Member Article

The Basic Laws of Israel that comprise the county’s constitution specifically grant Israel’s citizens the right to privacy as a basic human right. This practice note provides an overview of the regulation of data protection and privacy in Israel, presented in a question and answer format.

Legislative Framework

• Question 1: Summarize the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?

Answer: The right to privacy is a constitutional right under Israeli law, and is specifically mentioned as one of the basic rights under the Basic Law: Human Dignity and Freedom. Principle 7 of the Basic Law: Human Dignity and Freedom states:

(a) Every person has a right to privacy and to intimacy in his life.
(b) There shall be no entry into the private premises of a person, without his permission.
(c) No search shall be held on the private premises of a person, upon his body, in his body, or among his private effects.
(d) The confidentiality of conversations of a person, his writings or his records shall not be violated. The Protection of Privacy Law, 1981 and its associated regulations (collectively, the “Privacy Law”) comprise the basic statutory framework for the protection of PII in Israel.

The Privacy Protection Authority is an agency of the Israeli Ministry of Justice that enforces the right to privacy in accordance with the Privacy Law. Established in 2006, the Privacy Protection Authority issues guidelines that clarify and explain its interpretation of the Privacy Law.

Data Protection Authority

• Question 2: Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

Answer: The Privacy Protection Authority oversees compliance with the provisions of the Privacy Law and acts as Israel’s Registrar of Databases. For this purpose, the Privacy Protection Authority is authorized to:

• Demand that any person or entity provide it with information and documents relating to a database
• Enter into a place where it has a reasonable basis for presuming that a database is being operated, to conduct a search, and to confiscate any object if it believes that it is necessary to do so in order to ensure the implementation of the Privacy Law and prevent its violation

Breaches of Data Protection

• Question 3: Can breaches of data protection lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Answer: The Privacy Protection Authority has the authority to enforce the Privacy Law as follows:

• Database registration. If the owner of a database breaches any provision of the Privacy Law, or does not comply with any demand made by the Privacy Protection Authority, the Privacy Protection Authority is entitled to postpone the validity of registration of the database for a period that the Privacy Protection Authority determines, or to cancel the registration of the database, provided that an opportunity was given to the owner of the database to present its claims.
• Administrative fines. In addition, the Privacy Protection Authority has the authority to impose administrative fines with respect to certain breaches of the Privacy Law.
• Criminal liability. The intentional violation of privacy, as well as the breach of some of the regulatory duties under the Privacy Law, are considered criminal offences, and committing them may be subject to criminal penalties.

Rights protected under criminal law are enforced by the Israeli Police, State Attorneys, and the Privacy Protection Authority (which functions as the legal branch of the State Attorney with respect to privacy matters), and later reviewed by the judicial system.