
Israel's Amendment 13 Achieves GDPR Alignment on Paper — Enforcement Calibration Will Decide Its Real Cost

The most sweeping overhaul of Israeli privacy law in four decades took effect August 2025. Whether its expanded penalties help or harm the startup economy depends on the PPA's next moves.

[Infographic: Israel Amendment 13: Enforcement at a Glance (People of Internet Research · Israel). Max admin fine: NIS 3.2M. Damages per person: NIS 100K. Limitation period: 7 years. Security audit cycle: 18 months.]

Key Takeaways

Israel spent four decades governing personal data under a law written before personal computers were common. That era formally ended on August 14, 2025, when Amendment 13 to the Protection of Privacy Law (5741-1981) entered into force — the most consequential overhaul of Israeli privacy regulation since the original statute passed the Knesset in 1981. The Privacy Protection Authority (PPA) issued its first fines within weeks of the amendment's effective date, including a NIS 70,000 penalty against HOT Telecommunications for misusing personal data in marketing, and has declared 2026 an active enforcement year. The question now is not whether the reform was necessary — it was — but whether the PPA can calibrate its new powers in ways that advance genuine privacy protection without imposing compliance costs that quietly tax Israel's innovation economy.

What Amendment 13 Actually Changes

The reform rewrites four structural pillars of Israeli privacy law.

Data Protection Officers. Organizations meeting one of four thresholds must now appoint an independent Privacy Protection Officer: public bodies, data brokers holding records on 10,000 or more individuals, organizations engaged in large-scale processing of sensitive data, and entities conducting systematic monitoring. A PPA grace period for enforcement expired on October 31, 2025. DPO quality and independence — not just nominal appointment — are explicitly flagged as a 2026 enforcement priority.

Information of Special Sensitivity. Amendment 13 introduces a heightened-protection category covering health and genetic data, biometric identifiers, sexual orientation, political views, ethnic and racial origin, criminal records, geolocation, and financial details. Processing these categories requires explicit, separate consent — a meaningful upgrade from the implied consent the 1981 law permitted in many contexts, and a structural alignment with GDPR Article 9's special categories.

Administrative fines. The PPA can now impose penalties without court proceedings — up to NIS 3.2 million (approximately $870,000) for data governance violations, with a cap of 5% of annual turnover in the most serious cases. Fines can also scale at NIS 100 per affected individual for large-scale breaches, a structure borrowed directly from GDPR's per-data-subject logic. Repeat offenders face doubled penalties within a two-year window, and continuing violations accrue 1% of the base fine per day.

Civil remedies. Individuals can now sue for statutory damages of up to NIS 100,000 — roughly $27,000 — without proving actual harm. The statute of limitations has been extended from two to seven years, significantly lengthening the tail of litigation exposure for past compliance decisions.

The Case for the Reform

Defenders of Amendment 13 have the stronger short-run argument, and they deserve a fair hearing. Israel's original 1981 law was a registry-centric, fine-light regime designed for mainframe-era databases. By 2024, it was governing AI pipelines, biometric border systems, and real-time advertising infrastructure its authors could not have imagined. Cyberattacks on Israeli critical infrastructure intensified during the Gaza conflict, exposing how little the old enforcement architecture could deter or remediate. The PPA's transition from a registry supervisor to a full enforcement agency — with administrative fines, cease-and-desist authority, criminal investigation powers, and database suspension orders — brings Israel up to the enforcement standard of any peer jurisdiction.

The EU adequacy argument is equally compelling. The European Commission renewed Israel's adequacy determination in January 2024, allowing Israeli companies to receive personal data from EU-based clients without executing Standard Contractual Clauses — a material competitive advantage for Israel's export-oriented tech sector. Amendment 13's ISS categories mirror GDPR Article 9, its DPO mandate echoes Article 37, and its mandatory 18-month cybersecurity audit cycle for large sensitive databases maps to GDPR Article 32 obligations. The reform was architecturally designed to protect that adequacy status.

Where the Reform Risks Overcorrection

The pro-reform case does not settle every question. Three provisions create disproportionate exposure that policymakers and courts should monitor carefully.

First, the seven-year statute of limitations creates a long tail of litigation risk against companies that made reasonable compliance decisions under the prior framework. A two-to-seven-year jump is an outlier: most EU member states have settled on three to five years for privacy claims, and the GDPR itself leaves this to national law precisely because a long tail chills first-mover compliance.

Second, statutory damages without proof of harm at NIS 100,000 per individual create class-action economics that can be weaponised against routine data practices. In the United States, analogous per-person statutory damages under Illinois's Biometric Information Privacy Act triggered billions of dollars in litigation against companies whose actual harm to individuals was negligible or non-existent. Israel's technology sector — dominated by startups and scale-ups running on thin margins — is structurally more vulnerable to this dynamic than US big tech.

Third, the PPA's AI governance posture is important but underdeveloped in the current guidance. Draft AI guidelines released in late 2025 assert that the Privacy Protection Law fully applies to AI systems and that most AI databases must meet medium-to-high security classifications. The principle is sound: AI systems that process personal data are subject to privacy law. But "most AI databases" is not a precise legal standard, and the ambiguity creates compliance costs for legitimate research without specifying what harm they prevent.

The 2026 Enforcement Crucible

The PPA has signalled five enforcement focus areas for 2026: DPO quality and independence; AI enforcement including unauthorised web scraping and biometric processing; cybersecurity audits on 18-month cycles; board-level accountability for data governance; and purpose limitation against "data creep" — where consumer data is repurposed for AI training without renewed consent.

The data-creep priority is the most consequential for the innovation economy. Israel's AI development sector routinely involves reusing behavioural data collected for one purpose to train models for another. Aggressive enforcement of purpose limitation — without safe harbours for research and development use cases — would impose costs on Israeli AI companies that competitors in less-regulated jurisdictions do not face. The PPA's guidance should draw a clear line between bad-faith data monetisation and legitimate model development.

The Proportionality Test

The measure of Amendment 13 will not be the amendment itself, which is broadly sound in its architecture. It will be the PPA's first-generation enforcement decisions. A regulator that applies its new powers proportionately — prioritising genuine harm, systemic risk, and bad-faith actors — will reinforce Israel's standing as a mature, high-trust digital market. One that reaches for maximum penalties against first-time compliers, treats ambiguous AI data practices as presumptively unlawful, or enables a cottage industry of statutory-damages litigation will impose a compliance tax that Israel's startup ecosystem cannot easily absorb.

Privacy law enforcement culture is hard to reverse once it sets. Israel has roughly a twelve-month window to establish norms that balance protection with proportionality. That window is open now.
