From Registry to Regulator
Israel's Privacy Protection Law has been on the books since 1981, with its data governance chapter added in 1996 — before streaming video, cloud storage, or mass smartphone adoption. For most of that history, the Privacy Protection Authority (PPA) operated as a registry: organizations filed database registration forms, and the agency had limited tools to act when things went wrong. Amendment 13, approved by the Knesset on August 5, 2024 and in force since August 14, 2025, ends that model.
This is the most comprehensive reform of Israeli privacy law since 1996. It does three things at once: updates the law's definitional architecture to reflect how personal data actually moves in 2025; creates organizational accountability through mandatory Data Protection Officers (DPOs); and converts the PPA from a paperwork processor into an enforcement authority with genuine coercive powers. For a country whose technology sector processes significant volumes of European, American, and regional personal data, the timing and ambition of the reform are commercially significant.
What the Law Now Requires
The definitional overhaul addresses longstanding gaps. "Personal data" now explicitly covers IP addresses, online identifiers, and geolocation data — categories the 1981 text never contemplated but which underpin virtually every digital product today. The law's older "sensitive information" category has been replaced with "highly sensitive information," encompassing genetic and biometric data, criminal records, political opinions, health records, and location and traffic data. This maps closely to GDPR Article 9 categories, a deliberate alignment that supports Israel's EU adequacy standing.
The DPO mandate applies to four categories of organization: public bodies (with security agencies excluded), data brokers collecting personal information on 10,000 or more individuals commercially, entities conducting large-scale systematic monitoring, and organizations processing highly sensitive data at scale — banks, insurers, hospitals, and equivalents. DPOs must be genuinely independent, cannot hold decision-making authority over data processing, and must have direct access to senior management. Organizations that fail to appoint a qualifying DPO face fines calculated per individual in the database, with a statutory minimum of ILS 20,000.
One feature of Amendment 13 that has received insufficient attention is the administrative burden it removes. The prior requirement to register most databases has been dramatically narrowed — now mandatory only for databases whose primary purpose is commercial distribution of personal data on more than 100,000 individuals, plus public agency databases. Most businesses have been freed from an anachronistic filing obligation, which has been replaced with substantive accountability requirements.
Enforcement Gets Real
The PPA's new enforcement powers are where Amendment 13 departs most sharply from its predecessor. The authority can issue binding cease-and-desist orders, impose administrative fines of up to ILS 320,000 per cybersecurity violation, and — for large-scale database governance failures — impose uncapped fines multiplied by the number of individuals affected. Courts may now award statutory damages of up to ILS 100,000 per claimant without requiring proof of actual harm, a provision that substantially raises class action exposure. The statute of limitations for civil privacy claims has been extended from two to seven years, raising the tail risk for historic non-compliance significantly.
These were not theoretical powers even before the amendment took effect in August 2025. In March 2025, the PPA sanctioned Israeli branches of EY and PwC for collecting visitor identity card scans without adequate notice or consent — and explicitly stated that sanctions under the incoming regime would be substantially higher. The message was deliberate: the grace period would not be permanent. As of mid-2026, the PPA has identified inadequate DPO appointments and deficient data security postures as its primary enforcement focus.
The Security Carve-Out Problem
The amendment's most significant structural weakness is the one most discussed: the IDF, Israel Police, Shin Bet (ISA), and Mossad are explicitly excluded from PPA supervisory and investigative authority. Internal privacy officers will be appointed within these bodies, but with no external oversight mechanism and no power for the PPA to compel information or impose sanctions.
The case for this design choice deserves a fair hearing. National security agencies worldwide operate under distinct oversight regimes — the UK's ICO does not supervise GCHQ, and the U.S. FTC has no jurisdiction over NSA. Operational security legitimately constrains what civilian regulators can review, and Israel's threat environment adds a further dimension to that argument. These are reasonable grounds for a carve-out.
In Israel's specific context, however, the scope of the exemption raises harder questions. Civil society organizations including EDRi and Access Now have formally challenged Israel's EU adequacy status on grounds that include the security exemption: Israeli technology firms have built AI-driven surveillance and targeting systems that draw on large datasets, the line between commercial data processing and security-sector data use is not always clean, and the entities whose data practices most directly implicate cross-border privacy concerns are precisely those outside the PPA's reach. The European Commission, in its January 2024 adequacy review (COM(2024) 7 final), reaffirmed Israel's status while recommending that sub-legislative protections be codified in statute — but did not resolve the security exemption question. These are substantive challenges that Amendment 13 does not answer.
EU Adequacy and the Innovation Dividend
For Israeli technology companies, adequacy is commercially significant. Personal data flows freely from the European Economic Area to Israel without Standard Contractual Clauses or Binding Corporate Rules — an operational advantage that competitors in non-adequate jurisdictions lack. Amendment 13's GDPR alignment on sensitive data categories, DPO structures, and cross-border transfer rules was designed in part to protect and extend that standing. The Commission's report noted that Israel specifically enacted Privacy Protection Regulations for EEA-originating data in 2023, addressing one of its earlier recommendations.
AI and the Road Ahead
In April 2025, the PPA published draft guidance confirming that the Privacy Protection Law applies to AI systems — including requirements for lawful processing bases in model training, data minimization, and transparency for automated decision-making that affects individuals. This draft positions Israel ahead of most non-EU jurisdictions on AI-specific privacy governance, though the guidance remained in draft form as of mid-2026.
The 2026 enforcement calendar is the real test of Amendment 13's ambitions. Organizations that treated August 14, 2025 as a planning milestone rather than a compliance deadline are now within the PPA's active enforcement sights. The law's civilian framework is modern, proportionate, and economically rational for Israel's globally integrated technology sector. Closing the security oversight gap — through a specialized independent oversight body or strengthened judicial review mechanisms — is the step that would make the reform complete.