A 44-year-old law finally grew up
For most of its life, Israel's Protection of Privacy Law, 5741-1981, was a paper tiger. The statute created a Registrar of Databases and criminalized egregious snooping, but its regulator, the Privacy Protection Authority (PPA), had few tools to punish the routine mishandling of data that defines a digital economy. That changed on 14 August 2025, when Amendment No. 13 entered into force: the most consequential rewrite of Israeli privacy law in over four decades.
The case for the overhaul is strong, and worth stating plainly. A 1981 framework cannot govern a 2026 data economy. Israel sits on a uniquely valuable trove of personal data — health records, biometric and security databases — and hosts one of the world's densest concentrations of AI and cybersecurity firms, yet its regulator could not impose meaningful penalties for misuse. Aligning more closely with the EU's GDPR also helps protect Israel's adequacy status, which lets Israeli firms move European data without friction. When the harm is real, citizens deserve a regulator that can act.
What Amendment 13 actually changed
The amendment did four things at once. It broadened the definition of sensitive data — the translated statute now lists roughly a dozen categories of "data of special sensitivity," from genetic information to intimate family life. It made data protection officers mandatory for public bodies, data brokers, and organizations engaged in large-scale or systematic processing. It tightened rules on data brokers while streamlining database-registration paperwork for ordinary businesses. And, most importantly, it rearmed the regulator.
Under Amendment 13 the PPA can now issue administrative orders, including cease-and-desist directives, impose monetary sanctions reaching into the millions of shekels, suspend data processing, and open criminal investigations. The translated text sets specific tariffs; for example, a sanction of up to ₪150,000 for registration violations, scaling up with database size. The PPA gave organizations a grace period until 31 October 2025 to appoint DPOs; that window has closed, and DPO compliance is now an enforcement priority for 2026.
The first fines tell us where this is heading
Enforcement is no longer hypothetical. In one of its first administrative penalties under the new regime, the PPA fined an employee of Israel's National Insurance Institute ₪75,000 for 15 unauthorized queries of sensitive records — including data on an ex-spouse and family members — between 2020 and 2021, in breach of Section 8(b) of the law.
This is exactly the kind of case the reform should target. An insider abusing privileged access to a state database to spy on family members is a concrete, identifiable harm to real people. No reasonable defender of innovation should object to penalizing it. If Amendment 13's teeth are reserved for misuse of this kind, the reform will have earned its mandate.
Proportionality, not severity, is the real test
The risk is not that Israel modernized its privacy law — it badly needed to. The risk lies in how broadly and how aggressively the new powers get used against firms acting in good faith. Three features deserve watching.
First, the breadth of "special sensitivity." A dozen elastic categories, interpreted expansively, can sweep ordinary analytics and product development into the highest-risk tier, where compliance costs and liability spike. Israel's comparative advantage is a dense ecosystem of small, fast-moving startups — precisely the firms least able to absorb GDPR-scale compliance overhead.
Second, discretionary fines. Penalties scaling into the millions, plus suspension of processing, are powerful deterrents — but discretion cuts both ways. Without published, predictable enforcement guidelines, founders face regulatory uncertainty that is itself a tax on building.
Third, the DPO mandate. For a data broker holding records on tens of thousands of people, a dedicated privacy officer is reasonable. For an eight-person seed-stage company, a blanket requirement is overhead that buys little additional protection.
What good calibration looks like
The PPA can have both robust privacy and a thriving tech sector — but only if it enforces with a scalpel, not a hammer.
- Prioritize harm. The National Insurance case is the template: pursue actual misuse and breaches that injure identifiable people, not paperwork lapses by firms that handle data responsibly.
- Publish clear guidance. Predictable written standards and safe harbors reduce uncertainty far more cheaply than after-the-fact fines.
- Scale obligations to risk. Tier DPO and registration duties by genuine processing risk, so the rules bind data brokers harder than they bind startups.
- Treat good-faith compliance as mitigation. Firms that invest in privacy programs should face lower exposure, rewarding investment rather than punishing it.
Israel built its reputation as the "Startup Nation" on light-touch rules and world-class talent. Amendment 13 was a necessary correction to a law that had fallen decades behind. Whether it strengthens or strains that ecosystem will be decided not in the statute's text but in how the PPA chooses to wield it. The first fine struck the right target. The next hundred will tell us whether Israel has built a privacy regulator that protects people — or one that simply makes building harder.