Data & Privacy · Israel
Data & Privacy - Israel
Israel has a comprehensive, cross-sectoral personal-data protection regime anchored in the Protection of Privacy Law of 1981, which was overhauled by Amendment No. 13 effective 14 August 2025 to align more closely with the EU GDPR. The Privacy Protection Authority (PPA) is the national supervisory authority and, post-Amendment 13, has shifted from a registry-based supervisor to a full enforcement agency with substantial sanctioning powers. The EU recognizes Israel as providing an 'adequate' level of data protection, permitting EU-to-Israel personal-data transfers without additional safeguards.
The Protection of Privacy Law, 1981 is the country's general data-protection statute covering both the public and private sectors; Amendment No. 13 entered into force on 14 August 2025, modernizing definitions, obligations and enforcement.
The Privacy Protection Authority (PPA), a unit of the Ministry of Justice whose head also serves as Registrar of Databases, is the national regulator; Amendment 13 transformed it from a registration-focused supervisor into a full enforcement agency.
The PPA can now impose administrative monetary sanctions (up to ~ILS 320,000 per cybersecurity violation and into the millions of shekels for database/governance breaches, with multipliers for large or sensitive databases), issue binding processing-suspension and cease-and-desist orders, order deletion of unlawful databases (subject to court approval), and conduct criminal investigations.
Amendment 13 expanded 'personal data' to include online identifiers, IP addresses and geolocation, redefined 'especially sensitive data' (biometrics, genetics, criminal records, sexual orientation, financial details), and requires explicit, documented and granular consent (blanket consent no longer acceptable).
Public bodies, data brokers, entities whose core activity is processing especially sensitive data, and those conducting systematic monitoring must appoint a Data Protection Officer; transparency obligations were strengthened (the PPA granted a grace period on DPO enforcement until 31 October 2025).
Individuals have rights of access (inspection) to data held about them, correction of inaccurate data, and deletion where data is no longer needed or lacks a lawful basis; civil claim limitation periods were extended to seven years for causes of action arising after 14 August 2025.
The European Commission reconfirmed Israel's adequacy decision on 15 January 2024, allowing personal-data transfers from the EU/EEA to Israel without additional safeguards; the status remains in force in 2026 despite civil-society calls (EDRi, Access Now) for reassessment.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice. English version →