2022 saw significant regulatory developments in the field of privacy protection in Israel and throughout the world. These developments directly affect companies whose business activities in Israel and internationally involve the collection and processing of personal information.
Regulatory Developments in Israel
Legislative Amendments
1. Proposed amendment to the Israeli Privacy Protection Law
Amendment no. 14 to the Privacy Protection Law was submitted in January 2022 for the purpose of adapting the law to technological realities. The draft bill attempts to fulfill this purpose at two levels. At the first level, it reduces the obligation to register a database and clarifies the definitions of “information” and “sensitive information” so that they more precisely align with technological developments and the legislative framework in Europe and in most countries in the western world. At the second level, it expands the Privacy Protection Authority’s enforcement powers and increases the fines it can impose on organizations if they commit violations of the law. The draft bill specifies that the amendment will come into effect just six months after the completion of the legislative process. Therefore, organizations managing or maintaining databases must prepare in advance.
2. Regulations regarding information transferred to Israel from the European Economic Area
In late November 2022, the Israeli Ministry of Justice published the Draft Protection of Privacy Regulations (Instructions Regarding Data Transfers to Israel from the European Economic Area). These regulations prescribe specific obligations imposed on organizations that transfer personal information from the European Economic Area, in addition to the obligations prescribed under the Privacy Protection Law in Israel.
The draft regulations stem from a review process the European Commission is conducting for the purpose of considering whether to reaffirm the adequacy status the EC granted to Israel as a country whose level of data protection is consistent with the accepted level of protection of personal information in countries in the European Economic Area. The draft regulations prescribe the imposition of four additional obligations on database owners in Israel in relation to information transferred to Israel from the European Economic Area. They also update the definition of “sensitive information” in order to align it with the EU’s General Data Protection Regulation (GDPR).
PPA guidelines and publications
The Privacy Protection Authority published numerous publications in 2022, including guidelines, positions, legal opinions, and more. These publications clarified and deepened the requirements imposed on organizations in Israel that process personal information. Given the difficulty in advancing legislation, the PPA’s publications are a major source for establishing legal norms pertaining to privacy protection.
1. PPA tightens reporting requirements relating to data security incidents
In September 2022, the PPA updated its policy regarding the receipt of reports on data security incidents. The main innovation that emerged from the publication is that companies must immediately report serious security incidents in databases requiring medium-level or high-level security to the Privacy Protection Authority, as opposed to the previous time frame recommended by the PPA.
Said policy change obligates companies managing or maintaining databases to ensure their internal response policy and data security incident procedures enable them to comply with said time frame. Such companies must also examine their agreements with third parties relative to the obligations imposed on them during data security incidents.
2. PPA publishes recommendations on the appointment of a privacy protection officer
In January 2022, the PPA published recommendations that organizations and companies in all sectors of the economy should appoint privacy protection officers.
By doing so, the PPA is advising organizations in the Israeli economy that it expects them to appoint a senior officer to be responsible for implementing privacy protection law within the organization. Although this is not a mandatory requirement, failure to appoint a privacy protection officer could prove detrimental to the organization in the event of an audit by the PPA.
3. Duty to inform data subjects that personal information is being collected and used
In July 2022, the PPA published its position regarding the duty to inform data subjects that their personal information is being collected and used. The purpose of this position is to clarify the duty to inform that applies to organizations that collect personal information. This clarification discusses, inter alia, the correlation between the duty to inform and the legal requirement to obtain “informed consent” from people before collecting data about them. It also provides recommendations on ways to contend with the challenges of fulfilling the duty to inform in advanced technological environments. Inter alia, the PPA clarified that, in order to substantiate “informed consent,” entities that collect personal data using algorithmic and artificial intelligence systems must inform the data subjects about the purpose for collecting and using the data already at the data-collection stage.
This position requires organizations to examine how they collect, process, and retain personal data and the way in which they inform data subjects.
4. “Information” and “sensitive information” in the Privacy Protection Law
In December 2022, the PPA published the final version of its legal opinion regarding the terms “information” and “sensitive information” in the Privacy Protection Law. The legal opinion explains these terms, which form the basis for the imposition of various obligations by virtue of the Privacy Protection Law. The PPA’s position is that the list of types of information that constitute “information” or “sensitive information” in the law is not an exhaustive list, since the realities of life and technology continue to generate new data requiring expansion of their scope and the application of the law.
International Developments Addressing Privacy Protection and Digital Services
Over the past year, there were several major developments pertaining to privacy protection in the international sphere that directly impact Israeli organizations engaging in international business activities. Following are the key regulatory developments in the United States and the European Union.
Legislative Developments in the United States
In June 2022, the draft American Data Privacy and Protection Act (ADPPA) was published. This bill aims to prescribe a uniform and binding standard for privacy protection in the United States, by imposing material obligations on local and international companies that collect and process Americans’ personal information.
Concurrent with this initiative, individual states also joined the trend in 2022. Virginia, Colorado, and California enacted state privacy protection laws largely consistent with the principles prescribed in the European General Data Protection Regulation (GDPR). Utah and Connecticut also enacted new privacy protection laws.
In early 2023, California’s new Privacy Rights Act (CPRA) came into effect, amending California’s Consumer Privacy Act (CCPA). This law also applies to companies outside of California that provide services or products to residents of the state. The CPRA significantly expands the obligations imposed up until now on entities that process personal data. For example, the CPRA imposes new obligations limiting the duration of data retention, expands the existing restrictions on data transfers to third parties, expands the obligations regarding transparency, and grants data subjects additional rights. The CPRA also expands enforcement measures by enabling the imposition of administrative fines on service providers, rescinds the “grace period” given to companies to rectify violations of the law, and expands the possibilities for citizens injured as a result of data security incidents to file civil suits.
Enforcement actions relating to the fulfillment of obligations under the CPRA should begin as early as July. This is in addition to the enforcement actions already taking place under California’s existing law. In this regard, we note that, in August 2022, California courts imposed a precedent-setting fine under the CCPA on the Sephora cosmetics company for violating transparency obligations and its customers’ rights relating to sales of their personal information.
Considering the regulatory developments and enforcement actions in California, companies that collect or process information about California residents should promptly implement organizational and technological mechanisms to ensure they comply with the latest obligations of California’s privacy protection regulations.
New Framework for Data Transfers From the European Union to the United States
In December, the European Union and the United States published a new arrangement for data transfers from Europe to the United States. This is an “adequacy” arrangement that should allow the free transfer of personal data from Europe to organizations in the United States, provided these organizations assume increased obligations beyond those prescribed in the current US legislation. The EU and the US introduced this arrangement after the EU Court of Justice annulled the previous arrangement, the Privacy Shield, in July 2020. Its adoption is still contingent upon the EU institutions’ approval.
If approval is obtained, organizations will be able to freely transfer data from Europe to the United States, provided they update their internal policies and their agreements with customers and suppliers in a manner consistent with the privacy protection principles prescribed in the arrangement.
European Legislation Regarding the Provision of Online Digital Services
In 2022, EU lawmakers enacted two comprehensive laws that regulate the provision of online digital services. One is the Digital Services Act (DSA), and the other is the Digital Markets Act (DMA).
These laws will apply to internet service providers, including websites, trading platforms, social networks, and more. The purpose of these laws is to make use of the internet and online services fairer and safer, while imposing restrictions relating to the processing of data and end-users’ content. Inter alia, the laws impose enhanced transparency obligations on internet service providers, a prohibition on the use of sensitive data to display personalized advertisements, obligations regarding the implementation of content supervision, obligations regarding the implementation of supervision over products sold online, and strict restrictions on the tech giants (Google, Amazon, etc.) with the aim of protecting competition. Entities that fail to comply with these obligations expose themselves to extremely high fines.
The Digital Services Act will come into effect on January 1, 2024. The Digital Markets Act will come into effect in May 2023. Since the adjustments required under these laws require time and preparation, organizations offering online services in Europe must prepare for this in a timely manner.
Summary and Preview of 2023
As stated, 2022 was replete with regulatory initiatives relating to privacy protection and significant enforcement actions, but it appears 2023 will be even busier. Many US states (New Jersey, Michigan, etc.) already have legislative processes underway in order to join the trend of state privacy protection regulations. In Europe, in addition to enforcement actions relating to the GDPR, artificial intelligence regulation is likely to continue emerging. This regulation aims to enable technological advances while ensuring the fundamental rights of those using these technologies, including the right to privacy. Other countries, such as Canada, India, and Australia, are in the process of revising and updating their local privacy protection regulations.
These developments will require organizations with international activities involving the collection and processing of personal information to establish an organizational privacy protection plan, including privacy policies and data security documents, and to implement the plan in a manner tailored to the nature of the company and its activities.
Barnea Jaffa Lande’s Privacy and Data Protection Department is at your service if you have any questions about the aforementioned updates or about any other privacy protection and data security issues in Israel and abroad.
***
Adv. Dr. Avishay Klein leads the Firm’s Privacy and Data Protection practice.
Adv. Karin Kashi and Adv. Ben Norman are associates in the Firm’s Regulation Department.