What Israel's Amendment 13 Means for Businesses in 2025

Israel is widely recognized as a major global player and leader in cybersecurity innovation, particularly in areas like AI security, cloud protection, and threat intelligence. It was only fitting that Israel enter a new phase in its data protection laws. Israel has revamped the Protection of Privacy Law, 5741-1981, which is a complete overhaul of the privacy framework. The reform underscores Israel’s commitment to aligning with global privacy norms while maintaining its distinct regulatory approach with a heightened emphasis on cybersecurity.

On Aug 5, 2024, the Knesset approved Amendment No. 13, with most provisions taking effect on Aug 14, 2025. The update modernizes core definitions, adds governance obligations (such as appointing a privacy officer in defined cases), strengthens transparency, introduces data-broker requirements, and significantly expands the powers of the Privacy Protection Authority (PPA) to investigate, enforce, and fine, signalling a shift toward proactive data protection and governance.

Amendment 13 arrives alongside a separate European Economic Area (EEA) data transfer regime that became applicable in 2025 for Israeli databases that also include data originating from the EEA, imposing enhanced rights and duties on those mixed databases.

Landmark Privacy Reform

Israel’s Privacy Protection Law, first enacted in 1981, has been incrementally amended for decades. Amendment 13 marks the most sweeping reform to date—bringing coherence to past updates, introducing modern legal definitions, and creating new mechanisms for proactive supervision, oversight, and administrative inquiry.

The legislation was shaped through extensive consultation with legal scholars, civil society, and industry leaders. The result is a framework designed to strike a careful balance: enabling innovation while safeguarding individual rights, and equipping the Privacy Protection Authority (PPA) with the mandate and tools to enforce compliance more effectively than ever before.

New Updates from Amendment 13

Broader Data Definitions

Personal data now covers any data about an identified or identifiable person (using “reasonable effort”), and processing is defined broadly (any operation on personal data). Categories of particularly sensitive data are clarified and widened.

Mandatory Privacy Protection Officer

Organizations that meet certain thresholds—such as large-scale processing of sensitive data, systematic monitoring, or operating as public authorities or data brokers—are now required to appoint a qualified Privacy Protection Officer (PPO).

This role must operate independently, report directly to senior leadership, and bring a unique blend of expertise: legal knowledge, IT and cybersecurity fluency, and a deep understanding of the organization’s operations.

The PPA has clarified key expectations: individuals with decision-making authority cannot serve as the PPO, and the role must remain distinct from the Chief Information Security Officer to avoid conflicts of interest.

Beyond data processing oversight, the PPO must be actively involved in all matters related to privacy, with guaranteed access to the resources needed to fulfill its mandate effectively.

Expanded Transparency and Notices

Organizations are required to provide transparent, easy-to-understand information about what data is collected, why it is processed, and who will have access to it. When handling sensitive categories of data—especially biometrics or information used in AI systems—additional disclosure rules apply to ensure heightened accountability.

Consent must be meaningful: informed, voluntary, and in most cases explicit. This is particularly true for sensitive data processing and direct marketing. The PPA’s guidance makes clear that organizations must offer granular consent options, avoid vague or bundled consent, and ensure individuals can make truly free choices.

The PPA has underscored that these consent requirements are binding obligations, not suggestions. That means organizations must implement clear opt-in mechanisms, maintain full transparency about how data will be used, and keep auditable records of consent collection and management.

Data Brokers Under the Microscope

Organizations engaged in data brokerage or direct mailing are required to formally register their databases and keep detailed records of data sources and transfers. They must also respect opt-out requests by ensuring all communications include the database’s registration number along with clear instructions for deletion.

Failure to meet these requirements can result in administrative enforcement actions, including warnings or monetary penalties.

AI and Data Privacy Oversight

The PPA has made clear that artificial intelligence systems processing personal data will not go unregulated. Organizations are expected to evaluate the risks of automated decision-making, maintain transparency, and build safeguards to reduce bias and discrimination. These measures align with international trends and highlight Israel’s deliberate yet forward-leaning approach to AI governance.

In its guidance, the regulator underscores the principles of explainability, fairness, and accountability in algorithmic operations. To comply, entities must maintain documentation of their AI systems, perform impact assessments, and demonstrate proactive governance. Together, these requirements mark a decisive step toward embedding trust and responsibility into AI-driven processing.

Managing Vendor Risk

Before engaging third-party processors, controllers must evaluate their privacy and cybersecurity practices, establish robust data processing agreements with clear security obligations, and continuously monitor vendor compliance. Processors should be required to provide annual reports on their cybersecurity measures and implementation, ensuring ongoing accountability and risk mitigation.

Data Transfers & EEA

In line with regulations enacted in 2023 to preserve the European Commission’s adequacy status for Israeli privacy laws, personal data transferred from the European Economic Area (EEA) to Israel carries additional compliance obligations. Controllers must guarantee data accuracy, enforce strict retention limits, and provide clear mechanisms for deletion requests. Non-compliance may trigger fines calculated on a per-individual basis, significantly raising the stakes for organizations processing EEA-origin data.

Strengthened Security and Compliance Requirements

Organizations that manage large, sensitive databases are required to conduct formal risk assessments and penetration tests at least every 18 months. Findings must be documented, security procedures updated, and any serious incidents promptly reported to the PPA. Non-compliance can result in fines of up to ILS 320,000 per violation.

The existing Data Security Regulations (5777–2017) remain fully applicable and will soon be reinforced by the PPA’s expanded enforcement powers under Amendment 13. This means organizations must maintain comprehensive safeguards, including updated database structure documentation, detailed access control logs, incident response playbooks, secure coding practices, and strong encryption for both data storage and transmission.

Stronger Enforcement, Risks, and Penalties

Amendment 13 ushers in a far tougher compliance regime, with consequences that extend well beyond reputational damage. The Israeli Privacy Protection Authority (PPA) will gain expanded enforcement powers, including the ability to issue administrative orders, levy significant monetary penalties, and issue cease-and-desist directives. Fines may reach millions of shekels, with higher multipliers for large databases or the handling of sensitive information.

Organizations that fall short could also face legal exposure on multiple fronts: civil lawsuits, class actions, and even criminal charges for violations such as breaches of confidentiality, unauthorized processing, or misleading regulators. Statutory damages of up to ILS 100,000 can be awarded without requiring proof of harm, and courts may order the deletion of unlawfully obtained data or restrict further processing—making compliance not just a legal obligation but a business imperative.

Notifying the PPA

Controllers are required to notify the PPA of any database containing sensitive information on more than 100,000 individuals. They must also submit a formal database definition document—Israel’s statutory equivalent to the EU GDPR’s records of processing activities—along with the details of their appointed Privacy Protection Officer (PPO).

Day-to-Day Practical Impacts

Governance

Organizations subject to Amendment 13 will need to strengthen their internal governance frameworks. This includes appointing a privacy officer (PPO) who operates with independence, sufficient budget, and executive-level authority to oversee compliance. Beyond staffing, enterprises will have to embed privacy-by-design practices across operations, with routine policies, workforce training, and DPIA-style reviews becoming mandatory to evaluate new initiatives and technology deployments.

Transparency

Transparency obligations will extend well beyond boilerplate privacy policies. Universities, enterprises, and startups alike will need to upgrade collection points, applications, and consent forms with clear disclosures about the purposes of data processing, individuals’ rights, data recipients, and retention periods. For sensitive data, including biometrics or AI-enabled profiling, enhanced disclosure standards apply. This will require organizations to rethink UX design and customer communication, ensuring privacy information is both accessible and actionable.

Data Broker Compliance

Entities involved in data brokerage, profile enrichment, or direct mailing will face heightened scrutiny. They may need to register databases, maintain detailed source and transfer logs, and provide clear opt-out and deletion mechanisms. Regulators are expected to conduct audits or inspections to ensure transparency in the data supply chain. This means marketing teams, list vendors, and third-party aggregators must prepare for a compliance regime that looks much more like financial or securities regulation, where full documentation is not optional.

Regulatory Exposure

The PPA is gaining enforcement powers on par with major European regulators. It can impose administrative fines, suspend processing activities, or issue cease-and-desist orders. Weak internal record-keeping, a lack of visibility into sensitive databases, or failure to maintain up-to-date database documentation now carry serious financial risk. Organizations that previously treated privacy as a legal formality will need to build ongoing operational monitoring to avoid unexpected disruption.

Litigation

Beyond regulatory enforcement, organizations face a growing risk of private litigation. The law enables easier routes to compensation for data subjects, including statutory damages without proof of harm and expanded grounds for class actions. Civil suits, combined with reputational damage and mounting compliance costs, make non-compliance a multiplier risk rather than a line-item fine. Enterprises must prepare for litigation risk as a core part of their privacy strategy, much like product liability in other industries.

How BigID Helps with Israel’s New Privacy Updates

Amendment 13 to Israel’s Privacy Protection Law introduces sweeping reforms in governance, accountability, security, and enforcement. Organizations will need to adopt stronger controls for data visibility, privacy-by-design, and risk management. BigID provides the data intelligence foundation to address these challenges at scale.

Data Discovery & Classification

The law requires organizations to maintain clear documentation of their databases, including sensitive data sources, processing purposes, and retention. BigID automatically scans, discovers, and classifies personal and sensitive data across structured, unstructured, and cloud environments. It builds accurate data inventories to support PPA reporting requirements, database registration, and records of processing activities.

Governance & Privacy Officers

Amendment 13 mandates appointing an independent Privacy Protection Officer (PPO) with oversight responsibilities and visibility into all processing activities. BigID provides a business glossary and data overview dashboard that give PPOs a central hub for monitoring compliance, enforcing policies, and ensuring accountability with senior management.

The reform emphasizes explicit, informed consent, transparency of notices, and granular control over the use of sensitive data. BigID tracks data subjects, consent records, preferences, and usage across applications. Organizations can demonstrate a lawful basis for processing, honor opt-out requests, and generate disclosure-ready reports to meet transparency requirements.

Data Security & Risk Management

Amendment 13 requires risk assessments, penetration testing, incident reporting, and stronger safeguards for sensitive data. BigID offers risk scoring and policy monitoring that flag abnormal access, exposure of sensitive data, or violations of retention policies. Integration with SIEM/SOAR systems enhances incident response and breach notification readiness.

Vendor & Data Broker Oversight

The law places obligations on controllers to review processors, monitor compliance, and ensure that data brokers maintain accurate records and respect opt-outs. BigID delivers third-party data sharing insights, helping organizations monitor who has access to what data, enforce data minimization, and provide auditable logs for regulators.

Regulatory Readiness & Litigation Defense

With new administrative powers, the PPA can impose fines, suspend processing, and enable class actions. BigID provides out-of-the-box compliance reports and audit trails, reducing regulatory uncertainty and providing evidence in the event of litigation. Organizations can quickly generate compliance documentation to satisfy regulators or courts.

BigID helps organizations comply through data intelligence and automation that turn legal obligations into repeatable operations. Book a demo today!