Israel Ushers in a New Era of Data Privacy: Comprehensive Reforms Under Amendment 13


Underscoring Israel’s commitment to modernizing its digital safeguards, the Knesset approved Amendment 13 to the Privacy Protection Law (PPL) on August 5, 2024. This sweeping overhaul, which takes effect on August 14, 2025, revamps the 1981 legislation to align more closely with global standards such as the EU’s General Data Protection Regulation (GDPR). The amendment addresses contemporary challenges in data handling, from expanded definitions of personal information to bolstered enforcement powers for the Privacy Protection Authority (PPA), and affects businesses both within and beyond Israel’s borders. Organizations processing data on Israeli residents, wherever they are located, should run proactive compliance reviews now to avoid substantial penalties.

Israel Privacy Protection Authority

Amendment 13: First Big Updates Since 1996

Amendment 13 represents the most substantial update to Israel’s privacy framework since the 1996 addition of data protection provisions, adapting the law to the realities of big data, AI-driven analytics, and cross-border data flows. Codified under the Protection of Privacy Law, 5741-1981, the reform introduces GDPR-inspired elements while retaining Israel’s distinctive regulatory features, such as its focus on database management and its sector-specific exemptions. At its core, the amendment broadens the law’s scope by redefining key terms to capture modern data practices.

The definition of “personal information” has been significantly widened to encompass any data relating to an identified or identifiable individual, including digital identifiers like IP addresses, cookies, or online behaviors—mirroring GDPR’s approach and closing gaps in prior coverage. Similarly, “highly sensitive information” replaces the outdated “sensitive information” category, now including special categories such as health data, political opinions, ethnic origin, biometric details, sexual orientation, and geolocation—requiring heightened protections and consent. This expansion ensures that emerging technologies, like facial recognition or targeted advertising, fall under stricter scrutiny.

A major shift is the scaling back of mandatory database registration, an archaic requirement that previously burdened many entities. Under the new rules, registration is limited to high-risk databases: those holding data on over 10,000 individuals for direct marketing purposes, databases processing highly sensitive information on more than 100,000 people, or those operated by data brokers collecting data for resale. For non-registering databases handling sensitive data on large scales, a simplified reporting obligation applies, requiring submission of details like the controller’s identity, contact info, and a database definition document within 30 days of meeting thresholds. Changes or cessations must also be reported promptly. Existing registrations not meeting new criteria can be canceled upon request, easing administrative loads.

The amendment mandates the appointment of a Privacy Protection Officer (PPO) for qualifying organizations, akin to the GDPR’s Data Protection Officer. This role applies to public entities (e.g., government agencies, universities, health organizations), data brokers handling data on over 10,000 individuals for commercial disclosure, banks, insurers, credit companies, and firms engaged in large-scale systematic monitoring or processing sensitive data on vast numbers. The PPO oversees compliance, promotes privacy initiatives, and reports to the PPA, expanding on the prior Data Security Officer requirement.

Consumer rights are strengthened, with enhanced access, correction, and—in limited cases—deletion provisions. Notification obligations when collecting data are broadened to include the controller’s details, rights explanations, and consequences of non-provision. The statute of limitations for civil claims extends from two to seven years, empowering individuals further.

International data transfers now explicitly require an adequate level of protection in the recipient country, supporting Israel’s existing adequacy status with the EU while imposing safeguards such as contractual clauses or binding corporate rules. Data security obligations continue to be governed by the existing Protection of Privacy (Data Security) Regulations, 2017, which emphasize encryption, access controls, periodic audits, and board-level oversight of data security risks.

Exemptions apply to security and defense agencies, where internal inspectors handle oversight, and certain political activities during elections receive tailored protections. Overall, this reform streamlines obligations while heightening accountability, potentially influencing future amendments on privacy by design or expanded rights.

To help businesses prepare, here’s a bullet-point overview of core reforms and action steps that our data privacy consultants put together:

  • Updated Definitions: Personal data now covers identifiable info, including digital traces; highly sensitive data includes biometrics, health, and politics—review data classifications for compliance.
  • Database Management: Registration limited to high-risk cases; report large sensitive databases—audit holdings and submit notifications by thresholds.
  • Officer Appointments: Mandate PPO for qualifying entities; expand Data Security Officer roles—assess if your organization qualifies and appoint/train staff.
  • Rights and Notices: Enhance access/correction processes; update privacy notices—implement response timelines and inform data subjects fully.
  • Transfers and Security: Ensure adequate protections abroad; bolster security measures—conduct risk assessments and align with Data Security Regulations.
  • Preparation Tips: Map data flows, revise policies, train teams, and consult experts to close gaps before the August 14, 2025 effective date.

Comparison Chart: Amendment 13 vs. GDPR, CCPA, and TDPSA

To contextualize Israel’s reforms, the following table we put together compares key aspects of Amendment 13 with the EU’s GDPR, California’s CCPA, and Texas’s TDPSA. This highlights alignments and divergences in global privacy standards.

Scope/Applicability
  • Israel Amendment 13: Applies to data controllers processing personal data of Israeli residents, with extraterritorial reach; focuses on databases and high-risk activities; exemptions for security agencies.
  • GDPR (EU): Broad application to any entity processing EU residents’ data; extraterritorial when targeting the EU; covers automated and manual processing.
  • CCPA (California): Applies to for-profit businesses meeting thresholds (e.g., $25M revenue, 100,000+ consumers); limited to California residents; exemptions for certain data types.
  • TDPSA (Texas): Applies to entities conducting business in Texas or targeting Texas residents, excluding small businesses unless they sell sensitive data; exemptions for nonprofits, finance, health.

Definitions of Personal Data
  • Israel Amendment 13: Expanded to include identifiable data such as IP addresses and cookies; “highly sensitive” covers health, biometrics, geolocation.
  • GDPR (EU): Broad: any information relating to an identifiable person, including pseudonymous data; special categories for sensitive data.
  • CCPA (California): Personal information is identifiable consumer data; excludes deidentified/aggregate data; probabilistic identifiers included.
  • TDPSA (Texas): Personal data linked to individuals; sensitive data includes health, biometrics, geolocation; exempts deidentified data.

Individual Rights
  • Israel Amendment 13: Access, correction, limited deletion; extended limitation period for civil claims; no full portability or automated-decision opt-out.
  • GDPR (EU): Comprehensive: access, rectification, erasure, portability, objection, automated decisions; response within one month.
  • CCPA (California): Access (last 12 months), deletion, opt-out of sale; no discrimination; response within 45 days.
  • TDPSA (Texas): Access, correction, deletion, portability, opt-out of sales/profiling; response within 45 days; no private right of action.

Controller Obligations
  • Israel Amendment 13: PPO appointment for qualifying entities; reduced database registration; notices at collection; data protection assessments implied rather than expressly mandated.
  • GDPR (EU): DPO for certain entities; accountability, privacy by design; DPIAs for high-risk processing; records of processing.
  • CCPA (California): Privacy notices; data minimization; risk assessments for high-risk processing; service provider contracts.
  • TDPSA (Texas): Privacy notices; data protection assessments for high-risk processing; consent for sensitive data; no DPO required.

Enforcement
  • Israel Amendment 13: Regulatory enforcement centralized in the PPA (audits, cease orders, administrative fines); civil privacy claims proceed separately in court, now with a seven-year limitation period; emphasis on administrative efficiency.
  • GDPR (EU): Supervisory authorities (DPAs); investigations, corrective measures; private actions allowed.
  • CCPA (California): Attorney General; cure period; private right of action for data breaches; CPPA oversight post-amendments.
  • TDPSA (Texas): Attorney General only; 30-day cure period; no private right of action; dedicated enforcement team.

Penalties
  • Israel Amendment 13: Fines up to NIS 3.2M (~$850K), scaled by turnover and number of affected individuals; daily accrual for ongoing violations.
  • GDPR (EU): Up to €20M or 4% of global turnover; lower tier for minor infractions.
  • CCPA (California): $2,500 per violation, $7,500 for intentional violations; no cap on the total.
  • TDPSA (Texas): Up to $7,500 per violation; injunctions and fees; no cap.

Data Transfers
  • Israel Amendment 13: Requires adequate protection in recipient countries; contracts or BCRs; aligns with EU adequacy.
  • GDPR (EU): Adequacy decisions, SCCs, BCRs; strict for non-adequate countries.
  • CCPA (California): No specific transfer rules; focuses on sales/sharing within the US context.
  • TDPSA (Texas): No explicit transfer rules; relies on general security obligations.

In-Depth Examination of Enforcement Under Amendment 13: PPA’s Enhanced Powers and Implications

The Privacy Protection Authority (PPA), Israel’s dedicated data regulator, gains substantially more power under Amendment 13, with expanded tools to enforce compliance and deter violations. Previously constrained, the PPA now holds broader supervisory, investigative, and punitive authorities, drawing on GDPR models but tailored to the Israeli context. These include conducting sector-wide audits, enlisting external experts, and issuing cease-and-desist orders for breaches. The trajectory parallels California, where Attorney General Rob Bonta and the California Privacy Protection Agency have pushed for more active enforcement, and Texas, where Attorney General Ken Paxton has driven high-profile enforcement actions.

Financial penalties have been increased dramatically and are calculated from the violation type, the number of affected data subjects, and the entity’s annual turnover, reaching NIS 3.2 million (about USD 850,000) in severe cases, with higher amounts for repeated offenses and daily accruals for ongoing non-compliance. Violations such as unregistered processing, denial of access rights, inadequate notices, or processing for unlawful purposes trigger these sanctions. The PPA can also publicize penalties, amplifying reputational risk.

Recent PPA actions preview this intensified stance: In March 2025, fines were imposed on EY and PwC Israel branches for scanning visitor IDs without proper consent notices, with warnings of steeper post-amendment penalties. A February 2025 draft opinion emphasized informed consent in imbalanced power dynamics or intrusive tech, signaling scrutiny on processing bases. Guidance on board responsibilities for data security underscores corporate governance integration. For security bodies, internal sanctions apply, maintaining PPA oversight elsewhere.

Enforcement of the amendment’s administrative regime rests solely with the PPA, with no private right of action for those provisions; civil claims for infringement of privacy remain available to individuals under the PPL, now with a seven-year limitation period. This centralization positions the PPA as a vigilant guardian, with proactive audits and swift interventions. Businesses face implications in marketing (e.g., consent for direct communications), AI (e.g., profiling risks), and transfers (e.g., adequacy checks).

Key enforcement elements:

  • Penalty Structure: Fines up to NIS 3.2M, scaled by turnover/affected individuals; daily for persistence—budget for compliance to mitigate.
  • PPA Tools: Audits, expert assistance, cease orders, public disclosures—prepare for inspections with robust documentation.
  • Exemptions/Special Cases: Security agencies self-regulate; election activities balanced—tailor policies accordingly.
  • Recent Actions: Fines on consultancies for ID scans; consent guidance; board oversight—monitor PPA updates for trends.
  • Business Implications: Heightened consent in AI/marketing; global alignment for transfers—integrate into operations for seamless adherence.

Amendment 13 positions Israel as a forward-thinking player in global data protection, a natural fit for a country already regarded as a leader in cybersecurity. Entities handling Israeli data should initiate audits, appoint officers where required, and update their practices now to thrive in this reformed environment without drawing the PPA’s enforcement attention.


Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.