Data Protection & Privacy 2026 Comparisons

Last Updated March 10, 2026

Contributed By Or-Hof Law

Law and Practice

Authors



Or-Hof Law is a leading Israeli boutique law firm specialising in data protection, privacy, cybersecurity and AI regulation. The firm advises organisations on navigating complex regulatory and governance challenges at the intersection of law, technology and business, with a strong focus on practical, implementation-oriented solutions. Or-Hof Law works closely with technology companies, multinational corporations, start-ups and regulated entities, supporting them in building compliant and resilient data governance frameworks. The firm is particularly recognised for its hands-on approach to privacy and cyber risk management, regulatory readiness, and cross-border data protection matters. The firm is led by Advocate Dan Or-Hof, a prominent figure in the Israeli and international privacy community, who serves as the IAPP Country Leader for Israel. Under his leadership, Or-Hof Law combines deep regulatory expertise with a business-minded, boutique practice model, offering tailored advice and close partner-level involvement on all matters.

Regulatory Sources and Their Interaction

The Israeli privacy legal system is a tiered framework in which constitutional principles are implemented through statutes and regulatory guidance.

  • Constitutional level: The Basic Law – Human Dignity and Liberty (1992) serves as the constitutional pillar. Section 7 protects the right to privacy and the confidentiality of communications and records. The courts rely on this right when interpreting the Privacy Protection Law, 5741-1981 (PPL), ensuring technological change does not erode substantive privacy protection.
  • Primary statute: Following Amendment No 13 to the PPL (effective 14 August 2025), the PPL shifted from a technical database registration regime to a comprehensive personal data processing framework. Key developments include –
    1. updated definitions of “personal data” and “Data of Special Sensitivity”, aligned with international standards;
    2. mandatory appointment of data protection officers (DPOs) for public bodies and service providers to such bodies, data brokers, providers of direct mailing services, and organisations engaged in “systematic monitoring” or large-scale processing of Data of Special Sensitivity; and
    3. expanded enforcement powers for the Privacy Protection Authority (PPA), including administrative fines and binding suspension orders.
  • Secondary legislation: Regulations enacted under the PPL, including –
    1. the Privacy Protection (Data Security) Regulations, 5777-2017 (the “Security Regulations”);
    2. the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 (the “Data Transfer Regulations”); and
    3. the Privacy Protection (Instructions for Data that was Transferred to Israel from the European Economic Area) Regulations, 5783-2023 (the “EEA-originated Data Regulations”).

Hierarchical Interaction and Sectoral Instruments

The Israeli legal system operates through a clear hierarchy.

  • Constitutional level: this guides interpretation of all lower-level legislation.
  • Primary legislation: the PPL operates as the lex generalis across sectors.
  • Secondary legislation: regulations impose mandatory technical and organisational measures.
  • Sectoral instruments: lex specialis rules apply, including health, financial, and labour law frameworks.

Israel retains EU adequacy status. The EEA-originated Data Regulations add a distinct layer of protection for EU-sourced data, including erasure and accuracy rights.

Extraterritorial Reach and Triggers

Unlike the GDPR’s explicit Article 3 triggers, extraterritorial application of the PPL is driven by case law and PPA interpretation. The PPA applies Israeli law where processing of Israeli residents’ data has a material privacy impact.

In summary, key application triggers include:

  • targeting the Israeli market (eg, Hebrew interface, local marketing);
  • databases containing significant volumes of Data of Special Sensitivity relating to Israelis; and
  • processing activities conducted within Israel (such as by local servers or R&D centres).

Interplay With AI, Cyber, and Non-Personal Data

The PPL increasingly intersects with other specialised regimes.

  • AI: Israel follows a sector-based approach. The 2025 PPA draft AI Guidelines (published 28 April 2025) apply the PPL across the AI life cycle, requiring privacy by design, transparency for automated decisions, and prohibiting unlawful scraping.
  • Cybersecurity: The Israel National Cyber Directorate (INCD) manages national and critical infrastructure security, issues voluntary cyber guidelines, and handles cybersecurity incidents in Israel, often alongside the PPA for data breaches involving personal information.
  • Non-personal data: The low “reasonable effort” re-identification threshold means that most datasets capable of re-identification are treated as personal data and are subject to the PPL. An anonymisation process applied to personal data would be regarded as a processing activity covered by the PPL, thereby subject to the supervision of the PPA.

Processing of personal data under Israeli law is now governed by a strict “consent or authority” model, following Amendment No 13 to the PPL, bolstered by substantial administrative enforcement powers.

General Principles for Data Processing

The Israeli framework, particularly after Amendment No 13, is based on several core principles applicable to all organisations.

  • Informed consent: Processing personal data without the data subject’s informed consent constitutes a violation of the law. Under current PPA guidance, consent must be granular and specific, and “bundled” consent (eg, service use combined with third-party marketing) is increasingly viewed as invalid.
  • Lawfulness of processing: Processing personal data for purposes other than those lawfully established, or beyond the controller’s authorisation, constitutes a violation of the PPL.
  • Purpose limitation: Data collected for a specific purpose (eg, contract performance) may not be reused for a different purpose (eg, AI training) without new, separate consent.
  • Transparency and disclosure: Section 11 of the PPL requires a “notice of collection” specifying –
    1. whether the provision of the data is legally required;
    2. the specific purposes of the collection;
    3. the identity of the controller;
    4. reasons for disclosing the identity of third-party data recipients;
    5. the consequences of refusal; and
    6. the data subject’s access and rectification rights.
    The EEA-originated Data Regulations and PPA guidance on transparency and AI include additional disclosure requirements.
  • Proportionality and data minimisation: Databases may contain only information that is strictly necessary for the declared purpose, and organisations must conduct periodic reviews to delete excess or outdated data.
  • Confidentiality: Breach of confidentiality relating to personal data constitutes a serious criminal offence, punishable by up to five years’ imprisonment.
  • Security: The Security Regulations impose detailed, risk-based obligations on database owners and holders.

Data Subject Rights

Individual rights have expanded significantly, particularly for databases containing EEA-originating data not directly provided by the data subject.

  • Access: Individuals may inspect personal data held about them, including digital records, audio-visual materials, and assessment data used in recruitment.
  • Right to rectification (correction) and a limited deletion right: Incorrect, incomplete, or outdated data must be corrected or deleted upon request.
  • Limited right to erasure: From 1 January 2025, individuals may request deletion of unlawfully obtained or no-longer-necessary EEA-originating data, subject to statutory exceptions.
  • Opt out of direct marketing: Individuals have an absolute right to demand removal from direct mailing lists. Failure to comply can lead to an immediate administrative fine of ILS15,000 per violation.
  • Withdrawal of consent: While not statutory, PPA draft guidance encourages controllers to respect consent-withdrawal requests.

Main Compliance “To Do’s” for Organisations

To mitigate exposure to the PPA’s enhanced enforcement powers, organisations should prioritise the following.

  • Assess whether they need to appoint a DPO: This is required of public bodies and service providers to such public bodies, data brokers, providers of direct mailing services, and organisations engaged in “systematic monitoring” or large-scale processing of Data of Special Sensitivity.
  • Data mapping: Maintaining up-to-date mapping of databases, systems, data categories, security levels, and EEA-originating data is required.
  • Database definitions document: It is necessary to prepare and maintain a database definition document, which underpins Israeli data protection governance and compliance.
  • Security compliance: Cybersecurity policies should be aligned with the Security Regulations, including non-standard requirements such as extended access-log retention.

Definition

Amendment No 13 changed “sensitive data” to “Data of Special Sensitivity”. The Israeli definition is broader than the GDPR’s “Special Categories of Data”, covering political opinions, religious beliefs, medical and genetic data, sexual orientation, intimate family life, biometric identifiers, criminal records, personality assessments, certain location data, payroll, financial transactions, and legally confidential data.

Enhanced Processing and Security Requirements

The PPL applies a unified consent model, coupled with heightened operational obligations.

  • Consent: Under the 2025 PPA Guidelines, explicit consent is preferable, and it should also be informed, clear and accessible.
  • Security tiers: Databases are classified as basic, medium or high security. Databases containing sensitive data fall under medium or high security, triggering enhanced safeguards such as security assessments and automated access monitoring.
  • Mandatory appointment of a DPO: Organisations engaged in large-scale processing of Data of Special Sensitivity are required to appoint a DPO.

Processing Data of Minors

Israel does not have a standalone children’s privacy statute. Protection derives from multiple sources.

  • Legal Capacity and Guardianship Law, 5712-1962: Minors lack full legal capacity; consent generally requires parental or guardian approval.
  • PPA Guidelines on “Sharenting” and Social Media: These emphasise the best interests of the child, particularly in online exposure.
  • Age assurance: Platforms targeting minors are expected to implement age-gating or age-assurance where sensitive profiling is involved.

Criminal Convictions and Foreclosures

Criminal data is tightly regulated by the Criminal Record and Rehabilitation of Offenders Law, 5779-2019, and the PPL. Private organisations cannot request or use this information, and the PPA bans unauthorised “blacklists” related to criminal history or foreclosures.

Sectoral Overlaps: Health and AI

Health data: This is subject to strict confidentiality, with PPA guidance requiring a Privacy Impact Assessment before deploying new digital health tools.

Artificial intelligence: Draft 2025 PPA guidance requires heightened transparency, explainability, and human oversight when AI systems are trained on sensitive data.

Anonymisation of Patient Data for Product Development and Research

Under the Ministry of Health Circular 1/2018, companies serving Israeli healthcare providers can anonymise patient data for product development or research. This interim guidance sets out the framework until comprehensive regulation is established.

Key requirements

The circular favours anonymised data, requiring healthcare organisations to use it whenever possible. Identifiable patient data for secondary purposes is only accessible with legal authorisation or patient consent; otherwise, only anonymised data may be used.

Until unified standards exist, organisations should follow expert advice and best practices to ensure anonymisation is irreversible and re-identification is not possible.

Permitted uses

Anonymised data can support product development, quality improvement, research and statistics. Organisations must prove robust anonymisation and minimal re-identification risk.

Impact of European Health Data Space

As of early 2026, Israel’s functional equivalent to the European Health Data Space (EHDS) is the Health Information Mobility Law, 5784-2024 (enacted July 2024).

Key similarities

The law reflects the EHDS “primary use” objectives by mandating health data portability between Health Maintenance Organisations (HMOs), hospitals and private clinics, via a centralised Ministry of Health system enabling real-time patient access management.

Main differences

  • The Israeli framework currently excludes secondary use for research and innovation, which remains governed by the Patient’s Rights Law and Circular 1/2018.
  • Most operational obligations will enter into force in July 2027, whereas EHDS implementation began in early 2025.
  • Both regimes require high interoperability, with Israel adopting the Fast Healthcare Interoperability Resources (FHIR) standard to ensure compatibility with European systems.

As of early 2026, Israel’s regulatory framework for AI has matured significantly. While no single “AI Act” equivalent exists, the PPA and the Ministry of Innovation, Science and Technology have established a comprehensive regime through binding guidance and the full implementation of Amendment No 13. In addition, specific sectors have developed their own AI guidelines, notably the Bank of Israel inter-ministerial team report addressing AI in the financial sector.

Primary Legal Framework and Specific Guidance

The use of personal data in AI is governed by the PPL, as amended by Amendment No 13, and supplemented by the draft 2025 PPA Guidelines on the application of the PPL to AI systems.

Key legal pillars include:

  • Applicability to the life cycle: Privacy obligations apply across all stages of AI use, including collection, training, deployment and inference.
  • Inferred data: AI-generated conclusions (such as health or credit predictions) qualify as personal data and are subject to full protection.
  • Scraping prohibited: Unauthorised scraping of personal data for AI training is prohibited, in the absence of a valid legal basis or explicit consent.

Risk-Based Regime and Automated Decision-Making

Israel follows a sectoral, risk-based approach rather than a horizontal framework:

  • High-impact decisions – AI systems materially affecting individuals (eg, hiring, insurance pricing, or medical diagnosis) are treated with greater scrutiny.
  • Sectoral overlays – Financial and life sciences regulators require explainability and bias testing.
  • The “reasonableness” test – The courts apply administrative law principles to assess proportionality and non-discrimination in automated public-sector decisions.

Transparency and Data Governance

Under the 2025 PPA draft AI guidance, organisations are expected to:

  • disclose AI use and provide meaningful explanations of data processing;
  • conduct privacy impact assessments (PIAs); and
  • involve boards of directors in approving AI governance, particularly where Data of Special Sensitivity is involved.

Human Oversight and Prohibited Categories

  • Prohibited categories: While no categorical bans exist, practices such as social scoring are likely to be deemed unreasonable or unconstitutional.
  • Human-in-the-loop: Strong preference exists for human review and appeal mechanisms in high-impact systems.

Israeli data breach notification requirements are governed by Section 11 of the Security Regulations and further detailed in PPA guidance dated 7 August 2022 (as amended 1 September 2025).

Notification Triggers and Assessment

Organisations must assess three elements when determining whether notification to the PPA is required:

  • whether Israeli privacy law applies based on sufficient territorial connection;
  • whether the incident constitutes a “Severe Security Incident”; and
  • whether any statutory or regulatory exceptions apply.

Following notification, the PPA may instruct the organisation to notify affected data subjects.

Definition

A “Severe Security Incident” is defined by reference to the database’s security classification.

For high-security databases, any unauthorised use of data or damage to data integrity triggers notification.

For medium-security databases, notification is required where a substantial portion of the database is accessed without authorisation or its integrity is materially compromised.

Databases classified at the basic-security level are generally exempt from notification obligations.

Security Level Classification

Security classification is based on data sensitivity and database scale.

Medium security applies to databases containing Data of Special Sensitivity, databases used for direct marketing, and databases controlled by public bodies.

High security generally applies where medium-level databases grant access permissions to more than 100 individuals or contain records relating to 100,000 individuals or more.

Notification Procedures and Timing

Where notification is required, organisations must act immediately upon discovery. Notifications are submitted via the PPA’s designated online form and may be filed by legal representatives, including in English. Certain HR databases may qualify for exemptions and fall within the basic-security level.

Authority Investigations and Litigation Exposure

Following notification, the PPA may initiate investigations and order corrective measures, including mandatory notice to data subjects. Organisations face potential mass privacy litigation, as Israeli law provides civil remedies for privacy violations. This combined regulatory and litigation exposure heightens compliance and reputational risks, making early assessment and timely notification critical.

The PPA, operating as an independent authority pursuant to Government Decision No 1890, serves as Israel’s principal data protection regulator. Following the entry into force of Amendment No 13 to the PPL on 14 August 2025, the PPA has emerged as a highly active regulator with significantly expanded powers.

The PPA’s mandate extends beyond classic data protection to encompass all privacy matters, including physical intrusions into privacy, and applies to both public bodies (including government ministries and municipalities) and private entities. It oversees compliance with the PPL and its implementing regulations, enforces regulatory guidance as binding obligations, and exercises authority over database registration and notification, data brokers, DPOs, and cross-border data transfers.

Investigative Workflow and Triggers

Enforcement proceedings may be initiated through multiple channels. Mandatory breach notifications trigger investigations in cases of Severe Security Incidents affecting medium or high-security databases.

In parallel, the PPA conducts proactive, cross-sector inspections, particularly in industries handling Data of Special Sensitivity. Media reports and public complaints increasingly prompt investigations, alongside routine audits of organisations processing large volumes of personal data.

Enforcement Powers

The PPA now wields extensive administrative powers. It may impose monetary sanctions reaching millions of shekels, issue orders suspending unlawful processing, initiate criminal investigations for serious violations, and mandate corrective measures, including notification to affected individuals.

Co-Ordination Mechanisms

Cross-border co-ordination is facilitated through Israel’s EU adequacy status, requiring alignment with GDPR standards for databases containing EEA-originated data.

Binding Nature of Guidance

In practice, the PPA treats its directives as binding norms. PPA officials have stated that guidance will be enforced as if it were statutory, creating a quasi-legislative compliance layer beyond the text of the PPL and its regulations.

Initiation and Conduct of Enforcement Proceedings

The PPA initiates enforcement proceedings through proactive and reactive channels. Proactive enforcement includes systematic monitoring, while reactive investigations are triggered by information from regulatory bodies, public institutions, media reports, complaints from individuals or competitors, and intelligence tools.

Once potential violations are identified, the PPA applies a graduated enforcement toolkit tailored to the severity and nature of the breach. Authorised investigators and supervisors may demand documents and information, enter premises where databases are reasonably believed to operate, conduct searches, and seize items pursuant to the Criminal Procedure Ordinance (Arrest and Search) [New Version], 5729-1969.

Computer investigations, particularly in residential premises, require prior judicial authorisation from a magistrate’s court judge, and all PPA investigators are certified in computer investigations.

Available Sanctions and Remedies

The enforcement framework comprises criminal, administrative, and supervisory measures. Criminal investigations may lead to indictments. Administrative tools include supervised remediation, suspension or revocation of database registration, formal determinations of violations, and administrative fines for specific breaches of the PPL.

Administrative Fine Decision Process

After considering arguments submitted under Section 23(kh) of the PPL, the PPA determines whether to impose an administrative fine and may reduce its amount. The authority must issue either a reasoned payment demand specifying the fine, payment period, and 45-day appeal right, or a reasoned decision declining enforcement. If no arguments are submitted within the statutory period, the notice of intent automatically becomes a payment demand.

Enhanced Penalties for Continuing and Repeat Violations

For continuing violations, an additional 1% of the base fine accrues daily following issuance of a payment demand, excluding appeal periods unless otherwise ordered.

Repeat violations, defined as breaches of the same provision within two years of a prior fined violation, result in doubling of the penalty.

Reduced Fine Provisions

Administrative fines below statutory minimums may be imposed only in limited circumstances and subject to strict statutory conditions.

Appeal Rights and Timelines

Appeals against administrative enforcement actions must be filed with the magistrate’s court within 45 days. Appeals do not automatically stay enforcement unless approved by the PPA director or ordered by the court. The courts may affirm, modify, annul, or remit the decision with instructions. Where a fine is paid and the appeal succeeds, the refund includes index-linked interest from payment to refund.

Amendment No 13

The enactment of Amendment No 13 to the PPL in August 2025 represents the most significant reform of Israeli privacy law since 1981.

The amendment substantially expands the PPA’s enforcement powers, including the authority to impose administrative fines, suspend database operations, and conduct criminal investigations.

It also introduced mandatory appointment of DPOs and enhanced transparency obligations, and it broadened the PPA’s regulatory authority.

Adequacy Status Reaffirmation

In January 2024, the European Commission reaffirmed Israel’s GDPR adequacy status, ensuring uninterrupted data flows between Israel and the EEA. While reinforcing Israel’s attractiveness as a data hub, the decision maintains heightened compliance expectations for databases containing EEA-originated personal data.

Surge in Cyber-Related Enforcement

Following the October 2023 conflict, Israel experienced a rise in cyber-attacks. In response, the PPA intensified enforcement, managing 282 supervisory files and handling 224 Severe Security Incident reports in 2024. Enforcement actions included violation determinations and administrative fines against municipalities and medical centres for inadequate data security.

Cross-Sectoral Supervision Expansion

In 2024, the PPA expanded proactive, sector-wide audits across six additional industries, examining 175 entities in sectors including fintech, real estate, and mental health services. This supervision model, now embedded in Amendment No 13, aims to identify systemic risks at an early stage.

Practical Takeaways

Organisations should prepare for expanded DPO obligations, enhanced security testing (typically on an 18-month cycle), strengthened consent and transparency mechanisms, and continuous data mapping. Early enforcement actions, including an ILS70,000 fine imposed on HOT Telecommunication Systems Ltd, signal the PPA’s intention to actively exercise its expanded powers.

Over the past 24 months, privacy and data-related litigation in Israel has increased markedly, with a rise in both individual claims and attempted class actions against private corporations and public bodies. Alongside regulatory enforcement by the PPA, courts are increasingly called upon to resolve civil disputes arising from data breaches and unauthorised processing of personal information.

Claimant Profiles and Causes of Action

Claims are brought by both individuals and groups. Individual actions typically arise in interpersonal and employment contexts, including unauthorised access to email or mobile devices, workplace surveillance, and unlawful disclosure of personal information. Such claims are commonly based on infringement of privacy without consent under Section 2 of the PPL, together with negligence and breach of statutory duty.

At the collective level, there has been a growing number of class actions against technology companies, healthcare providers, and other data-intensive organisations. These cases generally concern large-scale data breaches or systematic unauthorised processing, and rely on privacy infringement, breach of confidentiality, unjust enrichment, and related tortious causes of action, including misleading consumer practices under the Consumer Protection Law, 5741-1981. Courts increasingly focus on admissibility issues, including standing and the applicability of consumer-based causes of action.

Remedies and Non-Material Damage

Israeli law expressly recognises compensation for non-material harm. Section 29A of the PPL permits statutory damages without proof of actual loss, subject to a statutory cap. Courts assess such damages on a case-by-case basis, considering the gravity of the infringement and deterrence needs, while generally adopting a restrained and proportionate approach. The Class Actions Law, 5766-2006, expressly permits compensation for non-monetary harm, reflecting the public interest in addressing widespread privacy violations.

Israeli courts have significantly clarified the procedural boundaries of privacy litigation following the enactment of Amendment No 13, particularly in class actions, which remain the primary vehicle for privacy claims in Israel.

Class Action Limits and the “Trader-Customer” Relationship

Recent case law reflects a restrictive interpretation of the Class Actions Law. In Greenblat v Meta Platforms, Inc (2025), the Central District Court rejected a class action brought by non-users whose data was allegedly collected via third-party tracking, holding that commercial benefit alone does not establish a customer relationship. Similarly, in Osher (Estate) v Tel Aviv Sourasky Medical Center (2025), the court ruled that public hospitals generally provide public, rather than consumer, services, thereby limiting privacy-based class actions against public bodies.

The Modern Standard for Informed Consent

While narrowing standing, courts have raised the standard for consent. In Aviv v Meta Platforms (2025), the court approved a class action concerning the use of users’ names and profile photos in “social ads”. The court held that consent under Section 3 of the PPL must be genuinely informed, and that bundling consent to privacy practices within general terms of use is likely insufficient to establish lawful consent. This has driven a shift towards clear, separate and specific consent mechanisms.

Statutory Damages Without Proof of Harm

The courts have also reinforced Section 29A of the PPL, which permits statutory damages of up to ILS100,000 per violation without proof of actual harm. In Ploni v Almonit (2025), the court emphasised deterrence as the primary rationale, holding that unlawful technological intrusion alone may justify significant compensation, particularly where transparency obligations are breached.

In Israel, collective redress is primarily pursued through class actions under the Class Actions Law. Although Israel lacks an equivalent to the EU Representative Actions Directive, its class action regime is highly active, particularly in consumer disputes, including privacy and cybersecurity claims.

Class Actions

Israel applies a “closed list” model, permitting class actions only for causes listed in the Second Schedule. In privacy and AI cases, claims are typically framed through consumer law, by characterising data processing as part of a service provided by a “trader” to a “consumer”.

Admissibility criteria and thresholds

A court may approve a class action if the following cumulative conditions are met at the preliminary stage.

  • Personal cause of action: The representative plaintiff must demonstrate a direct claim; “non-user” classes have been rejected (Greenblat v Meta).
  • Commonality: Substantial common legal or factual questions.
  • Reasonable possibility of success: A prima facie merits assessment.
  • Efficiency and fairness: The class action must be the most appropriate procedural vehicle.
  • Adequacy of representation: Good faith and competent representation.

Procedure and indicative timelines

  • Phase I – Certification: Typically decisive; respondents have 90 days to respond, and proceedings may last several years.
  • Phase II – Merits: If certified, the case proceeds to trial, though most cases are settled or dismissed earlier.

Typical relief and statutory damages

Courts may award monetary compensation (individual or aggregate), statutory damages under Section 29A of the PPL without proof of harm, cy-près relief via the Class Actions Fund, and injunctive remedies.

Recent developments: privacy and AI contexts

Amendment No 13 strengthened privacy-based class actions, while recent case law confirms that web scraping alone does not establish a consumer relationship (OpenAI v Haim Barak Cohen (2025)). A proposed 2026 amendment seeks to curb abusive filings through pre-action notice mechanisms.

As of 2026, regulation remains centred on the PPL, but emerging legislative initiatives increasingly address the broader data economy, drawing inspiration from the EU’s digital strategy.

Statutory Scope: The “Reasonable Identifiability” Test

The core principle remains that data is regulated under the PPL only if it relates to an “identified” or “reasonably identifiable” natural person.

  • Anonymised data: Under the 2025 PPA Guidelines on Anonymization, data stripped of identifiers falls outside the PPL where re-identification would not be possible with reasonable effort, considering available technology and auxiliary datasets.
  • Corporate and industrial data: Purely machine-generated data (eg, industrial telemetry) and internal business data are generally excluded from the PPL and are governed by the Trade Secrets Law, 5759-1999, and contractual arrangements.

Sectoral Data-Sharing Frameworks

Israel has no horizontal equivalent to the EU Data Act, and data-sharing obligations are sector-specific:

  • The financial sector (open banking) – The Financial Information Service Law, 5782-2021, mandates data sharing with licensed third parties at the user’s request, covering personal data and certain non-personal elements such as pricing and product metadata.
  • The health sector (information mobility) – The Health Information Mobility Law, 5784-2024, facilitates data exchange between healthcare providers and standardises interoperability, including adoption of the FHIR standard.

The 2026 Digital and AI Reform: Towards a “Data Act”

A proposed 2026 reform package mirrors elements of the EU Data Act and AI Act, including:

  • clarification of access and sharing rights in data generated by connected products;
  • safeguards permitting refusal of data sharing where trade secrets are at risk; and
  • cloud portability obligations aimed at reducing vendor lock-in.

Interaction With Cloud and IoT

Cloud and IoT regulation is shaped by PPA directives and IoT security guidelines. The framework distinguishes between controllers and holders, with cloud providers often acting as holders. Even non-personal cloud data is scrutinised where it forms part of mixed datasets containing personal data, triggering heightened safeguards under the EEA transfer regime.

The interaction between these frameworks has been clarified by Amendment No 13 and the 2025 PPA Guidelines. Data processing in Israel is now viewed as a continuous spectrum in which privacy, confidentiality and proprietary rights intersect.

Legal Basis and Purpose Limitation

The primary legal basis for processing personal data remains informed consent or statutory authorisation. Amendment No 13 has tightened the standard for a “lawfully established purpose”:

  • Granular transparency – Under the 2025 PPA Guidelines, consent for complex processing (including AI training and IoT telemetry) must be explicit, separate from general terms, and assessed across the data life cycle.
  • Purpose limitation – Section 8(b) of the PPL strictly limits secondary use. In 2026, the PPA actively enforces this against “data creep”, particularly where consumer data is repurposed for AI development without renewed consent.

Statutory and Professional Confidentiality

Confidentiality obligations apply cumulatively, even where a lawful basis exists.

  • Section 16 of the PPL: Prohibits disclosure of data obtained through one’s role or database access except for work purposes or by court order; breaches give rise to civil and potential criminal liability.
  • Holder (processor) obligations: Cloud providers and other holders bear direct statutory duties, preventing reuse of client data unless expressly authorised and disclosed.

IP and Trade Secret Protection of Non-Personal Data

Purely non-personal data is protected primarily under trade secret and contract law.

  • The “reasonable measures” test: Courts assess trade secret protection by reference to technical and organisational safeguards, increasingly aligned with the Security Regulations.
  • Contractual protection: For IoT and life sciences datasets, contractual restrictions (such as no-scraping and no-derivation clauses) remain the principal IP protection mechanism.

The Interaction: the Identifiability Boundary

The key friction point arises where privacy obligations override IP interests.

  • Reasonable effort: Data is treated as personal where re-identification is reasonably feasible.
  • Regulatory consequence: Where proprietary datasets contain insufficiently anonymised Data of Special Sensitivity, the PPA may order deletion or “unlearning” of trained models, effectively negating the underlying IP.

Following the full implementation of Amendment No 13 and the publication of multiple PPA Guidelines, Israeli data protection law has shifted from a technical registration-based regime to an accountability-driven framework.

The PPL now provides a comprehensive set of rights and obligations broadly aligned with international standards, while preserving distinct Israeli features and remaining materially different from a GDPR-style regime.

  • Enhanced access and rectification: Data subjects have a statutory right to access their personal data and request correction of inaccurate or outdated information. Non-compliance may result in administrative fines and statutory damages without proof of harm.
  • The right to deletion (erasure): Israeli law recognises a limited right to deletion. Deletion is mandatory for direct marketing databases and for personal data transferred from the EEA other than by the data subject. In other cases, data must be deleted once the lawful purpose is exhausted; no general “right to be forgotten” exists.
  • Transparency and disclosure (section 11): Before collection, organisations must provide a clear privacy notice identifying the controller, processing purposes, legal or contractual requirements, and consequences of refusal. Amendment No 13 strengthened enforcement of these obligations.
  • Mandatory DPO and accountability: Public bodies, data brokers and organisations engaged in large-scale or systematic processing of sensitive data must appoint a DPO and maintain statutory compliance documents, including database definitions, structure documentation, and a written information security procedure.

Rights and Obligations for Non-Personal Data

Israel lacks a horizontal equivalent to the EU Data Act; regulation therefore relies on sectoral rules and contracts.

  • Portability and interoperability: These apply only in regulated sectors, notably financial services (Financial Information Service Law, 2021) and healthcare (Health Information Mobility Law, 2024), with phased implementation through 2027.
  • Switching and termination: Outside regulated sectors, exit and data retention rights are governed primarily by contract, subject to trade secret protections.
  • IP and trade secrets: Non-personal data is typically protected as a trade secret under the Commercial Torts Law (1999), subject to reasonable safeguards.

Main Necessary Action for Organisations

To align with the 2026 framework, organisations should prioritise:

  • appointing a DPO and an information security officer, where required under the PPL, and considering voluntary appointment where the statutory thresholds are not met;
  • data mapping and classification, particularly of Data of Special Sensitivity;
  • updating data processing agreements (DPAs) with vendors and cloud providers, and managing the vendor risk life cycle, including pre-engagement reviews, periodic cybersecurity audits, and oversight;
  • maintaining and updating statutory documents under the Security Regulations;
  • adopting internal AI governance policies;
  • updating privacy notices to clearly disclose AI use, automated decision-making, and marketing activities, including consequences of refusal;
  • conducting cybersecurity risk assessments and audits in line with the Security Regulations; and
  • establishing and testing a security incident and breach notification response plan.

The enforcement of data protection and privacy in Israel is carried out by a co-ordinated network of authorities that has become increasingly integrated as of early 2026. The primary regulator, the PPA, now operates under a mandate significantly expanded by the 2025 reforms.

The PPA

The PPA is the lead authority enforcing the PPL. Following Amendment No 13, it has transitioned from a registry-based supervisor to a full enforcement agency. The PPA is authorised to impose administrative fines of up to ILS320,000 per cybersecurity violation and up to millions of shekels for database and personal data governance violations; issue binding processing suspension orders; order deletion of unlawful databases (subject to court approval); and conduct criminal investigations, including searches and seizures under partial judicial oversight.

The Israel Competition Authority (ICA)

The ICA enforces the Economic Competition Law and increasingly co-ordinates with the PPA where data concentration raises competition concerns. In 2025–2026, it scrutinised data-intensive mergers, particularly in the technology and fintech sectors. Co-ordination is formalised through inter-ministerial mechanisms, notably under the Financial Information Service Law, balancing data portability with privacy and security requirements.

The Israel National Cyber Directorate (INCD)

The INCD is responsible for national cybersecurity and critical infrastructure protection. While the PPA addresses privacy impacts, the INCD provides technical guidance and incident containment. Co-ordination is most visible during Severe Security Incidents, where reporting to both authorities may be required.

Sectoral Competent Authorities

Additional regulators enforce privacy-related obligations within their domains:

  • The Bank of Israel – Banking privacy and open banking supervision.
  • The Ministry of Health – Confidentiality and data sharing under the Patient Rights Law and the Health Information Mobility Law (2024).
  • The Securities Authority – Disclosure of material privacy incidents by public companies.

Recent Enforcement Trends in 2026

Key trends include:

  • lateral supervision – sector-wide audits focusing on systemic compliance;
  • board-level accountability – privacy treated as a governance risk, with potential director exposure for compliance failures under PPA guidance;
  • the AI enforcement drive – proactive action against unauthorised web scraping and biometric processing, supported by pre-rulings; and
  • judicial barriers to digital searches – digital searches require narrowly tailored judicial authorisation to ensure proportionality.

Following the entry into force of Amendment No 13 to the PPL, the 2025 PPA Guidelines on Informed Consent, the PPA’s 2021 recommendation for cookie opt-in in its guidance on Privacy in Advanced Payment Methods, and the rise in cookie-related class actions, the Israeli market has placed increased focus on cookie consent. As a result, Israeli websites increasingly deploy cookie banners in various formats.

Status of Identifiers as Personal Data

Under the modernised PPL, personal data includes any information enabling identification with reasonable effort. This may include:

  • online identifiers – cookies, MAC addresses, and advertising IDs (such as IDFA or AAID);
  • network data – IP addresses and device fingerprints; and
  • geolocation – real-time and historical location data collected via software development kits (SDKs).

As these identifiers may qualify as personal data, their collection requires an identifiability assessment and may trigger full PPL obligations, including notice and informed consent requirements.

The Mandatory Opt-In Consent Model

Although the PPL does not expressly regulate cookies, the 2025 PPA draft consent guidance requires informed, freely given consent for processing personal data, including common cookie-based activities such as analytics, advertising, user journey analysis, and marketing automation.

The following problem areas and solutions have been identified:

  • Implied consent difficult to substantiate – The PPA indicates that reliance on implied consent requires substantial evidence of actual consent.
  • Defective consent – Pre-ticked boxes and vague descriptions are considered invalid, with the burden on organisations to demonstrate valid consent.

Transparency and Notice Requirements (Section 11)

At the point of collection, users must receive notice identifying the controller, specifying processing purposes, explaining consequences of refusal, indicating access and rectification rights, and disclosing third-party recipients and purposes of data sharing.

The regulation of personalised and targeted advertising in Israel is governed by a framework significantly modernised through Amendment No 13 to the PPL.

The Two Regulatory Pillars

Targeted advertising operates under two complementary statutes:

  • The PPL – Governs profiling and direct mailing, defined as contacting individuals based on database segmentation.
  • The Communications Law (Telecommunications and Broadcasting), 5742-1982 (the “Spam Law”) – Section 30A regulates the transmission of commercial messages via electronic means, including email and other electronic messages, mobile text messages, faxes and automated calls.

Profiling and Data of Special Sensitivity

Amendment No 13 expanded Data of Special Sensitivity to include location data, financial activity, and biometric identifiers.

Mandatory DPO

Entities whose core activity is to provide direct mailing services and which process the data of over 10,000 individuals must appoint a DPO.

Database registration

Registration remains mandatory for databases used for the commercialisation of personal data, including data brokers and, potentially, ad-tech companies.

Consent and Opt-In Requirements

Under the PPL, direct mailing notices must disclose the controller’s identity, data source (especially third-party data), opt-out rights and, where applicable, the database registration number. Under the PPA’s 2017 Direct Mailing Guidelines, consent for direct mailing services unrelated to the transaction’s purpose (eg, lead generation or data enrichment) must be obtained through an active and explicit indication of consent.

Following Aviv v Meta Platforms (2025), bundling consent to privacy practices, particularly advertising uses, with acceptance of general terms of use is likely to invalidate such consent.

By contrast, where an organisation sends direct mailing to its own customers regarding products or services related to its core offering, it is generally sufficient to disclose the intended use and provide an opt-out mechanism, even if opting out results in service termination.

Under the Spam Law, prior written or electronic consent is required, subject only to the narrow “existing customer” exception. Consent to receive advertising must be separate from consent to terms of use or other privacy practices.

Protection of Children and Sensitive Categories

Children’s privacy (under 18)

Minors generally lack the legal capacity to consent independently. However, legal acts that minors of their age are accustomed to performing, such as routine, low-risk transactions, are generally valid. Platforms targeting children should implement age-assurance mechanisms, and profiling based on children’s sensitive data requires verified parental consent.

Sensitive profiling

Advertising based on Data of Special Sensitivity requires explicit opt-in. The PPA’s 2025 AI Guidance cautions against indirect “inference attacks” designed to deduce sensitive traits.

The landscape for workplace privacy in Israel is shaped by the PPL and its regulations, together with landmark rulings of the National Labor Tribunal and additional labour case law.

The Core Legal Standards

The main governing principles are as follows.

  • In Isakov v State of Israel (2011) (“Isakov”), the National Labor Tribunal required any employer seeking access to an employee’s mailbox and digital assets on the employer’s computer systems to meet cumulative tests of legitimacy, proportionality, and transparency.
  • In the New General Federation of Labor (Histadrut) v the Municipality of Kalanswa (2017), the National Labor Tribunal prohibited employers from requiring employees to use a fingerprint-based biometric attendance system without authorisation by law, or with the employees’ informed and freely given, separate and explicit consent.
  • Under the Security Regulations, subject to certain conditions, databases containing employees’ personal data are subject to a low level of security (the basic level), even though they contain Data of Special Sensitivity.
  • Use of CCTV in the workplace environment is subject to substantial governance rules and limitations under the PPA Guideline 5/17.
  • Use of location-based (eg, through GPS) monitoring of employees is restricted to necessary use cases and only during work time, pursuant to several Labor Tribunal decisions.
  • Employers do not have access to employees’ and job candidates’ criminal records and are forbidden to take into consideration any criminal proceedings related to employees and job candidates, even if the information is received indirectly, including from media and online resources.

Monitoring and Time Tracking

Monitoring is permitted only for legitimate business purposes and with maximum transparency:

  • Email and IT monitoring – Employers may monitor professional mailboxes only. Access to personal mailboxes requires a court order. Mixed mailboxes may be accessed only with employee consent and under strict limitations.
  • Video surveillance – Under Mark Friedman Ltd v Elkner (2025) and PPA guidance, cameras near individual workstations are generally prohibited; surveillance is permitted only in common areas for security purposes and pursuant to a written policy.
  • Biometric identification – As biometric data is highly sensitive, employers must provide non-biometric alternatives and may not disadvantage employees who refuse biometric identification.

Remote Work and IT Systems

The PPL contains no specific provisions on employee monitoring; the applicable framework is derived primarily from Isakov and PPA Guideline 5/17 (Use of Surveillance Cameras in the Workplace).

Monitoring of digital activity is considered a significant intrusion and is permitted only where it serves a defined and legitimate purpose, complies with proportionality, is conducted under a clear policy, and is supported by informed consent.

In remote or hybrid work environments, monitoring must therefore be narrowly tailored, limited in scope and duration, and designed to minimise intrusion into employees’ private content, whether employer systems or personal devices are used.

Background Checks and Recruitment

The processing of applicant data is governed by the PPL, the Equal Opportunities in Employment Law, 5748-1988, and the Criminal Information and Rehabilitation of Offenders Law, 5741-1981.

Employers are generally prohibited from requesting criminal record certificates, except where expressly authorised by law and strictly relevant to the position. Even then, processing remains subject to necessity, proportionality and purpose limitation.

PPA Guideline 2/2012 requires transparency regarding assessment methods, informed consent, proportional data collection, and deletion of applicant data once no longer required. These principles apply to assessment centres and technology-assisted recruitment tools to the extent personal data is processed.

The intersection of privacy law and M&A in Israel is governed by the modernised PPL, following Amendment No 13, and PPA Directive 2/2024 on the Transfer of Ownership in a Database.

Pre-Closing and Due Diligence

Any disclosure of personal data during due diligence is subject to strict proportionality:

  • Data minimisation – Sellers should avoid sharing identifiable data (such as full employee files or unmasked customer lists). The PPA expects the use of clean rooms, and anonymised or aggregated datasets.
  • Confidentiality agreements – Disclosures must be covered by NDAs containing dedicated data protection clauses, strictly limiting use to transaction evaluation.
  • Risk assessment – Buyers should review the target’s Database Definition Document and confirm whether a DPO was appointed where legally required.

Change of Control and Notification Requirements

PPA Directive 2/2024 treats database transfers as events affecting data subjects’ rights:

  • Mandatory notification – Data subjects must be informed of the change in ownership and the identity of the new controller, and allowed to exercise their rights, including deletion prior to transfer.
  • Consent v notice – Where the new owner’s characteristics differ substantially from those of the original owner in a manner likely to affect data subjects’ rights or expectations, notice alone may be insufficient and prior consent may be required, even if processing purposes remain unchanged.

Circumstances Requiring Explicit Opt-In Consent

Explicit consent is required in either of the following circumstances:

  • a change of purpose, where the buyer intends secondary use beyond the original purpose (eg, AI training or cross-selling); and/or
  • a material difference in the nature of the owner, where the buyer’s activities or ethical profile differ substantially from those of the seller.

Post-Closing Integration and Compliance

After closing, the buyer assumes full controller responsibility for:

  • Database registration and notification – assessing whether notification or registration obligations are triggered.
  • Updating governance documents – updating the Database Definition and Database Structure Documents and applying the buyer’s security regime in accordance with the Security Regulations.
  • Statutory liability – buyers may inherit liability for past violations. Enhanced privacy due diligence and contractual indemnities have therefore become standard in Israeli M&A transactions.

Legal Framework

Cross-border data transfers are governed by the Data Transfer Regulations and the PPL.

  • Personal data: Regulation 1 prohibits transfers from Israel unless the destination ensures a level of protection no less than that provided under Israeli law.
  • Non-personal data: This is generally outside the ambit of the PPL, though sectoral regimes (eg, banking, insurance, defence and export control) may restrict transfers of sensitive industrial or state-related data.

What Counts as a “Transfer”

The PPL and PPA guidelines do not define “transfer”. However, as with the GDPR, it is likely that the interpretation of transfer will include:

  • physical or digital relocation of data to foreign servers (eg, cloud storage); and
  • remote access.

Mechanisms for Lawful Transfer

Transfers are permitted where adequacy exists (Regulation 1) or an exemption applies (Regulation 2), including:

  • the data subject having given informed consent for the transfer;
  • transfer to a country that has ratified Convention 108;
  • transfer to a country recognised as “adequate” by the EU Commission;
  • contractual safeguards binding the recipient to Israeli-equivalent data protection standards;
  • intra-group transfers to controlled affiliates (eg, subsidiaries) subject to guaranteed protections;
  • vital interests, where the transfer is necessary for the data subject’s health or physical well-being and consent cannot be obtained;
  • public availability, where data was lawfully made public or opened for public inspection;
  • public safety or security, where the transfer is necessary for such purposes; and
  • mandatory transfers required under Israeli law.

Onward Transfers

Following the PPA’s 2024–2025 position papers, Regulation 3 is applied more flexibly:

  • controller consent – prior written approval required;
  • equivalency – onward transfer must meet the same standards as a direct transfer from Israel; and
  • sub-processing – sub-processors must be bound by equivalent obligations.

EEA-Originating Data

Under the EEA-originated Data Regulations, enhanced protections apply:

  • expanded rights – stronger erasure, accuracy, and notice rights apply regardless of nationality; and
  • purpose limitation – processing must strictly align with the original EEA transfer purpose.

Export Control (Defence and Dual-Use)

Israel maintains a stringent export control regime under the Defence Export Control Law (2007) and the Import and Export Order (Dual-Use).

Scope of applicability

The Export Control Law and Export Order apply to:

  • defence items – products, services, or know-how (including data) listed on the Defence Export Control List, based on the Wassenaar Arrangement and Israeli security needs;
  • dual-use items – civilian goods with potential military application; and
  • encryption – defence-grade encryption (Ministry of Defence) and civilian encryption products (Ministry of Economy).

Requirements and filings

  • Registration with the Defence Export Control Agency (DECA/API).
  • A marketing licence is required before negotiations or disclosure of technical data to foreign parties.
  • An export licence is required for the actual transfer of goods or know-how.

Privacy and Data Protection

Cross-border transfers of personal data are regulated separately under the Data Transfer Regulations.

Scope of applicability

Any transfer of personal data from an Israeli database to a recipient outside Israel.

Requirements and filings

  • Transfers of personal data do not require prior filing or approval from the PPA.
  • Where database registration is required, the registration must disclose overseas data transfers.

There is no general data localisation or residency requirement under Israeli law. Instead, the PPL and the Data Transfer Regulations regulate cross-border transfers rather than mandating domestic storage.

In practice, sector-specific regulation and the likely interpretation of what constitutes a “transfer” impose significant practical constraints.

Data Localisation and Remote Access Across Sectors

Sector-specific regimes govern data storage, security and access. Financial services, insurance and pensions, healthcare, and public bodies apply tailored rules reflecting confidentiality, risk, and national security concerns.

Organisations operating across sectors must therefore navigate overlapping and cumulative obligations.

Financial Sector Example

The financial sector demonstrates how functional localisation requirements arise in practice.

Directive 362 (Cloud Computing) restricts banking corporations from storing or processing sensitive information on foreign cloud infrastructure unless GDPR-equivalent protection is ensured.

Directive 364 (Management of IT, Information Security, and Cyber Protection Risks) permits remote access to sensitive systems only under strict safeguards, including encryption, multi-factor authentication, continuous monitoring, and access limited by business necessity.

In effect, while no formal localisation mandate exists, sectoral rules often produce localisation-like outcomes across regulated industries.

Blocking Statutes and Foreign Judgments

Israel has no general “blocking statute” prohibiting compliance with foreign discovery. However, sector-specific secrecy regimes may effectively restrict disclosure.

  • Foreign Judgments Enforcement Law, 5718-1958: Foreign judgments, including discovery orders, are not self-executing and require an Israeli court declaration of enforceability.
  • The “Public Policy” Defence: Enforcement will be denied where it contradicts Israeli public policy, including disproportionate infringements of privacy or trade secrets.

Foreign Discovery and the Hague Evidence Convention

Israel is a party to the Hague Convention on the Taking of Evidence Abroad (1970).

  • Procedure: Discovery is pursued through a letter of request, executed under Israeli court supervision.
  • Restrictions: Disclosure is limited to specific, relevant documents; broad discovery and pre-trial depositions are generally prohibited.

Sanctions Compliance (the 2026 Shift)

Traditionally, Israeli private entities were not required to comply with non-UN foreign sanctions in the absence of a legal nexus.

A Bank of Israel Directive (January 2026) now requires banks to limit the accounts of people sanctioned by allied jurisdictions to support financial stability and correspondent banking.

Interaction with Privacy Law (Amendment No 13)

The PPL functions as a practical constraint on foreign disclosure.

  • Legal obligation exception: Disclosure is permitted only where required under Israeli law; foreign subpoenas alone are insufficient.
  • Purpose limitation: Data collected for service provision cannot be repurposed for foreign litigation without informed consent.
  • Judicial balancing: The courts apply a proportionality test, weighing privacy rights against foreign judicial interests.

The most significant recent change in Israel impacting the Data Transfer Regulations is Amendment No 13 to the PPL. The amendment gives the PPA greater enforcement powers, including the right to issue fines when organisations do not comply with orders to stop processing data in violation of Data Transfer Regulations. For example, ignoring a PPA order to halt unlawful data transfers can lead to significant penalties.

Since 1 January 2025, individuals have been able to request deletion of their personal data transferred from the EEA to Israel by third parties. This right also covers any other personal data in Israeli databases that contains EEA-originating data.

Or-Hof Law

144 Begin Road
Midtown Tower, FL 21
Tel Aviv 6492102
Israel

+972 3562 0992

+972 3547 6515

office@or-hof.com www.or-hof.com