The legislation of privacy protection laws in Israel has shifted into high gear and is beginning to close the gap with legislation in Europe. A major step in this direction occurred about a month ago when the Ministerial Committee for Legislation approved a series of legislative amendments designed to adapt the Privacy Protection Law to the consumers, technologies, and trends of 2022. In addition, the committee delegated significant enforcement authorities to the Privacy Protection Authority (PPA), enabling it to increase the fines it may impose on offenders.
Over the last year and a half, the PPA has published a series of pronouncements, proposals for public comments, and policy documents about how it interprets privacy protection legislation and how it exercises the powers vested in it.
This article presents highlights of the PPA’s recent publications. We assume the PPA will continue to take this proactive approach, perhaps even more vigorously upon completion of the legislative process.
Privacy by design
In October 2020, the PPA published a data protection impact assessment guidance that addresses, inter alia, privacy by design. The PPA recommends that organizations handling personal information, whether public, governmental, or private, implement “privacy by design” measures and “privacy by default” measures. The PPA encourages organizations to address privacy protection issues already at the initial design stages of their data systems, regarding two aspects. The first aspect is the minimization of data collection, i.e., designing the system to collect only necessary information about users. The second aspect pertains to ensuring stringent security of the collected data throughout the duration of data collection and processing. This is to ensure the system’s design will serve the organization’s business purposes while minimizing privacy protection risks.
The Privacy Protection Authority encourages organizations to implement the privacy by design approach when planning projects such as these:
- Designing a new computer system for storing personal information or for accessing personal information.
- Promoting legislation, policies, or strategies that may have privacy infringement implications.
- Initiatives for exporting and sharing personal information.
- Using personal information for new purposes.
To implement the privacy by design approach, the PPA recommends that various organizations perform a data protection impact assessment, which is already a statutory requirement under the GDPR. In August 2021, the PPA published a comprehensive guide for the use of all organizations in the Israeli economy. The guide explains the stages of an impact assessment and how to carry it out.
Data protection officer
At the end of October 2020, the PPA published another position paper for public comments: “Appointment of a Data Protection Officer in an Organization and the Officer’s Roles.” To ensure compliance with the provisions of the Israeli Privacy Protection Law pertaining to personal information, the PPA recommends that organizations appoint a data protection officer (DPO). This is an additional officer whose role differ from those of the data security officer, who is responsible for data security, whose appointment is already compulsory today, in particular circumstances, pursuant to the Privacy Protection Law.
The PPA explains that a DPO is tasked with the implementation of the privacy protection laws in the organization that pertain to personal information. The DPO is also responsible for promoting and integrating principles and considerations of privacy protection in all work processes in the organization. In other words, the DPO does not merely supervise compliance with the language of the law and its regulations but also internalizes the principles and concepts underpinning the privacy protection laws in all of the organization’s activities.
At present, the appointment of a DPO is not a statutory requirement in Israel. However, the PPA does perceive it as a best practice. When organizations are subject to obligations by virtue of foreign law, including GDPR requirements, such appointment is often compulsory by virtue of foreign law. The DPO’s roles also include regulating data management processes, oversight, control, training, and assimilation.
Data storage and processing
One of the measures taken by the PPA to increase compliance with privacy protection and data security laws is its use of sectoral supervisory review. This includes sending compliance questionnaires to companies operating in the sector under examination. In November 2020, the PPA published a sectoral supervisory report: “Findings of Sectoral Supervision of Companies in the Data Storage and Processing Sector in Israel.” This was a significant sectoral supervisory process because it examined data security practices at the principal service providers in the sector today, i.e., server and storage providers.
According to this report, there are numerous risks to customer privacy in the data processing and storage services sector. The risks arise mainly due to the massive volume of data being managed by these companies, as well as due to the unregulated use of outsourcing services. The PPA’s findings, coupled with the lack of awareness of the laws and obligations applicable to this sector, led the PPA to decide not to take individual action against these companies. Rather, it opted to emphasize that “a company providing database storage or backup services to another party, including by way of providing servers, is considered a ‘holder’ of the database, even if the content of the information is encrypted and the encryption key is not in the possession of that company, but, rather, is in the possession of the database owner. As a result, all obligations pursuant to the law and regulations applicable to a database holder apply to this company.”
As part of the supervisory report’s findings, the PPA issued directives for execution to all companies operating in the sector. This thereby sets the standard expected of the companies and of those who engage with them. These findings underscore the obligation imposed on database owners that use these companies’ services to examine the degree of their compliance with the regulations and the sufficiency of their data security means.
Minimizing the collection of personal information
In March 2021, the PPA published the policy document “Data Minimization.” The document focuses on data collected and stored despite not being essential to achieving the purpose for which they were collected or to achieving the purposes of the database in which they were saved (“excess data”). Pursuant to the law and its regulations, the collection and retention of excess data constitutes a violation of the right to privacy. With this position, the PPA is emphasizing that the collection and retention of excess data inessential to achieving the purpose for which they were collected or for the database’s purposes—and, of course, the use of such data—constitute violations of the right to privacy and may also constitute a violation of privacy protection laws and regulations.
The purpose of this position is to remind those operating in this market that the fact they have the ability to collect certain personal information is insufficient justification for collecting it. Companies must be able to show a relevant connection between the requested information and its stated use. Consequently, companies must perform a focused examination of the connection between the collected information and their use of it.
Drafting a privacy policy
In April, shortly prior to the launch of advanced payment systems in Israel (Apple Pay and Google Pay), the PPA published a list of recommendations entitled “Privacy Protection in Advanced Systems for Money Transfers and Payments at Merchants.” This list is to ensure that new and advanced payment systems are used in a way that protects users’ privacy and allows them control over their information. The PPA’s recommendations were based on an analysis of the privacy policy documents and terms of use of the main advanced payment systems in operation at the time.
The PPA’s recommendations regarding privacy protection for users of payment applications and the collection of information about them may be broader and also extend to the privacy policies of other companies using technologies similar to payment technologies, especially those relating to sensitive information.
The PPA emphasized in its recommendations document that companies should pay considerable attention to the “principle of consent” specified in section 1 of the Privacy Protection Law. According to the PPA, proper implementation of this principle requires companies requesting consent to specify all of the details relevant to decision-making in this regard. The company requesting consent must specify, inter alia, what information will be collected once consent is given, what uses will be made of the information, to whom they may forward it, and for what purpose. The explanation should be clear, direct, and in simple language, and include details about the data subject’s rights, in order to enable users to have optimal control over their privacy.
The document also indicates that the PPA actively examines companies’ procedures and documents regarding data collection and processing. Therefore, it recommends that all companies should draft and enforce these procedures.
Following are highlights of the document’s emphases and recommendations:
- Obtaining permissions not required to use the service in the basic format will require active user consent (opt-in and not opt-out).
- Use of non-essential cookies will require a separate active opt-in, with an appropriate explanation.
- A material change in the technology used must be actively displayed and renewed consent must be obtained.
- For sensitive information, details about the data subjects’ rights to control the information about them must be provided.
- Information about how to disconnect from the service must be included, and the use of accumulated data subsequent to the disengagement must be regulated. The recommendation is that the termination of the engagement will result in the termination of the commercial use of the stored data (as opposed to retaining it to comply with the requirements of the law or for defense during legal proceedings).
If this PPA position is expanded to other sectors, it will result in significant changes in practices in the market regarding privacy policies. Companies should prepare for this.
Labor relations
COVID-19 prompted the increased use of digital means in workplaces. In September 2021, the PPA published a position paper about employers’ collection and use of information about employees, inter alia, for the purpose of monitoring work hours. This publication highlights the dual set of laws that apply to employment. Both labor laws and privacy protection laws address the power imbalance between employers and employees and emphasize employers’ obligations to take into account their employees’ rights to privacy and ensure they comply with all statutory provisions applying to employers.
These publications, coupled with the PPA’s position papers on the Israeli government’s handling of the COVID-19 pandemic and the use of technological means and Israeli Security Agency surveillance means to track infected civilians, are important to gain an understanding of the regulatory mindset in Israel. It is critical for companies and organizations operating in Israel to gain an understanding of the PPA’s mindset and of the standards it is formulating about privacy protection. This will provide companies the capability to better prepare for the privacy protection and data security challenges with which they will have to contend.