Israel Israel Privacy Protection Law amendment

Israel's Landmark Privacy Law Overhaul Exempts the Military — Exactly Where the Azure Surveillance Scandal Lives

Amendment 13 gave Israel's privacy regulator real teeth, but carved out the military units at the center of the Microsoft Azure surveillance controversy.

Israel's Privacy Overhaul vs. the Military Carve-Out People of Internet Research · Israel ~8,000 TB Data stored on Azure Unit 8200's intercepted Palestinia… Aug 14, 2025 Amendment 13 effective date Israel's biggest privacy law refor… 7 yrs, up from 2 Civil claim limitation period Amendment 13 extended the statute … 4 agencies Security bodies exempt from PPA IDF, Israel Police, Shin Bet and M… peopleofinternet.com

Key Takeaways

A letter, and a silence

On May 18, 2026, five civil society organizations — Access Now, Amnesty International, the Electronic Frontier Foundation (EFF), Palestinian digital rights group 7amleh, and Fight for the Future — sent Microsoft a joint letter with a simple ask: publish the findings of the internal review the company promised into how its Azure cloud and AI services were used by the Israeli military. Microsoft, the letter says, "completed" that review but "has neither released its findings as publicly promised" nor clarified which services remain suspended or what safeguards, if any, now apply (Access Now). EFF frames Microsoft's partial disclosure as a floor other cloud providers haven't even reached, pointedly asking why Google and Amazon — both of which hold their own Israeli Ministry of Defense contracts — haven't matched even that much (EFF).

The underlying facts are no longer seriously disputed. A joint investigation by The Guardian, +972 Magazine and Local Call, published August 7, 2025, reported that Unit 8200 — Israel's signals-intelligence corps — had used Azure infrastructure in the Netherlands and Ireland to store roughly 8,000 terabytes of intercepted Palestinian phone calls, under an internal mantra of "a million calls an hour," with sources describing the data as feeding targeting decisions in Gaza. Microsoft's own review, launched within days, examined contracts, billing records and internal correspondence rather than the classified system itself, but found enough to confirm Israeli Ministry of Defense Azure storage consumption in the Netherlands and AI-service use consistent with the reporting. On September 25, 2025, Microsoft President Brad Smith announced the company had suspended and revoked cloud storage and AI-service access for the Ministry of Defense and Unit 8200, stating Microsoft does not provide "technology to facilitate mass surveillance of civilians" (Calcalist/CTech).

The regulator built for exactly this — with an exemption for exactly this

What makes this moment more than a rerun of last year's scandal is that it lands eight months after Israel's most significant privacy law reform in four decades took effect. Amendment 13 to the Protection of Privacy Law, 5741-1981 — passed by the Knesset on August 5, 2024 and in force since August 14, 2025 — brought Israel's regime substantially closer to the EU's GDPR: mandatory data protection officers, a new administrative-fine regime, cease-and-desist and database-suspension orders, criminal investigation powers, and a statute of limitations on civil privacy claims extended from two years to the general seven (WIPO Lex; IAPP). On paper, the Privacy Protection Authority (PPA) is now one of the more muscular data regulators outside the EU.

But Amendment 13 explicitly excludes Israel's security and defense bodies — the IDF, Israel Police, the Israel Security Agency (Shin Bet) and the Mossad — from the PPA's supervisory and investigative powers, substituting internal privacy inspectors appointed within those bodies themselves (Pearl Cohen). That is precisely the category of institution at the center of the Azure story. The regulator Israel just spent a decade rebuilding to police exactly this kind of large-scale, AI-assisted data processing has no jurisdiction over the one instance drawing global scrutiny.

Steelmanning the carve-out

This isn't a drafting oversight, and it isn't unique to Israel. Nearly every mature privacy regime — the EU's GDPR under Article 2(2) and the national-security carve-outs in Treaty on European Union Article 4(2), the US framework separating FISA oversight from FTC consumer-privacy enforcement — draws a similar line. Subjecting classified intelligence and targeting operations to the same disclosure obligations, database registration and DPO-mediated transparency that apply to a retail loyalty program would be unworkable and, in a live conflict, dangerous: operational security has a real claim here, not a manufactured one. Legislators writing Amendment 13 were not trying to shield military surveillance from all accountability; they were recognizing that ordinary civil-regulator tools don't fit military intelligence, full stop.

Why the gap still matters

The problem is what happens when that legitimate carve-out meets a foreign commercial vendor. An internal privacy inspector embedded in Unit 8200 has no visibility into, and no authority over, what Microsoft engineers built, what contractual terms governed the arrangement, or what Microsoft's own human-rights review actually found — because that inspector's mandate stops at the boundary of the security agency, not at the boundary of the data. When the tooling is homegrown, the security exemption is coherent: the agency's own inspector, cleared and internal, is the appropriate check. When the tooling is a publicly traded American cloud provider's commercial product, the exemption leaves nobody with both the access and the mandate to look — except the vendor itself, voluntarily, under public pressure.

That is the structural reason five NGOs are petitioning Redmond rather than Jerusalem: Israeli domestic law was never built to reach this, and wasn't retrofitted to when the opportunity came. Microsoft's September 2025 suspension and its partial disclosure since are real, voluntary steps — more than Google or Amazon have offered on their own Nimbus-adjacent contracts. But voluntary vendor disclosure is a poor substitute for structured oversight, precisely because it can be reversed, narrowed, or simply stop the moment public attention moves on.

The proportionate ask

The demand worth backing is the narrow one: publish the review's scope, methodology and findings, and specify what access restrictions remain in place. That is transparency, not divestment, and it doesn't require Microsoft — or Google or Amazon — to exit allied governments' legitimate cybersecurity and defense-modernization contracts, which remain a normal and valuable line of business. The broader ask in the letter, that Microsoft suspend all business with Israeli military and government bodies, goes further than the evidence currently supports and risks treating an accountability gap as grounds for blanket decoupling. Israel's regulators, for their part, would do well to consider a narrowly scoped oversight mechanism for foreign-vendor contracts held by exempted security bodies — not to reopen classified operations to a civil regulator, but to ensure someone with actual authority is watching the seam Amendment 13 left open.

Sources & Citations

  1. WIPO Lex — Israel Protection of Privacy Law, 5741-1981 (official text)
  2. Calcalist/CTech — Microsoft cuts off Unit 8200 from cloud services
  3. Access Now — Joint letter to Microsoft on Israeli military use of Azure
  4. EFF — Microsoft took a step toward human rights accountability
  5. Pearl Cohen — The Knesset enacts a comprehensive amendment to the Privacy Protection Law
  6. IAPP — Israel marks a new era in privacy law: Amendment 13