On April 18, 2026, Israel's Ministry of Justice published the Privacy Protection (Administrative Warning) Regulations, 5786-2026, spelling out when the head of the Privacy Protection Authority (PPA) may issue a formal warning instead of a financial penalty. The regulations slot into the enforcement regime created by Amendment 13 to the Protection of Privacy Law, 5741-1981, which the Knesset passed on August 8, 2024 and which took effect on August 14, 2025. They are a small instrument with an outsized signal: Israel's privacy regulator is being told, in writing, that the fine is not always the answer.
What Amendment 13 actually did
Amendment 13 converted the PPA from what practitioners describe as a registry-based supervisor into a full enforcement agency. The Authority can now impose administrative fines reaching into the millions of shekels for serious database and governance failures, issue binding orders to suspend data processing, seek court approval to delete unlawful databases, and conduct criminal investigations. For data-security breaches the statute sets graduated caps—up to ILS 320,000 per cybersecurity violation, with reporting and security-incident failures running from roughly ILS 80,000 to ILS 320,000 depending on the database's security tier.
The regulator wasted little time. In August 2025, days into the new regime, the PPA issued its first administrative penalty—NIS 75,000 against a National Insurance Institute employee who, during a family dispute, ran 20 queries between 2020 and 2021, fifteen of them pulling sensitive information about a complainant and her relatives with no professional justification. The case violated Section 8(b) of the law, the purpose-limitation rule. It was, frankly, exactly the kind of insider abuse a privacy authority should punish.
The strongest case for hard enforcement
It is worth stating plainly why a tough regime is defensible. For decades Israel's privacy law was widely seen as under-enforced: a registration formality with little behind it. Real harms—insider snooping, leaky databases, brokers trading sensitive data—went largely unaddressed because the regulator lacked teeth. Amendment 13 gives the PPA the deterrent power that comparable regulators in the EU have wielded under the GDPR since 2018, and the European Commission's long-running effort to keep Israel on its 'adequacy' list rewards exactly this kind of credible enforcement. A regulator that can only register databases cannot protect anyone.
Why the warning off-ramp matters
But deterrence without proportionality is its own failure mode. A regime that meets every infraction—however minor, inadvertent, or quickly cured—with a payment demand pushes compliance spending toward defensive paperwork and away from actual security, and it falls hardest on the startups and small firms that are the backbone of Israel's tech economy. The Administrative Warning Regulations address precisely this gap. They give the PPA's director a codified, lighter-touch tool: a reasoned written warning that documents the violation and the penalty avoided, reserved for circumstances where a fine would be disproportionate.
This is the right instinct. Practitioner guides had already noted that the PPA could, in principle, reach for 'lesser administrative means' such as a warning or a letter of commitment. Codifying the criteria turns regulator goodwill into something firms can rely on. A company that self-reports, cooperates, and remediates a first, low-harm lapse now has a visible path to resolution short of a fine—an incentive structure that rewards transparency rather than concealment.
The risk: discretion is not the same as predictability
The regulations are a genuine improvement, but they are not self-executing, and two cautions follow. First, a warning power is only as good as the published reasoning behind each decision. If the PPA issues warnings and fines without explaining why similar conduct landed differently, the off-ramp becomes a source of arbitrariness—and a lever for the very largest firms, which can best argue their way into leniency. Israel's regulator should publish anonymised decision summaries so the criteria develop into something resembling case law.
Second, the warning sits inside a far broader enforcement architecture whose edges remain untested. Amendment 13's criminal-investigation and database-deletion powers are serious instruments, and the State Comptroller has already scrutinised database governance in government bodies such as the Ministry of Defense. A warning regime cannot substitute for clear, narrow definitions of what actually counts as a punishable violation. Proportionality at the penalty stage is welcome; proportionality should also govern what triggers enforcement in the first place.
A model worth watching
For a publication that favours proportionate, evidence-based regulation, the Administrative Warning Regulations are close to a model move. They preserve the deterrent that genuine privacy harms require while building in the graduated response that good enforcement demands. The test now is execution: whether the PPA uses the warning as a transparent, principled first step—or as an unexplained discretionary favour. If Israel publishes its reasoning and applies the rules evenhandedly, it will have shown that a regulator can be both feared and fair. That is a harder balance than either pole, and it is the one worth getting right.