Businesses face heavy penalties for cybersecurity lapses



Will a major reform that is about to come into force severely damage the many businesses that are unprepared for it? Amendment 13 to the Protection of Privacy Law, passed a year ago and due to be implemented from August 14, represents nothing less than a revolution in privacy protection and information security in both public organizations and private enterprises. This is the most extensive reform in this field since the law was enacted in 1981.

The background to the amendment is the burgeoning of cyber attacks since October 7, 2023. According to figures from the Israel National Cyber Directorate, there were some 17,000 cyber incidents last year, 24% more than in 2023. 41% of these were phishing attacks, messages designed to give access to the victim’s computer system.

The amendment is meant to bring Israel into line with international regulation on privacy, and to ensure that the standard in Israel comes as close as possible to the EU General Data Protection Regulation (GDPR), considered the most advanced standard in the world.

A regulator with teeth

First and foremost, the amendment dramatically strengthens the powers of the Privacy Protection Authority in the Ministry of Justice. The Authority will become an enforcement agency “with teeth”, empowered to carry out investigations, demand documents, and impose penalties. The Authority will be able to employ investigators and use administrative enforcement against commercial companies and public bodies, including security agencies.

That, however, is the minor concern. The worrying news for businesses is that the Privacy Protection Authority will be able to impose high penalties on organizations that breach data security rules.

For example, an organization in which a cyber break-in has occurred as a result of breaches of the law’s requirements can be fined NIS 320,000 for each and every breach. If the database that has been hacked is especially large, the fine per breach can be doubled to NIS 640,000, and can reach up to 5% of the organization’s revenue. That may not seem very much, but for many enterprises it could represent their entire profit, which means that the penalties will have a dramatic impact on them and could leave them destitute.

As indicated, each incident could involve a number of breaches: not just the leak of information, but the failures that led up to it, such as not carrying out a risk survey or a lack of a data security policy. Cumulatively, therefore, the fines could amount to millions of shekels.

The amendment also strengthens the possibility of receiving compensation for harm to privacy in civil suits. Liquidated damages of NIS 10,000 can be awarded without proof of harm, for example in a case in which a person discovers that information about him or her is contained in a database that has not been registered according to law, or that personal information about him or her has been accessed in breach of the conditions that allow it. The prescription period for such lawsuits, which was two years, has been extended to seven years.

The fear of penalties also relates to the requirement that organizations should erase old information that they hold. “A business that has an Internet site with cookies has a year in which to erase information, but in complex systems such as at banks and insurance companies it’s difficult to erase information on customers that is years old,” says Adv. Dalit Ben-Israel, a partner, head of IT Privacy and Data Protection, and co-head of AI, at the law firm of Naschitz Brandes Amir, who participated in the Knesset discussions on Amendment 13. She says that companies that are not yet prepared are liable to be targets for collecting “easy money” in fines.

A year to get ready

The Privacy Protection Authority is aware of the fears, but points out that organizations have had a year in which to gear up for implementation of the law, and recommends that anyone who has not yet done so act quickly to fill any gaps. Under the amendment, the Authority can issue a warning to an organization that unless a breach of privacy ceases, a fine will be imposed. It can require a cash deposit as a guarantee that the breach will be halted, and can even apply to the court for an order to shut down the database.

Large organizations will be required to appoint an officer in charge of privacy protection. This will be required in banks and insurance companies, telecommunications companies, government ministries and local authorities, hospitals and health funds, universities and colleges, and any organization “the main business of which includes processing of highly sensitive information on a substantial scale.”

The amendment changes the definition of “highly sensitive information”, and includes in it medical, genetic and biometric information, criminal records, personal assessments in the course of recruitment, information about pay, political views, religious faith, and location services.

Amendment 13 relaxes the requirements for registration of databases. Registration will not apply to most of the private sector, but only to public bodies, and to databases containing information on more than 10,000 people to which there is paid access.

The Ministry of Justice is already working on further amendments to the law. Adv. Ben-Israel believes that this is vital, for example for the development of artificial intelligence systems. “Under the existing law, processing information is allowed only by consent, or if the law explicitly authorizes it, for example in enforcement of money laundering prohibitions,” she explains. “But how can a bank that wants to develop an AI system obtain the consent of customers from five years ago? Therefore, in cases in which there is no substantial harm to privacy, the law will need to be amended so as to allow the use of information when there is a legitimate interest in doing so, as in Europe.”

The privacy revolution that will get underway in August, and which could exact a heavy financial price from businesses, is thus only the first stage on the way to a more comprehensive reform in the coming years.

Published by Globes, Israel business news – en.globes.co.il – on July 29, 2025.

© Copyright of Globes Publisher Itonut (1983) Ltd., 2025.

