Privacy and AI in Israel and worldwide: a look to 2024
During 2023, privacy protection and artificial intelligence regulation continued apace and their implications continued to be a major focus in Israel and around the world. In Israel, this was reflected in a number of guidelines issued by the Privacy Protection Authority, as well as in the enactment of regulations governing the transfer of data from Europe to Israel and the protection of that type of data. On the international stage, the developments were even more dramatic and included the enactment of privacy protection laws in additional states in the United States, new legislation by the European Union, and significant enforcement proceedings.
2023 was also the year AI took center stage. During this year, the use of AI tools became more widespread in various organizations. This use led policymakers around the world to consider the issue of regulation, in relation to the risks and challenges posed by this new technology. Questions relating to the use of AI tools are currently arising in all companies from all business sectors, and require unique attention.
Key Developments in Israeli Privacy Protection Laws
Regulations Governing Data Transferred to Israel from Europe
In 2023, Israel enacted the Privacy Protection Regulations (Instructions for Data That Was Transferred to Israel from the European Economic Area). The purpose of these regulations is to align Israeli law with European law, and provide European Economic Area (EEA) residents with strong rights over their personal data held in Israel. The regulations also aim to ensure the free transfer of data from the EEA to Israel.
The regulations include additional obligations beyond those already required in Israeli privacy protection laws pertaining to data transferred from the EEA. As of 2025, the regulations will also apply to all databases containing data transferred from Europe, and not just the data of European residents. They will also require the implementation of various data subject rights: data erasure, data retention, data accuracy, and the right to be informed. The regulations also broaden the definition of the term “sensitive data.”
These regulations indicate the direction the Israeli privacy protection regime is expected to take in the coming year, and the principles set in them will have a broad impact on databases held in Israel.
Israeli Supervision and Exercise of Powers for Security Reasons
According to Israeli authorities’ assessment, the outbreak of the Swords of Iron War increased the risk of cyberattacks in the country. To contend with the new risks, emergency regulations were enacted in December delegating to the National Cyber Directorate significant and unprecedented powers to supervise the activities of companies providing data storage and other digital services. At the same time, a draft bill of similar provisions was submitted.
In addition, the Prime Minister’s Office published a memorandum of law in December proposing to amend the Israeli Security Agency (Shin Bet) Law. The proposed amendment includes a significant expansion of the Shin Bet’s powers with regard to obtaining data. The memorandum seeks to authorize the Shin Bet, in some cases after receiving the prime minister’s authorization and in others the Shin Bet director’s authorization, to conduct covert searches in computer materials and obtain data from databases, including sensitive data, GPS tracking data, and data about religious and political beliefs. The memorandum proposes to delegate broad powers to the Shin Bet that will be exercisable without effective judicial oversight. If passed, the law could undermine Israel’s recognition as a country that maintains an adequate data protection regime under the GDPR.
Israeli Privacy Protection Authority Guidelines
During 2023, Israel’s Privacy Protection Authority (PPA) adopted a more stringent stance on privacy protection. This trend was evident in a number of key guidelines issued by the PPA, which took a more restrictive approach relating to the scope of Israeli privacy law and the obligations imposed on companies in Israel.
Boards of Directors’ Role in Fulfilling Privacy Protection Obligations
In September, the PPA published a draft directive regarding the role of boards of directors in fulfilling obligations under the Privacy Protection (Data Security) Regulations. The draft directive stipulates that a board of directors is responsible for, among other things, establishing procedures for monitoring and overseeing compliance with the regulations. The board should also take an active role in setting a company’s policy on use and management of personal data. The directive is based on the PPA’s interpretation of the provisions of the Privacy Protection Law and the Companies Law and is not explicitly required by legislation. This draft directive is an example of the central role that data security and privacy issues play in the activities of corporations.
This directive was published in the wake of an extensive audit performed by the Israel Securities Authority in 2022, examining how corporations are contending with cyber threats. The audit found that, in most companies, updates on the company’s cybersecurity status were not being provided to the board of directors, and that the company’s approach to cybersecurity and the associated disclosure obligations were not being regulated in the company’s policies. As a result, the Israel Securities Authority updated its position on the disclosure obligations of companies.
Monitoring of Employees and Guidelines to Employers
In May, the PPA published a position statement about employers’ monitoring of employees working remotely. The PPA’s position states that employers must ensure they do not materially infringe on their employees’ privacy or the privacy of others residing in the home, including minors. The position statement specifies the considerations that employers must take into account when using surveillance measures. Inter alia, the PPA addressed a list of highly invasive surveillance measures that should only be used in extenuating circumstances and for a specific purpose.
In August, the PPA published another position statement about employers’ use of vehicular GPS systems to track employees. The position states that such use should be limited to instances when no alternative to it exists and only after the employer carefully weighs the benefit from using the tracking system against the violation of the employee’s privacy.
Unfortunately, in October, following the Swords of Iron War and the significant impact on the economy, remote work became widespread once again. Many companies switched to remote work and the protection of employees’ privacy became a relevant issue.
Additional PPA Position Statements
In September, the PPA published a manual for companies engaging with outsourcing vendors, to ensure their compliance with Regulation 15 of the Privacy Protection (Data Security) Regulations. The manual provides practical tools for companies to examine their vendors, to ensure they comply with Israeli legislation. The manual also includes a sample questionnaire that may be used to examine compliance with the law.
In June, the PPA published a position statement for public comments about the collection of ID numbers and photocopies of ID documents by businesses for providing services. The PPA’s position is that, in most instances, the collection of ID document details, including photocopies thereof, is considered excess data that is not required to provide services. The PPA recommends that businesses adhere to the following principles: inform customers about any legal obligations to provide the data or lack thereof; inform customers about the purpose of the collection, who the data will be transferred to, and for what purpose; and disclose the fact that the ID details will be collected before the purchase transaction can be completed. The PPA further clarifies that businesses may not use ID numbers and photocopies of ID documents for additional purposes, and that this may be considered excess data in violation of the Privacy Protection Regulations.
Privacy Protection Laws from an International Perspective
During 2023, the trend of expanding privacy protection regimes in various countries continued. In the United States, the number of states with privacy legislation rose to 12, with seven more states in the process of enacting legislation. In India, a comprehensive privacy law was enacted, imposing significant obligations on companies operating in the country, similar to European legislation. Singapore also joined these countries, amending and expanding its existing law.
Another prominent issue during 2023 was the data transfer regime between Europe and the United States. In July, the European Commission re-recognized the US as a country that adequately protects personal data in accordance with the requirements of the GDPR under a new EU-US Data Privacy Framework. Companies that want to be part of the new framework must register for it and comply with its terms. Companies that do not want to register for the data privacy framework will be able to continue operating through various contractual mechanisms (such as standard contractual clauses).
Additionally, Europe and the UK have both passed laws designed to address various information technologies. In Europe, the EU Data Act was enacted to regulate the collection and use of data coming from smart IoT devices and to enable consumers to receive this data and transfer it between different companies in the market.
Furthermore, preparations continued in Europe for the Digital Services Law (DSA), which came into effect on January 1, 2024. The law requires companies to comply with obligations of transparency, accountability, and removal of prohibited and harmful content. In February, digital service platforms were required to disclose their number of users, and in April, the European authorities published their classifications under the law, based on the information the companies provided. In August, the law started to apply to certain companies designated by the EU authorities. The law now applies to all digital service providers in Europe – data transfer services, data storage services, digital platforms and search engines, and very large digital platforms and search engines.
Finally, the UK passed the Online Safety Act, which seeks to increase users’ online safety, particularly child safety, by imposing various supervisory obligations on information service providers. These include social networks, search engines, video and picture sharing platforms, and other direct user-to-user services.
Enforcement of GDPR Provisions
In 2023, the European authorities took a hard stance against companies they deemed in violation of the GDPR, and imposed heavy fines on them.
In May, Meta (formerly Facebook) was fined EUR 1.2 billion by the Irish Data Protection Commission, a fine that was approved by the European Data Protection Board. The fine was the result of Meta’s reliance on the EU’s contractual mechanism known as standard contractual clauses (SCCs), which were found to provide inadequate protection for data transfers. The fine was imposed following a CJEU ruling that nullified the data transfer arrangement between the United States and Europe, which forced companies to rely on SCCs. Subsequent to that ruling, the new EU-US Data Privacy Framework for data transfers, as mentioned above, was established. This ruling underscores the importance of thoroughly examining what is permissible and prohibited during cross-border data transfers.
In January, Meta was fined EUR 390 million for breaching transparency obligations relating to the legal basis for its personal data processing for presenting personalized ads. The transparency obligations under the GDPR require companies to inform users about the means and purpose of personal data collection and processing. This ruling, which addressed Meta’s core revenue source, resulted in an in-depth examination of Meta’s operations. The issue of transparency in personalized ads is likely to be a key issue in international companies’ activities in the coming year.
In September, TikTok was fined EUR 345 million for violations related to the way the service was presented to children. As stated above, protecting children, including providing them with appropriate disclosures of data processing details, obtaining adapted consent, and protecting them from exposure to inappropriate content, is a top priority of the privacy and consumer protection authorities worldwide, particularly in Europe.
In January, we saw an example of Israeli companies’ exposure to European law enforcement efforts, which can also apply broadly outside of Europe. The Greek Privacy Protection Authority imposed a fine of EUR 50,000 on Intellexa, an Israeli cyber espionage company. The fine was imposed due to the company’s refusal to fully cooperate with the Greek authority.
Regulatory Developments Regarding Artificial Intelligence
With the launch of ChatGPT at the end of 2022, and the spread of the tool’s use among the general public, significant issues of regulation of artificial intelligence tools and their proper use arose. Organizations that use artificial intelligence tools and the authorities that oversee various aspects of business activity are facing new challenges of maintaining reliability, data security, and more.
During the year, there was widespread discussion among all influential stakeholders of imposing restrictions on, and regulating, the field of artificial intelligence. Leading industry companies have united in creating a framework for transparency processes and restrictions on artificial intelligence tools, the European Union has promoted legislation that will lead to the regulation of artificial intelligence, and the White House has published a draft bill of rights on the use of artificial intelligence and a presidential executive order for its regulation.
In Europe, an historic agreement was achieved on the drafting of the EU AI Act. This law is expected to lay a significant infrastructure for regulation, development, and use of artificial intelligence. The law will require companies to conduct in-depth examinations of the risks inherent in AI systems that they are developing or using, and to take a series of measures depending upon the risk level posed by their systems. The EU AI Act prohibits the use of particular AI systems and imposes strict obligations of transparency and accountability on others. Furthermore, a European authority is expected to be established to supervise AI models deemed “foundation models” and to create supervisory tools and standards for the development and use of AI models and tools.
Artificial Intelligence in Israel
The Israeli government has published an AI policy, regulations, and ethics document that outlines the government’s basic approach to the development and supervision of artificial intelligence, as well as several fundamental principles for its use. The Israeli government’s position is that there will be no specific regulation of artificial intelligence, and each government authority will act independently to implement appropriate regulation. However, in order to coordinate regulatory efforts, Israel will establish a government knowledge center whose role will be to amass relevant knowledge and promote collaboration among the various state authorities and with major international companies and entities. The principles outlined in the document are consistent with those prescribed by the OECD: prevention of discrimination; human supervision; explainability; transparency; reliability, resilience, security, and safety; accountability; and privacy protection.
Lawsuits against AI Companies
The ubiquitous use of AI tools has also led to a series of lawsuits filed against AI companies on various issues, including regarding the output generated by AI tools.
In the United States, several lawsuits that sought to register copyrights on works created using artificial intelligence tools were dismissed. In 2023, lawsuits were also filed in the US and Europe alleging privacy violations caused by artificial intelligence tools. In April, a motion to certify a class action was also filed in Israel against ChatGPT on the grounds of violations of privacy protection laws.
The expansion of the use of AI tools and the unique risks posed by them require organizations to take extra precautions before beginning their use of these tools. To do this while ensuring compliance with privacy protection laws and other regulations, we recommend following a few simple rules: verify the accuracy of your data, implement measures to protect personal and confidential data, ascertain the AI tool provider’s liability for the tool used, make sure human oversight is implemented where needed, and ensure that employees are trained in the tools’ use. To assist our customers, we published a manual on implementing AI systems in businesses, as well as guidelines to assist employers when implementing AI tools in the workplace.
2024
During 2023, we observed interesting developments in privacy protection laws, digital services, data security, and, of course, artificial intelligence. In 2024, global legislation and regulation of digital services and artificial intelligence will likely continue to evolve. Additionally, new and as yet unresolved legal questions about copyright and artificial intelligence will (hopefully) receive a slightly more orderly answer. We expect that, upon the promulgation of additional regulations in the United States and the completion of the European AI legislation, many companies will have to comply with new regulatory provisions. In Israel, a major amendment to the Privacy Protection Law dealing with the powers granted to the Privacy Protection Authority is awaiting its second and third readings by the Knesset. If the law passes, it will change the risk balance under Israeli law.
During this period of significant technological and regulatory developments, companies must re-examine how they manage and protect the data they retain, particularly personal data. Sound privacy, artificial intelligence, and data security programs will help companies protect themselves against the various risks, and provide them with a clear business advantage over their competitors.
***
Barnea Jaffa Lande’s Privacy Data Protection and Cyber Department is at your service to answer any questions about the IoT, AI regulation and other privacy questions.
Dr. Avishay Klein is a partner and heads the department.
Adv. Masha Yudashkin is an associate in the department.