On August 14, 2025, a new amendment law went into effect in Israel, revising the country’s privacy protections and bringing them into alignment with European Union standards. The Privacy Protection Law (Amendment No. 13), 5784-2024, (hereafter the amendment law) amends the Privacy Protection Law, 5741-1981, as amended.
Israel’s Privacy Protection Authority (PPA), the authority responsible for protecting all information stored in databases, explained the significance of the amendment law:
The comprehensive amendment to the Privacy Protection Law constitutes an important milestone in aligning Israeli law with the technological reality of today, and in addressing the challenges of the artificial intelligence era, by enhancing the protection of the right to privacy and the personal information of Israeli residents, and strengthening the enforcement tools of the Privacy Protection Authority regarding violations of the law and its regulations, and regarding non-compliance with legal requirements in the field of information security. It is essential for dealing with the growing cyber threats. Furthermore, the amendment to the law represents an important step in terms of Israel’s alignment with the European Union’s privacy protection laws and the recognition of Israel as a country with adequacy status, which was recently affirmed by the European Union in January 2024. (Guide, Amendment No. 13 to the Privacy Protection Law, PPA, Ministry of Justice (May 2025).)
Establishing the PPA’s Status and Roles in Legislation
The amendment law establishes by statute the PPA’s independent status and roles, which were previously determined by government decisions. (§§ 3, 1(b) and 2 of the 1st supp., here and below the Privacy Protection Law, 5741-1981, as amended by the amendment law.)
Limiting Database Registration Requirements
Under the amendment law, the types of databases that must register with the PPA are limited to the following:
- databases maintained by public bodies, except for databases that include only information about the employees of the public body, and
- databases that contain information on at least 10,000 individuals and have a primarily purpose of colleting personal information to transfer it to others for compensation or as an occupation, including databases used for direct mail services. (§ 8 A (a)(1).)
Requiring Notification for Large Databases Containing ‘Information of Special Sensitivity’
Amendment 13 defines “information of special sensitivity” (ISS) as personal information regarding, among other things, a person’s family life, sexual orientation, health and genetic information, origin, criminal record, political views, and a biometric identifier used or intended to be used to identify the person or to verify his or her identity via computer. (§ 2.)
A person who controls a database that contains ISS about more than 100,000 individuals but that is not required to be registered must notify the PPA of their identity, address, methods of communication, the identity of the data protection officer (DPO) if such an appointment is required, and relevant changes as required under the law. (§ 8 A (b).)
Appointing a Data Protection Officer
The amendment law regulates the required qualifications and the roles played by DPOs. (§ 17 B2-B3.) Under the amendment law, the following entities must appoint a DPO:
- public entities or entities that hold databases of public entities,
- database controllers whose main objective is to collect personal information for the purpose of transferring it to others as a business or for compensation, including direct mailing services, and whose databases hold information on more than 10,000 individuals,
- controlling owners or holders of databases whose main activities include or involve data processing operations which, by their nature, scope, or purpose, require ongoing and systematic monitoring of individuals, including systematic tracking or tracing of a person’s behavior, location, or actions on a significant scale, or whose primary occupation involves such activities, including but not limited to mobile telecommunications companies and online search engines, and
- controllers or holders of databases whose main occupation includes processing ISS on a significant scale; the law explicitly states that banks, insurance companies, hospitals, and health funds are required to appoint a DPO. (§ 17 B1.)
Awarding Damages without Proof of Harm
Amendment 13 authorizes the courts to impose “exemplary damages” for violations of the provisions of the Privacy Protection Law of up to NIS10,000 (about US$3,000), on several grounds enumerated in the law. (§ 15 A.)
Extension of Limitation Period for Civil Privacy Claims
Under the amendment law, a significant change has been introduced regarding civil claims for privacy violations. Previously, individuals were required to file such claims under the Privacy Protection Act within two years of the alleged violation. The amendment extends this limitation period to align with the general limitation period of seven years (or longer) applicable to other civil claims, in accordance with the general limitation laws. This new provision applies only to causes of action that arose after August 14, 2025, the date the amendment came into force. (§ 34.)
By Ruth Levush
November 17, 2025
Read more Global Legal Monitor articles.
Read Law Library reports on Israel.