Regulatory Influencer: Israel Modernises Privacy Law With Comprehensive Reform

September 18, 2025
On August 14, 2025, the Privacy Protection Law (Amendment No. 13), 5774-2024 entered into force in Israel. The Knesset, Israel’s legislative body, approved the reform on August 5, 2024, marking the most significant overhaul of the country’s privacy regime since the original Privacy Protection Law of 1981.

Amendment No. 13 strengthens Israel’s privacy framework in line with technological developments and the EU’s General Data Protection Regulation (GDPR), which has become the global benchmark for modern data protection laws. It bolsters individuals’ rights, enhances compliance obligations on organisations, and provides the Privacy Protection Authority (PPA) with powerful new enforcement tools. 

How does this change things?

The reform replaces outdated structures with a modern compliance regime. Businesses face new governance, reporting and accountability requirements, coupled with significant legal exposure for violations.

Key changes include:

  • The Privacy Protection Authority (PPA) is formally established in law as an independent regulator within the Ministry of Justice. It is entrusted with supervisory and investigative powers, as well as responsibilities for enforcement, public awareness and international cooperation.
  • The definition of “personal data” has been broadened to cover any information relating to an identified or identifiable individual, including biometric, genetic, location and online identifiers. The former category of “sensitive data” has been replaced with “data of special sensitivity”, which now includes health, biometric and genetic data, sexual orientation, criminal history, political opinions, financial information and other categories prescribed by law.
  • Database registration requirements for private entities are largely reduced. Instead, only public-sector databases and large or sensitive private databases remain subject to registration, while controllers of databases with more than 100,000 records containing sensitive data must notify the PPA within 30 days.
  • A mandatory data protection officer (DPO) must be appointed in all public bodies and in private organisations engaged in large-scale monitoring, processing of sensitive data or data brokering. The DPO must serve as the privacy lead, oversee compliance and training, and act as liaison with the PPA.
  • New restrictions prohibit processing that exceeds a database’s lawful purpose, processing without authorisation, or processing data from unlawfully obtained databases. Controllers who unknowingly receive unlawfully collected data are exempt from liability until they become aware of the illegality.
  • Transparency obligations have been expanded: individuals must now be clearly informed not only of the purpose and recipients of their data, but also of any legal duty to provide it, the consequences of refusal, and their rights of access and correction.
  • Courts may now award damages of up to NIS10,000 (€2,540) without proof of harm for certain breaches, including failure to register, provide notice, or honour access and correction rights. The former two-year limitation period for privacy claims has been abolished, aligning with the general civil limitation of seven years or more.
  • The PPA has been granted enhanced enforcement powers, including administrative inspections and the ability to impose fines of up to 5 percent of annual turnover. Fines vary by severity, database size and sensitivity, and cover violations such as unlawful processing, failures in notice or security, and non-appointment of a DPO.
  • Courts may issue judicial orders requiring cessation of processing or deletion of entire databases, provided the harm from continued processing outweighs the harm from the order itself.
  • New criminal offences include unauthorised processing, intentional misrepresentation in privacy notices and unlawful disclosure of data by public bodies. Penalties range up to three years’ imprisonment, with additional offences covering obstruction and provision of false information to the PPA.
  • A dedicated oversight regime applies to Israel’s security and defence bodies. These organisations must appoint internal privacy supervisors, subject to PPA professional oversight, with defined mandates and minimum three-year terms.

 

The bigger picture

Israel’s reform reflects a global trend toward GDPR-style accountability and enforcement, bringing its privacy regime in line with the highest international benchmarks. Around the world, non-EU countries are also adopting GDPR-inspired frameworks. For example, Bosnia and Herzegovina has recently aligned its data protection law with EU standards. Likewise, on December 19, 2024, Albania approved a new Law “On the Protection of Personal Data” (No. 124/2024), fully aligning its legislation with the EU GDPR and fulfilling one of the requirements for EU accession. Israel’s amendment thus forms part of a broader international movement toward harmonised rules that facilitate trust, trade and regulatory cooperation.

Moreover, on January 15, 2024, the European Commission reaffirmed Israel’s adequacy status, following a multi-year review of its privacy regime. This recognition allows personal data to move freely from the EU to Israel without additional transfer mechanisms, cutting compliance costs and legal risks for Israeli companies, hospitals, research institutions and public authorities. The decision strengthens Israel’s competitive position in digital trade and reinforces its role as a trusted partner for European businesses and researchers.

The reform also arrives at a time when cybersecurity has become inseparable from national resilience. The October 7, 2023 attacks and the subsequent Iron Swords war highlight how military conflict now extends into cyberspace, with a surge in hostile operations targeting Israel’s infrastructure, government systems and public trust. The updated National Cyber Security Strategy, published in February 2025, calls for a whole-of-economy response, integrating government, security agencies, the private sector and international partners. In this environment, Amendment No. 13’s strengthened privacy and data security obligations are not only compliance measures but also part of a national defence architecture, with the PPA playing a central role in enforcing this security-first approach.

 

Why should you care?

To prepare for the new requirements, financial services entities should take immediate steps to align with enforceable standards and reduce compliance risk. The following actions will help firms build readiness and avoid regulatory or reputational consequences:

  • Map and register databases:
    • Identify all databases in use and determine whether notification to the PPA is required.
  • Review data processing operations:
    • Assess compliance with authorisation requirements, purpose limitation and sensitive data handling rules.
  • Update privacy notices:
    • Revise customer and client-facing notices to meet the expanded transparency obligations.
  • Enhance security measures:
    • Implement technical and organisational safeguards to prevent breaches and avoid administrative sanctions.
  • Prepare for regulatory oversight:
    • Establish internal processes for responding to PPA inspections and potential judicial intervention.
  • Train staff and embed privacy in governance:
    • Provide role-based training and integrate privacy considerations into risk and compliance frameworks.
  • Appoint a DPO if required:
    • Designate a DPO with clear authority and responsibilities.
    • Note: enforcement of this obligation begins from October 31, 2025, per the PPA’s August 13, 2025 announcement.

Compliance under Amendment No. 13 is not limited to avoiding sanctions; it is also a competitive differentiator. Companies that implement the new requirements effectively can demonstrate GDPR-level readiness, positioning themselves as reliable partners for EU and global clients. This is particularly valuable in data-intensive sectors such as fintech, digital banking, outsourcing and SaaS, where regulatory credibility strongly influences customer confidence and business growth.
