accuracy: Controllers must take reasonable steps to ensure data is accurate, complete, and current.
- Confidentiality: Anyone working with a database has obligations of confidentiality regarding personal data they access.
- Data security: Appropriate technical and organizational measures must be in place to protect data from unauthorized access, loss, or destruction.
Supporting Regulations
Several regulations supplement the PPL:
- Privacy Protection (Data Security) Regulations, 5777-2017 establish tiered security requirements based on database classification
- Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 govern cross-border transfers
- Privacy Protection (Instructions Regarding Data Used for Direct Mail) Regulations address direct marketing databases
Timeline of Key Developments
| Year | Development |
|---|---|
| 1981 | Protection of Privacy Law enacted |
| 1992 | Basic Law: Human Dignity and Liberty establishes constitutional privacy right |
| 1996 | Comprehensive data protection chapter added to the PPL |
| 2006 | Privacy Protection Authority (PPA) established |
| 2011 | European Commission grants Israel EU adequacy status (original decision) |
| 2017 | Data Security Regulations (5777-2017) modernize security requirements |
| January 2024 | European Commission renews Israel's EU adequacy status |
| August 2024 | Knesset approves Amendment 13 |
| April 2025 | PPA publishes draft AI guidelines |
| August 14, 2025 | Amendment 13 enters into force |
| August 2025 | PPA issues first administrative fines under Amendment 13 |
| October 2025 | DPO grace period expires; DPO compliance becomes a live enforcement issue |
The Privacy Protection Authority (PPA)
The Privacy Protection Authority (PPA) is the independent supervisory authority responsible for enforcing the PPL. It operates under the Israeli Ministry of Justice.

Core Functions
The PPA is responsible for:
- Enforcing the PPL through investigations, audits, administrative fines, and criminal referrals
- Issuing regulatory guidance and binding directives
- Managing the database registration and notification system
- Advising the Knesset on privacy-related legislation
- Promoting privacy-by-design principles
- Representing Israel in international data protection forums
Pre-Ruling Procedure
One notable feature of the post-Amendment 13 regime is a formal pre-ruling procedure. Organizations can seek advance guidance from the PPA on a planned data processing activity before undertaking it. The PPA must respond within 60 days. This gives businesses a way to manage regulatory risk for novel or complex processing activities, a mechanism that did not exist under the original framework.
Enforcement Powers Under Amendment 13
Amendment 13 transformed the PPA from a relatively limited regulator into an authority with meaningful enforcement capacity. The PPA can now:
- Issue administrative orders requiring organizations to change data processing practices
- Impose administrative fines reaching millions of shekels
- Issue cease-and-desist directives halting data processing operations
- Conduct criminal investigations with expanded scope
- Order suspension or deletion of databases in serious cases
- Publish the names of violators for up to four years
Amendment 13: The 2025 Privacy Reform
Amendment 13 to the Protection of Privacy Law (officially Amendment No. 13, 5784-2024) is the most consequential change to Israeli data protection in the law's history. Approved by the Knesset in August 2024, it entered into force on August 14, 2025.
The amendment does not replace the PPL. It modernizes and expands the existing framework, aligning it more closely with international standards such as the GDPR while maintaining Israel's distinct statutory approach.
Expanded Definition of Sensitive Data
Amendment 13 introduces the concept of "Information of Special Sensitivity" (ISS). This category receives heightened protections throughout the amended law. ISS includes personal data about:
- Health conditions and genetic information
- Biometric identifiers used for identification or verification
- Sexual orientation and intimate family life
- Political views and opinions
- Ethnic or racial origin
- Criminal record
- Geolocation data
- Financial details
Processing ISS requires explicit, separate consent. It cannot be bundled into general terms and conditions. Organizations processing ISS also face stricter security requirements, additional notification duties, and the highest fine multipliers.
The expanded personal data definition now expressly includes IP addresses, online identifiers, and behavioral data, closing interpretive gaps that existed under the original 1981 text.
Mandatory Data Protection Officers
Amendment 13 introduced a mandatory DPO requirement for four categories of organization. The following entities must appoint a Data Protection Officer:
- Public bodies as defined under the PPL, including government ministries, state authorities, municipalities, health funds, hospitals, and universities (excluding security bodies)
- Data brokers whose primary business involves collecting personal data for transfer to third parties, where the database contains data on more than 10,000 individuals
- Organizations whose primary activity involves large-scale processing of Information of Special Sensitivity, such as hospitals, health insurers, banks, and insurance companies
- Entities conducting systematic monitoring of individuals on a large scale, such as operators of behavioral tracking platforms, location services, wearables, or surveillance systems
The DPO can be an internal employee or an external appointment. They must possess in-depth knowledge of Israeli privacy law, sound understanding of information security, and familiarity with the organization's operations. Formal certification is not required, but practical expertise is.
The DPO must operate with full independence and free from conflicts of interest. The PPA's draft guidance on DPO appointments makes clear that the DPO cannot also serve as Head of Marketing, Head of Customer Success, CFO, IT Manager, or CTO. The DPO should report directly to the CEO or an equivalent senior executive.
The PPA granted an initial grace period until October 31, 2025, during which it would not enforce the DPO requirement. That grace period has expired. DPO compliance is a stated 2026 enforcement priority. Expect the PPA to examine whether DPOs have adequate resources, genuine independence, and are properly integrated into governance structures.
Overhauled Database Registration
One of Amendment 13's most practical changes is the streamlining of database registration. Previously, most organizations maintaining databases with personal data about more than 10,000 individuals had to register with the PPA.
Under the revised framework:
- Most private-sector organizations no longer need to register their databases
- Registration remains mandatory for data brokers where the database covers more than 10,000 individuals
- Public agencies must still register
- Notification requirement: Organizations processing ISS about more than 100,000 individuals that are not otherwise required to register must notify the PPA of their identity, contact details, and their DPO's details
This shift moves compliance from broad registration to targeted oversight of the highest-risk actors: data brokers and large-scale sensitive data processors.
Strengthened Consent and Transparency
Amendment 13 tightened the rules for obtaining and managing consent. Blanket consent buried in terms of service is no longer acceptable for most purposes and is entirely insufficient for ISS. When collecting personal data, organizations must now disclose:
- The legal basis for data collection
- The specific purposes for which the data will be used
- The identity of the data controller
- Potential third-party recipients
- The consequences of refusing to provide the data
- Data subject rights including access, rectification, and deletion
Consent must be specific, informed, and documented. Organizations should maintain records demonstrating that valid consent was obtained.
Board-Level Accountability
Amendment 13 introduced direct board-level responsibility for data protection. Boards of directors must now take an active role in overseeing data protection policies and ensuring organizational compliance. This was not required under the original PPL. The change signals that the Knesset intended data protection to be treated as a governance matter, not just an IT or legal function.
Extended Statute of Limitations
The civil statute of limitations for privacy claims was extended from two years to seven years. This gives individuals significantly more time to bring legal action for privacy violations, increasing the long-tail liability exposure for organizations.
Pre-Ruling Procedure
The amended law introduced a formal procedure by which organizations can request advance guidance from the PPA on proposed data processing activities. The PPA must issue a ruling within 60 days. This provides a meaningful compliance tool for organizations navigating complex or novel data processing scenarios.
Privacy Protection (Data Security) Regulations, 5777-2017
The Privacy Protection (Data Security) Regulations are among the most operationally significant parts of the Israeli framework. Enacted in 2017, they establish tiered security requirements based on database classification.

Database Security Tiers
Databases are classified into three security tiers based on the type of data processed, the number of data subjects, and the number of authorized users:
- Basic level: Applies to small databases with non-sensitive data. Requirements include documented security procedures, access controls, and basic physical security measures.
- Medium level: Applies to larger databases or those containing more sensitive information. Additional requirements include access logging, periodic security reviews, encryption considerations, incident response procedures, and employee privacy training.
- High level: Applies to databases containing ISS or particularly large databases. Requirements include all medium-level measures plus mandatory penetration testing at least every 18 months, comprehensive risk assessments, physical access controls, and detailed incident response plans.
Security Obligations Common to All Tiers
Regardless of classification, all database owners must:
- Appoint a person responsible for data security
- Maintain a written security procedure
- Control and document access authorizations
- Take measures to prevent unauthorized access
- Report security incidents to the PPA where required
Breach Reporting
The Data Security Regulations require immediate notification to the PPA of a "Severe Security Incident." What qualifies depends on the database's security classification:
- High-security databases: Any unauthorized use of data or damage to data integrity
- Medium-security databases: Unauthorized use or damage affecting a substantial portion of the database
Amendment 13 expanded breach notification in two additional ways. For databases containing ISS about more than 100,000 individuals, PPA notification is explicitly mandatory for qualifying incidents. Organizations must also notify affected data subjects where a breach poses a significant risk to their rights, not just the PPA.
Data Subject Rights
Israeli law provides individuals with rights regarding their personal data. Post-Amendment 13, those rights are more practically enforceable than at any point in the law's history.
Right of Access
Data subjects can request access to personal data held about them in any database. The controller must respond within a reasonable period and provide the information in an intelligible format. The PPA has stated that enforcing data subject access rights is a 2026 priority.
Right to Rectification
Individuals can request correction of personal data that is incorrect, incomplete, unclear, or outdated. If the controller refuses, the individual can appeal to a court.
Right to Deletion
The PPL allows individuals to request deletion of personal data that is incorrect, incomplete, unclear, or outdated. Exceptions apply where deletion would endanger the data subject's wellbeing, breach legal privilege, or interfere with law enforcement.
Right to Object to Direct Marketing
Data subjects can object to the processing of their personal data for direct marketing purposes. Organizations must honor opt-out requests.
Right to Data Portability
Data portability rights in Israel are narrower than under GDPR. However, sector-specific legislation has expanded portability in certain areas. The Medical Data Portability Law, 5784-2024, governs the transfer of medical records between healthcare providers and requires patient consent.
Right to Sue Without Proving Harm
In one of Amendment 13's most significant changes, individuals can now file civil claims for privacy violations without proving actual harm. Courts can award statutory damages of up to NIS 100,000 (approximately USD 27,000) per person. The statute of limitations for such claims is now seven years. This removes the practical barrier that previously deterred most individual enforcement actions and creates meaningful financial exposure for class actions involving widespread violations.
Penalties and Enforcement
Amendment 13 dramatically increased the financial consequences of non-compliance.
Administrative Fines
The PPA can now impose administrative fines without going to court. The fine structure is tiered:
- Per-offense fines range from NIS 1,000 to NIS 320,000
- Aggravated cases allow fines to be doubled to NIS 640,000
- Large-scale violations can add a per-data-subject component of up to NIS 100 per individual in the affected database
- The maximum administrative fine can reach approximately NIS 3.2 million (roughly USD 900,000)
- Turnover cap: fines are capped at 5% of annual turnover in the most serious cases
- Reduced fines: small and micro businesses benefit from substantially reduced fine caps
- Name-and-shame: the PPA can publish violators' names for up to four years
Fines can be reduced by up to 70% for first-time violations or where mitigating circumstances exist. The fine structure is calibrated to the severity of the violation, the size of the organization, the number of affected individuals, and whether ISS is involved.
First Enforcement Actions Under Amendment 13
The PPA wasted no time demonstrating enforcement intent. In August 2025, the same month Amendment 13 took effect, the PPA imposed its first fine under the new regime: NIS 75,000 against an employee of the National Insurance Institute of Israel for conducting 15 unauthorized data queries involving sensitive personal information. The violations occurred between 2020 and 2021. The case involved use of personal data for purposes inconsistent with the original intent of the databases, a violation of the purpose-limitation principle under Section 8(b) of the PPL.
The PPA also fined HOT, an Israeli telecommunications provider, NIS 70,000 for separate privacy violations, further signaling that enforcement would be active from day one.
Criminal Sanctions
The PPL retains criminal penalties for serious violations:
- Willful privacy infringement or breach of confidentiality obligations: up to five years imprisonment
- Obstructing PPA investigations: up to three years imprisonment
- Deliberately misleading the PPA in database registration applications: up to three years imprisonment
- Unauthorized data processing without permission from the data controller: up to three years imprisonment
Amendment 13 expanded the list of offenses carrying criminal penalties and increased maximum terms for several categories.
Civil Liability
Beyond administrative and criminal penalties:
- Statutory damages of up to NIS 100,000 per person without proof of harm
- Class action lawsuits possible for widespread violations
- Actual damages where real harm is demonstrated
- Punitive damages of up to NIS 10,000 per person for purpose-limitation violations or failures to fulfill access rights
Cross-Border Data Transfers
Israel regulates international transfers through the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001.

Transfer Requirements
Personal data may be transferred outside Israel only where the destination country ensures an equivalent level of data protection. The PPA maintains an approved-country list.
For transfers to unapproved countries, organizations must rely on:
- Contractual safeguards: the foreign recipient contractually commits to Israeli data protection standards and data subject obligations
- Data subject consent: informed consent for the specific transfer
- Legal obligation: where the transfer is required by law
Pre-Transfer Risk Assessments
Before transferring data internationally, organizations should assess the regulatory environment in the receiving country, the risk of government surveillance, whether ISS is involved, and whether contractual protections are adequate.
EU Adequacy Status
Israel was granted EU adequacy status in 2011 under the original Data Protection Directive. On January 15, 2024, the European Commission renewed Israel's adequacy status as part of its GDPR Article 45 four-year review cycle, confirming that Israeli data protection continues to provide an essentially equivalent level of protection to GDPR standards.
What Adequacy Means in Practice
For businesses operating between Israel and the EU, adequacy status means:
- No additional transfer mechanisms required for personal data flows from the EU or EEA to Israel
- No Standard Contractual Clauses needed for EU-to-Israel transfers
- Simplified compliance for multinational organizations with operations in both jurisdictions
- Competitive advantage for Israeli companies providing services to EU clients
Adequacy Does Not Mean GDPR Compliance
EU adequacy status is frequently misunderstood. It means data can flow from the EU to Israel without extra safeguards. It does not mean Israeli organizations automatically comply with the GDPR. Organizations processing the personal data of EU residents must comply with the GDPR independently, regardless of Israel's adequacy status.
Ongoing Scrutiny
Israel's adequacy status has faced civil society pressure. In April 2024, a coalition of 17 organizations coordinated by EDRi and Access Now wrote to the European Commission urging reassessment of the adequacy decision. Members of the European Parliament have also raised formal questions about whether Israeli data use remains compatible with GDPR principles. The European Commission has responded that based on its evaluation, no modification is needed. The adequacy decision remains in force.
AI and Privacy: PPA Guidelines (2025)
One of the most significant post-Amendment 13 developments is the PPA's draft guidance on privacy in artificial intelligence systems, published in April 2025. The guidelines clarify how the PPL applies across the full AI lifecycle.
Key Principles
The PPA's AI guidance establishes that:
- The PPL applies to AI systems that collect, process, or use personal data, including during training, development, and deployment
- Privacy-by-design must be built into AI systems from inception, not added afterwards
- Most databases used in AI development are classified at medium-to-high security level under the Data Security Regulations
- Automated decision-making that significantly affects individuals requires transparency about the logic involved
Data Scraping
The PPA took a clear position on data scraping. Unauthorized scraping of personal data constitutes a "severe security incident" requiring immediate PPA notification. Database owners are required to take reasonable technical measures to prevent prohibited scraping from their platforms. Organizations using scraped personal data for AI training without a valid legal basis are in violation of the PPL.
Consent for AI Processing
Where AI processing is complex, deviates from data subjects' reasonable expectations, or poses a high risk to individual rights, the PPA's position is that active and separate consent is required. Consent obtained for one purpose cannot be repurposed for AI training or model development without fresh consent.
Vendor Accountability
Organizations using third-party AI vendors must conduct due diligence on those vendors' privacy practices, implement contractual controls, and ensure vendors provide sufficient guarantees. The data controller remains accountable for processing conducted by AI vendors on its behalf.
2026 AI Enforcement Outlook
The PPA is expected to finalize its AI guidance in 2026 and begin active enforcement. Organizations building or deploying AI systems that process personal data of Israeli residents should treat the draft guidance as indicative of the PPA's enforcement intent, not as a safe harbor.
Israel vs. GDPR: Key Differences
While Amendment 13 moved Israeli law materially closer to GDPR standards, important differences remain.
| Feature | Israel (PPL + Amendment 13) | EU (GDPR) |
|---|---|---|
| Lawful bases | Primarily consent and legal obligation | Six lawful bases including legitimate interests |
| DPO requirement | Mandatory for four specific categories | Mandatory for public authorities and certain large processors |
| Maximum fine | NIS 3.2 million / 5% annual turnover | EUR 20 million / 4% global annual turnover |
| Right to be forgotten | Limited deletion rights | Comprehensive erasure right |
| Data portability | Limited and sector-specific | Broad right across sectors |
| Statutory damages | NIS 100,000 per person without proving harm | Left to member state law |
| Breach notification | To PPA for severe incidents; to individuals in high-risk cases | To supervisory authority within 72 hours; to individuals without undue delay |
| Statute of limitations | 7 years (extended by Amendment 13) | Varies by member state |
| Extraterritorial scope | Limited | Broad global reach |
| Pre-ruling procedure | Yes, PPA must respond within 60 days | No equivalent right under GDPR |
Business Compliance Requirements
Organizations operating in Israel or processing the personal data of Israeli residents should prioritize the following.
Mandatory Steps
- Appoint a DPO if your organization falls within the four mandatory categories. The DPO grace period ended October 31, 2025. Non-compliance is a live enforcement risk in 2026.
- Conduct a data inventory to identify all databases, their security classification under the Data Security Regulations, and whether any contain ISS.
- Review database registration status: determine whether you still need to register with the PPA, or whether only a notification is required.
- Update consent mechanisms to meet Amendment 13's enhanced transparency requirements. Review all data collection forms, privacy notices, and cookie banners.
- Implement breach notification procedures with clear internal escalation paths and PPA notification workflows.
- Review international transfer arrangements for non-adequacy-country recipients.
Security Obligations by Tier
Under the Data Security Regulations, security obligations scale with database classification:
- Basic level: Documented security procedures, access controls, basic physical security
- Medium level: All basic requirements plus access logging, encryption, periodic security reviews, incident response, and employee training
- High level: All medium requirements plus mandatory penetration testing every 18 months, comprehensive risk assessments, and physical access controls
Documentation and Record-Keeping
Organizations should maintain:
- Records of all data processing activities and purposes
- Consent documentation including timestamps and the specific consent text shown
- Data Protection Impact Assessments for high-risk processing
- Breach logs and PPA notification records
- DPO appointment documentation and independence verification
- Records of any pre-ruling requests and PPA responses
AI-Specific Steps
For organizations building or deploying AI:
- Conduct a Data Protection Impact Assessment before deploying any AI system that uses personal data
- Review data scraping practices and ensure a valid legal basis exists for any personal data used in training
- Disclose to users when they are interacting with an automated system
- Establish correction and access workflows for AI-generated decisions
Recent Developments (2025-2026)
August 2025: Amendment 13 enters into force. The PPA issues its first administrative fines under the new framework in the same month, demonstrating immediate enforcement intent.
October 2025: The DPO grace period expires. Organizations that did not appoint a DPO by this date are in violation, with no further administrative forbearance.
April 2025: The PPA publishes draft AI guidelines, applying the PPL to the full AI lifecycle and taking a firm position on data scraping as a severe security incident.
2026 enforcement priorities: DPO compliance (independence, resourcing, governance integration), data subject access and rectification rights, AI governance, and cookie consent standards (Israeli courts expected to reference EU guidance on "Reject All" requirements).
Ongoing: Civil society organizations continue to press the European Commission to reassess Israel's adequacy status. The Commission has indicated no change is warranted. Organizations relying on adequacy-based transfers should continue monitoring.
Frequently Asked Questions
Does the Israeli Protection of Privacy Law apply to foreign companies?
The PPL applies to anyone who maintains a database containing personal data of Israeli residents, regardless of where the organization is located. A foreign company that actively collects data from Israeli residents or operates a service targeting Israeli users falls within its scope. However, the law's extraterritorial reach is more limited in practice than the GDPR. The PPA has signaled willingness to pursue enforcement against foreign entities in cases involving serious violations.
What is the deadline for appointing a DPO under Amendment 13?
Amendment 13 took effect on August 14, 2025. The PPA granted a grace period until October 31, 2025, during which it would not enforce the DPO requirement. That grace period has expired. Organizations that fall within the mandatory categories (public bodies, data brokers with 10,000+ records, large-scale ISS processors, and systematic monitoring entities) should have a DPO in place. DPO compliance is a stated 2026 enforcement priority.
Does Israel's EU adequacy status mean GDPR compliance is automatic?
No. EU adequacy status means that personal data can flow from the EU to Israel without additional transfer mechanisms like Standard Contractual Clauses. It does not mean that Israeli organizations automatically comply with the GDPR. If your organization processes data of EU residents, you must comply with the GDPR independently. The adequacy decision simplifies the transfer mechanism; it does not substitute for substantive GDPR compliance.
Can individuals sue for privacy violations without proving harm under Amendment 13?
Yes. This is one of Amendment 13's most significant changes. Individuals can now bring civil claims for privacy violations and receive statutory damages of up to NIS 100,000 (approximately USD 27,000) per person without proving actual harm. The statute of limitations for such claims is seven years. Class action lawsuits are also possible, meaning organizations facing widespread violations could face substantial aggregate liability.
Do I still need to register my database with the PPA after Amendment 13?
Most private-sector organizations no longer need to register. Registration is now mandatory only for data brokers with databases covering more than 10,000 individuals, and for public agencies. However, private-sector organizations that process Information of Special Sensitivity about more than 100,000 individuals must notify the PPA of their identity, contact details, and DPO information, even if full registration is not required.
What counts as Information of Special Sensitivity under Amendment 13?
Information of Special Sensitivity (ISS) under Amendment 13 includes: health conditions and genetic information, biometric identifiers used for identification or verification, sexual orientation and intimate family life, political views and opinions, ethnic or racial origin, criminal record, geolocation data, and financial details. Processing ISS requires explicit, separate consent and triggers the strictest security requirements and highest fine multipliers.
What are the PPA's enforcement priorities for 2026?
The PPA has identified DPO compliance as a key 2026 priority, with particular focus on whether DPOs have genuine independence, adequate resources, and proper governance integration. Enforcing data subject access and rectification rights is also a stated priority. AI governance and cookie consent standards are emerging enforcement areas, with the PPA expected to finalize its AI guidelines and begin active enforcement during 2026.