Privacy Protection for Businesses: What Has Changed, What Is Now Required, and Why This Is No Longer a "Technology" Issue

Amendment 13 to the Privacy Protection Law, which entered into force in October 2025, has changed the rules of the game for every business that holds information about customers, employees, or suppliers. Those unfamiliar with the new obligations may discover them the hard way.

5 Things You Should Know Before Reading Further

  1. Any business that maintains a customer list, email addresses, employee details, or any information that identifies individuals holds a “database” for the purposes of the Privacy Protection Law, 5741-1981, and is subject to the obligations set forth therein.
  2. Invasion of privacy is a civil tort. The injured party is entitled to compensation even without proof of monetary damage, in an amount that can reach tens of thousands of shekels per incident.
  3. Amendment 13 to the Law, which entered into force in October 2025, has transformed the Privacy Protection Authority into a regulator with teeth, with the power to impose financial sanctions of hundreds of thousands of shekels and even millions of shekels on violating companies.
  4. Certain businesses are required to appoint a “Privacy Protection Officer” – a new position created by Amendment 13, similar to the DPO customary in Europe under the GDPR.
  5. A data breach, including a cyberattack, requires reporting to the Authority and, in certain cases, to the affected individuals themselves, within a specified timeframe.

Why 2025 Is the Turning Point

The Privacy Protection Law was enacted in 1981 – long before the era of smartphones, the cloud, and digital customer databases. For years it remained the governing legal framework, but most business owners viewed it as a “technological” issue relevant mainly to large companies.

Amendment 13, which was approved by the Knesset in August 2024 and entered into full force in October 2025, has changed that. The reform is designed to align Israeli law with the European GDPR – widely regarded as the strictest data protection legislation in the world – and to transform the Privacy Protection Authority from a body with limited power into a regulator with real enforcement capability.

What Is Required: The Principal Obligations for Businesses

Duty to Inform: Every individual whose information is collected – a customer filling out a form, a job candidate, a new employee – must receive explicit notice: what is being collected, for what purpose, who holds it, and how the rights of access and deletion may be exercised. A website that collects email addresses without any such explanation is already in violation.

Purpose Limitation: Information collected for one purpose may not be used for another purpose. Someone who registers for a mailing list to receive product updates has not consented to receive advertisements from business partners.

Right of Access and Deletion: Every individual is entitled to request to know what details are held about them and to demand deletion. Refusal without lawful justification is a violation.

Information Security: The Privacy Protection Regulations (Data Security), 5777-2017, establish security levels according to the sensitivity of the database. A database containing medical information, financial status, or employee data requires more stringent security measures than a customer list with names and addresses.

Privacy Protection Officer: Certain entities – including companies operating on a large scale of data processing, or businesses processing information of “special sensitivity” – are required to appoint a Privacy Protection Officer pursuant to Amendment 13.

What the Authority Can Now Do That It Could Not Before

Before Amendment 13, the Privacy Protection Authority had investigative powers, but its enforcement tools were limited. Amendment 13 has fundamentally changed this:

The Authority may now impose financial sanctions on violating companies in amounts that can reach hundreds of thousands of shekels per violation, and in serious cases, millions in cumulative penalties. A company that has not registered a database, has not appointed an officer as required, and has not provided a privacy notice may face high cumulative fines for each of these violations.

The Authority may also order the cessation of data processing – a measure that can paralyze business operations.

Class Actions: A Growing Risk

In CA 4110/18 Jane Doe v. Kadima Madda, the Supreme Court (Justice Ofer Grosskopf) ruled that in principle, a class action may be filed for violation of the Privacy Protection Law when the violation falls under one of the categories listed in the Class Actions Law. This represents a breakthrough that has opened the door to collective lawsuits on behalf of tens of thousands of individuals affected by a data breach.

The implication: a data breach at a single company, even due to a cyberattack, can establish grounds for a class action by anyone whose details were in the database.

The European Connection: The GDPR and Israeli Businesses

Israeli companies that receive information from customers, suppliers, or partners in the European Union are also subject to the provisions of the GDPR. Israel has been recognized by the European Union as a country providing “adequate protection” of privacy, but this recognition is conditional on Israeli law continuing to meet the European standard. The Privacy Protection Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 5783-2023, impose additional obligations on information sent from Europe to Israel – including deletion and notification obligations.

An Israeli company that violates the provisions of the GDPR with respect to European customers is exposed to administrative fines that can reach up to 4% of its annual global turnover or €20 million, whichever is higher.

What to Do Now

Any business that has not already done so should conduct a review:

Database Mapping: What databases exist in the business, what is contained in them, who accesses them, and for what purpose are they used.

Privacy Notice: Is there a clear privacy notice on the website and in forms? Are consents for data collection being obtained properly?

Security Incident Procedure: Is there a clear procedure in place in the event of a breach or leak? Who reports, to whom, and when?

Obligations Under Amendment 13: Does the business comply with the new requirements for a Privacy Protection Officer, expanded notification obligations, and updated security levels?

Privacy protection is no longer an issue that can be set aside for “when there is time.” With the entry into force of Amendment 13, gaps in compliance have become a real exposure to fines, lawsuits, and reputational damage.

Businesses that wish to ensure they meet the new legal requirements should conduct a compliance review before a regulator arrives to check for themselves.

© Tidhar Tzur Law Firm | This article is for general information only and does not constitute individual legal advice.
