Israel Israel Privacy Protection Law amendment

Israel's Regulator Just Pulled Every Foreign Cloud Vendor Into Its Privacy Law

A final April 2026 opinion sets an objective test for data exports and asserts that overseas processors serving Israeli customers are directly bound by Israeli law.

People of Internet Research Team · 2026-06-04
Israel's Cross-Border Data Rules After the April 202… People of Internet Research · Israel Apr 2026 Final opinion published PPA finalized its Regulation 2(4) … Aug 2025 Amendment 13 in force The enabling overhaul of the Priva… ISO 27001 Accepted security baseline Foreign recipients may satisfy sec… 2001 Regulations being interpreted Regulation 2(4) dates to the 5761-… peopleofinternet.com

Key Takeaways

On April 13, 2026, Israel's Privacy Protection Authority (PPA) published a final opinion — a gilui daat — interpreting Regulation 2(4) of the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001. The document finalizes a draft the regulator first circulated in July 2024, and it lands at a consequential moment: it is the first major interpretive guidance to follow Amendment 13 to the Protection of Privacy Law, 5741-1981, which took effect on August 14, 2025. Together, the two move Israel decisively toward a GDPR-style export regime — and, in the process, reach across borders to bind companies that have never set foot in the country.

What the opinion actually requires

Israeli law generally bars transferring personal data abroad unless the destination country offers protection no weaker than Israel's. Regulation 2(4) is the workaround most companies actually use: it permits a transfer when the foreign recipient is contractually bound to honor the conditions that would apply to a database in Israel, "with the necessary modifications." For years that phrase did the heavy lifting, and nobody knew quite how much weight it could bear.

The PPA has now answered. A compliant transfer agreement must obligate the overseas recipient to undertake duties "identical, or at least materially similar in substance" to those in the Privacy Protection Law: purpose limitation (no using the data for anything beyond its original purpose), a data subject's right to inspect their information, the right to demand correction or deletion, and a duty of confidentiality. On security, the regulator offers two paths — the recipient either commits to the substantive obligations of the Privacy Protection (Data Security) Regulations, 5777-2017, or declares that it holds ISO/IEC 27001 certification, complies with the relevant Annex A controls, and follows the PPA's Guideline No. 3/2018.

The sharpest move is the reading of "necessary modifications." The PPA says the test is objective, not subjective. A recipient cannot point to its own organizational or commercial inconvenience and call that a necessary modification; only genuine, structural differences between legal systems — for instance, that a foreign jurisdiction has no database-registration regime to mirror — qualify. That closes a loophole through which a great deal of non-compliance could otherwise have flowed.

The extraterritorial claim

The more striking assertion is jurisdictional. The PPA states that a foreign data holder can be directly subject to Israel's Privacy Protection Law even with no physical presence in Israel. The regulator's own example is blunt: an American company offering cloud storage to Israeli businesses falls under the Law. Where data moves between an Israeli database owner and an overseas holder, the holder must meet the Law's material obligations in its own right — not merely as a contractual counterparty, but as a regulated entity.

The case for it

The strongest argument for the PPA's approach is that contractual promises are worthless if the law behind them evaporates the moment data crosses a border. A purpose-limitation clause means little if an Israeli regulator and an Israeli data subject have no leverage over the company actually holding the file. Anchoring the obligations in objective legal standards — and in a recognized security baseline like ISO 27001 — gives both businesses and individuals something concrete to rely on, and it pushes Israel closer to the EU's adequacy expectations, which matters enormously for an export-driven tech economy that depends on frictionless data flows with Europe. Predictability is itself a feature. An objective test is harder to game than a vague one, and clarity tends to lower compliance costs over time.

Where proportionality frays

But the extraterritorial reach risks proving too much. Read literally, the opinion converts essentially every global SaaS, cloud, and analytics provider with a single Israeli customer into a directly regulated Israeli data holder — subject to the Law's full apparatus, including the enhanced enforcement Amendment 13 introduced. The PPA can now levy administrative monetary sanctions reaching into the millions of shekels, with existing penalties such as the 300,000 NIS exposure for unregistered large databases set to climb. A hyperscaler can absorb that; the mid-market vendors and startups that make up most of the supply chain cannot easily audit which of their thousands of downstream users happen to be Israeli.

The likely real-world effect is not better protection but quieter exclusion. Faced with direct liability under a law they cannot fully map, some foreign providers will simply decline Israeli business or bury the risk in pricing — the same chilling pattern that followed aggressive readings of GDPR's Article 3. That outcome harms the Israeli companies the Law is meant to serve, narrowing their tool choices and raising their costs.

The better path is proportionate, and the opinion already contains its seed. The ISO 27001 safe harbor is exactly the kind of objective, internationally portable standard that lets a foreign vendor demonstrate compliance without reverse-engineering Israeli administrative law. The PPA should lean into that route, publish model contractual clauses, and signal that enforcement will target controllers who exfiltrate data to genuinely lawless jurisdictions — not boilerplate processors who already hold recognized certifications. An objective test deserves an objective, scalable compliance ladder.

Bottom line

Israel has chosen interoperability with the GDPR world over isolation, and the discipline of an objective standard over the mush of "necessary modifications." Both are defensible, even welcome. The open question is enforcement temperament. If the PPA treats its extraterritorial claim as a basis for pragmatic, certification-anchored compliance, the regime strengthens trust without strangling the data flows Israel's economy runs on. If it treats every foreign cloud as a registrant-in-waiting, it will export friction instead of protection. Companies should not wait to find out: existing transfer agreements need review now, and ISO 27001 plus tight contractual undertakings is the clearest road through.

Sources & Citations

  1. Gornitzky — PPA Position Paper on Section 2(4) Cross-Border Transfers (Apr 2026)
  2. DLA Piper — Transfer of Personal Data in Israel (Transfer of Data Abroad Regulations 5761-2001)
  3. Gornitzky GNY — analysis of the April 13, 2026 PPA position
  4. Pearl Cohen — PPA clarifies cross-border transfer requirements
  5. IAPP — Israel's Amendment 13 ushers in sweeping reform