Data & Privacy · Israel
Data protection & privacy laws in Israel (2026)
Israel shaded by its data & privacy status
Israel has a comprehensive, cross-sectoral personal-data protection regime anchored in the Protection of Privacy Law of 1981, which was overhauled by Amendment No. 13 effective 14 August 2025 to align more closely with the EU GDPR. The Privacy Protection Authority (PPA) is the national supervisory authority and, post-Amendment 13, has shifted from a registry-based supervisor to a full enforcement agency with substantial sanctioning powers. The EU recognizes Israel as providing an 'adequate' level of data protection, permitting EU-to-Israel personal-data transfers without additional safeguards.
Key points
The Protection of Privacy Law, 1981 is the country's general data-protection statute covering both the public and private sectors; Amendment No. 13 entered into force on 14 August 2025, modernizing definitions, obligations and enforcement.
The Privacy Protection Authority (PPA), a unit of the Ministry of Justice whose head also serves as Registrar of Databases, is the national regulator; Amendment 13 transformed it from a registration-focused supervisor into a full enforcement agency.
The PPA can now impose administrative monetary sanctions (up to ~ILS 320,000 per cybersecurity violation and into the millions of shekels for database/governance breaches, with multipliers for large or sensitive databases), issue binding processing-suspension and cease-and-desist orders, order deletion of unlawful databases (subject to court approval), and conduct criminal investigations.
Amendment 13 expanded 'personal data' to include online identifiers, IP addresses and geolocation, redefined 'especially sensitive data' (biometrics, genetics, criminal records, sexual orientation, financial details), and requires explicit, documented and granular consent (blanket consent no longer acceptable).
Public bodies, data brokers, entities whose core activity is processing especially sensitive data, and those conducting systematic monitoring must appoint a Data Protection Officer; transparency obligations were strengthened (the PPA granted a grace period on DPO enforcement until 31 October 2025).
Individuals have rights of access (inspection) to data held about them, correction of inaccurate data, and deletion where data is no longer needed or lacks a lawful basis; civil claim limitation periods were extended to seven years for causes of action arising after 14 August 2025.
The European Commission reconfirmed Israel's adequacy decision on 15 January 2024, allowing personal-data transfers from the EU/EEA to Israel without additional safeguards; the status remains in force in 2026 despite civil-society calls (EDRi, Access Now) for reassessment.
Timeline - major decisions & events
The most sweeping reform of Israeli privacy law in decades takes effect, broadening 'personal' and 'sensitive' data definitions (IP addresses, geolocation, biometrics), mandating data protection officers, and converting the regulator into a full enforcement agency aligned with the GDPR.
Library of Congress (Global Legal Monitor) ↗Shortly after the reform took effect, the Privacy Protection Authority used its new powers to fine an offender NIS 75,000 for repeated violations, signaling a shift to active, penalty-based enforcement.
AI-Law ↗Following a 2020 data breach of the PayBox app, the Tel Aviv District Court approved a class-action settlement under which the bank pays NIS 3.02 million; the PPA had found security deficiencies in violation of the Privacy Protection Law.
ICLG ↗Israel's parliament passed the comprehensive privacy overhaul, introducing tiered turnover-based monetary sanctions and substantially enlarged enforcement powers for the regulator, with a one-year run-up to entry into force.
IAPP ↗Following the GDPR-mandated four-year review, the Commission reaffirmed Israel as providing an adequate level of protection, preserving seamless EU-to-Israel personal-data transfers despite civil-society objections.
European Commission ↗The Knesset approved detailed data-security rules classifying databases into four risk tiers with mandatory access controls, audits, and breach-notification duties; they entered into force in May 2018 alongside the GDPR.
IAPP ↗A Knesset amendment ended the voluntary phase of the biometric program, requiring fingerprint/facial data on Israeli ID cards and passports, with data held in a secured, offline national biometric database separate from the Population Registry.
National Biometric Database Authority ↗Under Directive 95/46/EC the Commission recognized Israel as offering adequate protection for automated processing of personal data, enabling EU data transfers; the decision excludes territories administered since 5 June 1967.
EUR-Lex (European Commission) ↗The Knesset authorized collection of fingerprints and facial contours from all residents into a central biometric database for ID cards and passports, establishing the legal basis for Israel's biometric identity infrastructure.
Library of Congress (Global Legal Monitor) ↗Pursuant to Government Decision No. 4660, the Israeli Law, Information and Technology Authority was created in the Ministry of Justice to enforce privacy law and oversee databases; it was later renamed the Privacy Protection Authority.
IAPP ↗The Knesset gave privacy constitutional status, declaring every person's right to privacy and to the confidentiality of their conversations, writings, and records, anchoring later data-protection jurisprudence.
Knesset ↗Israel passed one of the world's earliest comprehensive privacy statutes, creating database registration duties, civil and criminal liability for privacy infringement, and the foundation of the modern framework.
WIPO Lex ↗Israel - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →