Israel Israel Privacy Protection Law amendment

Israel's Privacy Regulator Got Broader Fining Powers Before It Ever Audited a Government Data Center

A State Comptroller report finds Israel's Privacy Protection Authority skipped physical-security audits of government data repositories for five years.

A Regulator Untested on Its Own Turf People of Internet Research · Israel 5 years No government-wide oversight PPA ran no physical-security audit… 12 / 26 Bodies and server rooms audited Comptroller's own audit covered 12… ₪100,000s+ Per-violation fines under Amdt. 13 PPA can now levy administrative fi… peopleofinternet.com
A Regulator Untested on Its Own Turf People of Internet Research · Israel 5 years No government-wide … 12 / 26 Bodies and server rooms audited ₪100,000s+ Per-violation fines under Amdt… peopleofinternet.com

Key Takeaways

Israel's Privacy Protection Authority (PPA) spent the past year building a reputation as an aggressive regulator. Since Amendment 13 to the Protection of Privacy Law took effect on August 14, 2025, the Authority has gained the power to levy administrative fines reaching "hundreds of thousands of shekels and more" per violation, order processing halted, refer cases for criminal prosecution, and see courts award damages up to ₪10,000 without proof of harm. It is, on paper, one of the more muscular data protection regulators outside the EU.

On July 2, 2026, Israel's State Comptroller published a report that undercuts the premise that this expanded authority has been matched by expanded oversight. The report — National ICT Infrastructure: Physical, Environmental Aspects and Business Continuity, part of the Comptroller's broader special report on state risk management — audited 12 government bodies and 26 server and communications rooms between April 2024 and April 2025. Its finding on the PPA specifically: for five straight years preceding that audit, the Authority never conducted government-wide oversight of the physical security, environmental protection, or business-continuity posture of the databases it is supposed to regulate.

That's worth sitting with. The PPA can now fine a private company for a sloppy consent process. It never once checked whether the server room holding a government ministry's sensitive personal-data files has a fire-suppression system that works.

The Case for Taking This Seriously

The Comptroller's underlying concern is legitimate and shouldn't be waved away. Government-held databases in Israel — tax records, health files, population registries — are exactly the widescale sensitive databases Amendment 13 was written to protect, and they sit in physical facilities that face real threats: fire, flooding, power failure, and the kind of infrastructure strain that comes with wartime conditions. A cyberattack that steals data is a privacy breach; a burst pipe or an unbudgeted backup generator that takes a server room offline for days is a business-continuity failure with the same practical harm to the citizens whose services depend on that data. The report notes that existing international frameworks — ISO 27001, NIST 800-53 — already contain detailed controls for exactly this gap, and that Israel's own information security regulations (Regulation 6, on "physical and environmental security") only partially cover it, with no supplementary guidance ever published. A regulator that focuses entirely on the front end of data processing while ignoring the back-end infrastructure is regulating only half the risk.

The Authority's regulation and oversight "do not fully address physical protection, environmental protection, and business continuity of personal data repositories."

Why the Fix Isn't a Bigger Hammer

Where the steelman breaks down is in what should follow. The instinctive policy response to a finding like this is another amendment: expand the PPA's statutory mandate again, write bespoke physical-security rules into the privacy regulations, and hand the Authority yet more fining power to prove it takes infrastructure seriously. That would be a mistake, and not just because Amendment 13's ink is barely a year old.

The Comptroller's report doesn't describe a gap in legal authority — the PPA already had the mandate to conduct administrative oversight of physical security under its existing regulations; it simply didn't use it for five years. That is an execution and prioritization failure, not evidence that the statute book is thin. Piling a new physical-security regime on top of a regulator that hasn't executed its current one mainly produces more compliance paperwork for the bodies it inspects, not more resilient server rooms. Israel's tech sector, still the country's largest export earner, has more to fear from a PPA that responds to every audit finding by widening its own jurisdiction than from one that is told, plainly, to do the oversight job it already has.

The proportionate fix is narrower: direct the PPA's existing inspection powers at the highest-risk repositories first — large-scale sensitive databases in critical infrastructure and government ministries, the exact population the Comptroller flagged — rather than spreading a new compliance mandate across the whole economy. Incorporate ISO 27001 and NIST 800-53 by reference for the government bodies that already nominally need to meet them, rather than drafting an Israel-specific physical-security code from scratch. And treat the finding as a resourcing and management question for the Ministry of Justice, which houses the PPA, before treating it as a legislative one.

The Broader Pattern

This is not the first time an Israeli watchdog has flagged this asymmetry. The Comptroller's May 26, 2026 annual report on cyber and information systems separately found deficiencies in information security management across government bodies. The pattern across both reports is consistent: Israel has been faster to legislate strong enforcement powers than to fund and staff the oversight functions those powers depend on. Amendment 13 gave the PPA teeth. This report is a reminder that teeth are only useful if the regulator shows up to bite the right target — and on physical infrastructure, for five years, it didn't show up at all.

Sources & Citations

  1. State Comptroller — National ICT Infrastructure report (mevaker.gov.il)
  2. Knesset — Privacy Protection Law, 1981 (consolidated text incl. Amendment 13)
  3. law.co.il — Comptroller: Privacy Authority never conducted government-wide oversight
  4. Calcalist — Amendment 13's enforcement and criminal-liability overhaul
  5. IAPP — Israel marks a new era in privacy law: Amendment 13