Law Library Stacks

Back to Online Privacy Law

*A 2017 updated version of this report is available

Online privacy protection in Israel is based on the constitutional right to privacy, on statutory law, and on court rulings. The country’s Privacy Protection Law requires a person’s informed consent as a precondition for the storage and use of information deriving from, among other means, online communication. The Law also provides a right to request the removal or blockage of information from a database upon the request of the person concerned. Israeli courts have extended the scope of information for which there is a right to privacy under the Law. Violators face criminal, civil, and administrative sanctions. The Israeli Law, Information and Technology Authority regulates different aspects of privacy protection regarding online data, including the registration of databases that collect personal information. The law imposes a requirement of transparency regarding the identity of owners and managers and the type of information they collect and store. Online privacy protection extends to geo data, and in the case of information collected by Google’s Street View cars such data is subject to the conditions enumerated in Street View’s database registration authorization.

I. Legal Framework

In Israel online privacy protection is based on the constitutional principle guaranteeing privacy as provided in Basic Law: Human Dignity and Liberty;[1] on statutory law, specifically the Privacy Protection Law, 5741-1981;[2]and on court rulings.

Basic Law: Human Dignity and Liberty, as amended, provides as follows:

7. Privacy

  • (a)  All persons have the right to privacy and to intimacy.
  • (b) There shall be no entry into the private premises of a person who has not consented thereto.
  • (c)  No search shall be conducted on the private premises of a person, nor in the body or personal effects.
  • (d)  There shall be no violation of the confidentiality of conversation, or of the writings or records of a person.[3]

The constitutional right to privacy is qualified by a “limitation clause” in section 8 of the Basic Law, which requires that any law that limits the rights set out in the Basic Law, including the protected right to privacy, must “[comport with the] values of the State of Israel, [be] enacted for a proper purpose, and [be enacted] to an extent no greater than is required.”[4]

Israel’s data protection legislation is governed mainly by the Privacy Protection Law, 5741-1981, as amended (PPL). The PPL was one of the first privacy laws of its kind in the world.[5] Although the PPL contains a special chapter that specifically regulates the protection of privacy in databases, Israeli jurisprudence has extended the general privacy protections provided in the PPL’s first chapter to online information as well.

Online privacy protection in Israel is not absolute. Based on the Criminal Procedure (Enforcement Authorities–Telecommunication Data) Law, 5768-2007,[6] the disclosure of otherwise protected online information may be ordered by a court in special cases involving criminal offenses or where it is needed to save or protect a life, investigate or prevent offenses, or contribute to the indictment of offenders or to lawful confiscation of property.

In discussing online privacy protection under Israeli law it is important to recognize that the Israeli legal system adheres to stare decisis. Supreme Court decisions on the scope and application of privacy protection with regard to online data bind all other courts and form an integral part of the applicable law.  A discussion of relevant decisions by Israel’s Supreme Court is provided in Section IV of this report.

Back to Top

II. Current Statutory and Regulatory Law

A.    Collection, Storage and Use of Personal Data by Online Media or Services

The collection, storage, and use of certain types of personal data by online media or services, including smartphones, are prohibited unless such activities are based on the informed consent of the data subject and under conditions enumerated by law.

Based on the PPL general part contained in Chapter A, the infringement of a person’s privacy without his informed consent is prohibited whether or not it results in the collection of personal information.[7] The following is a summary of actions listed in the PPL general part that may constitute an infringement of privacy:

  1. Spying or trailing a person in a manner likely to harass him,[8] or any other harassment
  2. Listening in, where prohibited under any law
  3. Photographing a person while he is in the private domain
  4. Publishing a person’s photograph under such circumstances that publication is likely to humiliate him or subject him to contempt
  5. Publishing a photograph of an injured person taken at the time of the injury or soon thereafter in a way that allows him to be identified and under circumstances that may cause embarrassment, except for a photograph taken instantly that does not deviate from what is reasonable under the circumstances[9]
  6. Publication of the photograph of a deceased person in a way that allows that person to be identified without the deceased’s prior permission, permission of relatives listed by law, or the passage of fifteen years since his death
  7. Copying or using, without permission from the addressee or writer, the contents of a letter or any other writing, including digitally transmitted information that is not intended for publication, unless the writing is of historical value or fifteen years have passed since the time of the writing
  8. Using a person’s name, title, picture, or voice for profit
  9. Infringing a duty of secrecy laid down by law or by express or implicit agreement with respect to a person’s private affairs
  10. Using or passing on information about a person’s private affairs for a purpose other than that for which it was given
  11. Publication of a matter relating to a person’s personal affairs, including his sexual history, his health status, or his behavior in the private domain[10]

Chapter B of the PPL specifically addresses protection of privacy in databases. It defines protected “information” as “data on the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person.”[11]

Israeli courts have extended the scope of privacy protection that is applicable to online databases by subjecting them to the application of the PPL general part contained in Chapter A, discussed above.[12] Additionally, in the absence of a definition of the term “private affairs” in either chapter, the types of data that enjoy privacy protection based on inclusion under this category have been continuously added by the Israeli courts and jurisprudence.

B.  The Requirement of Informed Consent and the Right to Object

The PPL requires the following details to accompany any request for information that is intended for “keeping and use thereof in a data base”:

  • (1) whether that person is under a legal duty to deliver that information or whether its delivery depends on his volition and consent;
  • (2) the purpose for which the information is requested;
  • (3) to whom the information is to be delivered and the purpose of such delivery.[13]

Additional provisions apply specifically to “direct mail.” This type of communication is defined by the PPL as any direct contact, including online communication, with a person that is based on his affiliation with a population group that was determined on the basis of one or more characteristics of persons whose names are included in a database.[14]

Any request for information from direct mail requires the placing of a clear and prominent notice containing the following details:

  1. Identification of the request as direct mail
  2. Notice of the right to be erased from a database that is being used for the collection of information by direct mail, and contact information gathered for that purpose
  3. The identity and the address of the database owner and the sources from which he retrieved the information[15]

Under the PPL any person may request to have information about him originating from direct mail and found in a database removed, or access to the information temporarily or permanently blocked with regard to a person or category of persons. The database owner must honor the request and inform the requester in writing of the owner’s action. In the event the database owner fails to so inform the requester within thirty days from the date of the request the requester may file his request in court.[16]

C.  The Scope of Personal Data That Enjoys Privacy Protection

An interpretation of the term “private affairs” for the purpose of privacy protection, as listed in the first part of the PPL, is included in the Attorney General’s Directives Regarding Transfer of Information from Telephone Companies to Bodies with Investigation Authority. This interpretation, as reflected in the Directives, is based on leading decisions of the Supreme Court. For the purpose of online privacy protection, the Directives provide that the term “private affairs” “should be interpreted in a dynamic way, according to what is acceptable at a specific time, place and society, in a way that will  reflect  the  reasonable  expectations  of  the public concerned.”[17]

The Directives further recognize that details such as a subscriber’s bank account and credit card number that are provided by a subscriber to a telecommunications company for the purpose of receipt of services qualify as a person’s “private affairs.” Furthermore, in the absence of the subscriber’s consent such details should not be used or transferred by the telecommunications   company   for   purposes   other   than   those  for which  they   were initially provided.[18]

 The Directives similarly recognize that the right to privacy extends to information on a person’s telecommunications record, including

telephone numbers from and to whom conversations were made, the time of the dialing or receipt of the conversation and its duration. These details, possessed by the telephone companies, are not delivered to them by the subscriber, but are collected through technology that enables the provision of service to the subscriber. These details are undoubtedly “a person’s private affairs,” and also constitute sensitive information as defined in section 7 of the Privacy Protection Law, because they may point to the persons with whom he is in touch, the frequency of the contact, the types of services that he consumes and many additional details that may be deduced from the data over time.[19]

The list provided by the Directives is not an exhaustive list. For additional types of online data regarding private affairs that enjoy privacy protection, see Section IV of this report, titled “Court Decisions.”

D.    Regulation of Data Activity

The PPL regulates the management, possession, and use of databases. A database is defined as a collection of data stored by magnetic or optical means and designated for digital processing, excluding a collection for personal use (not for business purposes), and a collection that includes only names, addresses, and communications data, the existence of which by itself does not affect the privacy of the persons whose names it includes, as long as the owner or a corporation under his control does not have an additional collection.[20]

According to the PPL, the management and possession of a database generally requires registration with the registrar of databases, who is appointed by the government. A database must be registered if it contains information that has not already been published or made available based on legal authority[21] and fulfills one of the following conditions:[22]

  1. Contains information regarding over 10,000 persons
  2. Contains sensitive information (defined as relating to a person’s character, intimate affairs, health or economic status, views and beliefs[23]
  3. Contains information regarding persons that was obtained without their consent
  4. Belongs to local governmental or other bodies fulfilling public duties by law or by a decree issued by the Minister of Justice under conditions enumerated by the law
  5. Is utilized for direct mail services based on a person’s affiliation with a population group designated in accordance with one or more characteristics of persons whose names are included in the database[24]

E.  Transparency of Data

The PPL authorizes the government to appoint a registrar of databases. The registrar must keep a register that includes information regarding the identity of the owners and possessors of databases and the purpose for which the databases were established.  The register must also include information regarding the types of information the database is intended to store; details regarding the transfer of data outside of Israel’s borders; and any routine retrieval of data from governmental, local, and other bodies fulfilling public duties by law.[25]

The register will be open for full public inspection. However, specific information regarding databases maintained by a defense agency, including the types of data included in such databases, its transfer outside of state borders, and its receipt on a permanent basis from public bodies without the consent of the data subject, is not available to the public.[26]

The PPL recognizes the right of every person to inspect any information about him kept in a database.[27] However, a database owner may refuse to provide information relating to a person’s medical or mental state to that person if he believes that it would endanger his physical or mental health. Instead, the information will be delivered to a physician or to a psychologist on the requester’s behalf.[28]

The legal right to view information regarding a person’s private affairs does not apply to databases managed by Israel’s Police, the Intelligence Branch of the General Staff and the Military Police of the Israel Defense Forces, the General Security Police, Israel Secret Intelligence Service (the Mossad),[29] and the Authority for Protection of Witnesses.[30] The legal right to view information regarding a person’s private affairs similarly does not apply to the database of Israel’s Prisons Authority or Tax Authority.[31]

Exceptions to the legal right to view information regarding a person’s private affairs further include situations where the State’s security, foreign relations, or legislative provisions require nondisclosure of information about a person; where the Minister of Justice, after consultation with the Ministers of Defense or Foreign Affairs, determines that the data should not be disclosed based on requirements of state security or foreign relations; and where the information concerns law enforcement, criminal investigations, or special data collected at the Ministry of Justice regarding money laundering.[32]

F.  Users Anonymity

The law regarding the preservation of anonymity of users is based on court rulings and is discussed under Section IV of this report, titled “Court Decisions.”

G.  Limits on Geo Data

On August 10, 2011, Israel’s data protection authority, the Israeli Law Information and Technology Authority (ILITA), authorized Google to operate its Street View cars in public areas in Israel and to include the photos collected by cars in Google Maps.[33] According to ILITA, considering the type of “data collected, the scope of the footage, the attribution of the exact geographical location of photos taken, and the advancements in facial and plate automatic identification technologies . . . the collection of photographs recorded by Google is a ‘database’” under the PPL.[34] The registration of the Google Street View database was authorized by the registrar of databases subject to conditions that were designed to safeguard the rights of the Israeli public, “especially in this case where Google is based outside of Israel’s jurisdiction.”[35] The authorization to register the Street View database is subject to the following terms:

  1. Civil Jurisdiction– Google Inc., the service provider based in the USA, will appoint Google Israel as an authorized recipient of court papers in Israel on its behalf . . . ; this appointment will allow Israeli citizens to file civil litigation against Google with regards to the services’ [sic] operated in Israel, despite the fact that the company is based outside Israel’s jurisdiction and that the database will be held outside of it as well.
  2. Administrative and Criminal Jurisdiction – Google has agreed to abstain from claims regarding ILITA’s administrative or criminal powers by the law regarding its operation of Google Street View in Israel, despite the fact it is based outside Israel’s jurisdiction.
  3. Requests for blurring – Google Street View’s website which provides photos taken in Israel, will offer the public an effective and efficient online mechanism to request that further images, license plates and homes will be blurred after the photo is made public, in cases where the automatic blurring applied to photos before making them public malfunctioned or was inadequate.
  4. Transparency – Google will provide the public online and in newspapers with information about the service, the right to request further blurring and general information about the planned photography route. Also, the Google Street View cars will be clearly marked in order to enable the public to recognize them easily.
  5. Privacy by Design – Google has agreed to operate the service while applying principles of Privacy by Design and to apply the strictest of standards regarding the collection and processing of photographs.[36]

H.  Protection of Minors

Israeli law does not currently contain any specific regulation of harmful content on the Internet. Instead, online activities are subject to laws that regulate telecommunications, advertisements, and computers in general. The following legal provisions may apply to protect minors from Internet-related offenses:

  • The Prevention of Sexual Harassment Law, 5758-1998, prohibits harassment through the use of a computer, computer software, or data, and subjects convicted offenders to three to five years’ imprisonment;[37]
  • The Penal Law subjects persons who publish, display, organize, or produce obscene materials to three years’ imprisonment; those who publish obscene advertisements depicting an image of a minor, including by Photoshop or by a drawing of a minor, to five years’ imprisonment; those who use the body of a minor for such purposes to seven years’ imprisonment, and those who committed any of the above while being parents or guardians of the minor to ten years’ imprisonment.[38] The Law defines “advertisement” as including dissemination by a computer.[39]

In December 2010 ILITA published a draft proposal for Ethical and Behavioral Rules for Database Owners who Collect Information on Minors.[40] Information regarding these rules is contained in Section VI, “Pending Reforms,” below.

I.  Rights and Remedies for Users

1.  Civil and Criminal Remedies

A violation of the right to privacy constitutes a civil wrong.[41] If committed intentionally and with malice, it may, under certain circumstances, also constitute a criminal offense punishable by five years’ imprisonment.[42] In addition to a criminal penalty, the court may impose a fine on the convicted person in an amount not exceeding 50,000 New Israeli Shekels (about US$13,049), or double this amount in cases where an intent to harm is proved. These fines may be imposed by the court even without proof that actual injury was incurred by the victim.[43]

The PPL lists possible defenses in both civil and criminal trials involving violations of privacy, including among others the defendant’s lack of knowledge or ability to know of the potential harm to a person’s privacy, perpetration of the violation in the regular course of the defendant’s job, and the justifiable need to disclose information for reasons of public interest.[44]

2.  Strict Liability Provisions

The PPL further establishes offenses that result in one year of imprisonment if the accused is convicted, without the need to prove negligence or criminal intent. Such offenses include the management or use of data from an unregistered database and the provision of misleading information in an attempt to obtain private information from a database.[45]

3.  Administrative Injunctions

In addition to any other remedy, the PPL authorizes the court to order any of the following in any civil or criminal trial for violation of the right to privacy:

  • Prohibition or confiscation of harmful materials
  • Payment of costs associated with publication of the verdict by the defendant
  • Delivery of the harmful materials to the injured party
  • Destruction of or prohibition on the use of information received unlawfully[46]

J. Cross-border Application

Although the PPL does not specifically address its cross-border application, in the absence of any contrary provision Israeli victims could presumably use the PPL to sue online services that operate internationally  over harm incurred in Israel. Similarly, under  Israeli criminal law offenses committed either fully or partially in Israel are subject to the jurisdiction of Israeli courts.[47] Offenses committed by online services operating internationally may, therefore, be subject to Israeli jurisdiction.

As discussed above, the registration authorization of the Google Street View database by Israel’s Registrar of Databases on August 10, 2011, expressly subjects its operations to civil, criminal, and administrative jurisdiction in Israeli.[48]

Back to Top

III. Role of Data Protection Agencies

The Israeli Law, Information and Technology Authority (ILITA), was established as Israel’s data protection authority by the Ministry of Justice of Israel in September 2006. The Ministry of Justice website describes ILITA’s mission as the reinforcement of personal data protection, the regulation of the use of electronic signatures, and the increase of the enforcement of privacy and IT-related offenses. “ILITA also acts as a central knowledge-base within the Government for  technology-related  legislation  and  large  governmental  IT  projects,  such as eGovernment.”[49]

According to the Ministry of Justice website, ILITA as a data protection regulator constitutes a merger of the following three preexisting regulatory functions:

  • The Database Registrar which according to Protection of Privacy Act, 5761-1981 is responsible for data protection regulation and enforcement.
  • The Credit Data Services Registrar which according to Credit Data Services Act, 5782-2002 is responsible for the licensing and oversight of credit data bureaus.
  • The Certification Authorities Registrar which according to Electronic Signature Act, 5781-2001 is responsible for the registration and supervision of electronic signature certification authorities.[50]

In accordance with the above laws, ILITA’s mandate and regulatory authority apply to both the private and public sectors, and include the following powers:

  • Inspections at [sic] data controllers and license holders, including powers of search and seizure
  • Complaint handling
  • Investigation of criminal offences
  • Imposition of administrative fines
  • Licensing of credit data services and certification authorities
  • Registration of databases that include personal information
  • Setting guidelines and standard codes of practice for data controllers and license holders
  • Raising public awareness to [sic] the right to the data protection among both data controllers and data subjects[51]

According to its website, ILITA also represents Israel in the international data protection arena and promotes international cooperation. Specifically, ILITA

  • acts as delegate of the Israeli government to the Committee on Information, Communications and Computer Policy and the Working Party on Information Security      and Privacy of the Organisation for Economic Co-operation and Development,
  • handles Israel’s application to the EU for recognition under Article 25(6) of Directive 95/46/EC[52] as offering an “adequate level of protection” for personal data, and
  • conducts a twinning data protection program funded by the EC in collaboration with the Agencia Española de Protección de Datos (AEPD, the Spanish Agency for Data Protection).[53]

Back to Top

IV. Court Decisions

The Supreme Court has contributed extensively to the development of Israel’s online privacy law. The following is a brief summary of landmark decisions on online data protection.

A.  Constitutional Protection of the Right to Privacy

As discussed earlier in this report, Basic Law: Human Dignity and Liberty, as amended,[54] expressly recognizes the right to privacy, subject to the conditions enumerated in its limitation clause. Accordingly, any law that limits the right to privacy must itself “[comport with the] values of the State of Israel, [be] enacted for a proper purpose, and [be enacted] to an extent no greater than is required” (hereafter the “triple test”).[55]

A decision rendered by the Supreme Court prior to the enactment of the Basic Law interpreted the legality of statutory and regulatory provisions authorizing a violation of privacy in a manner consistent to that set out in the Basic Law and its limitation clause.   The case concerned a petition submitted by the Association for Human Rights in Israel to prohibit the State from transferring data from the Ministry of Interior to private sector financial bodies. The respondents argued that the transfer to public bodies was authorized by the PPL and that the transfer of data to banks was “anchored in laws that require banks to identify their clients.”[56]

The Court recognized that the transfer of information to public bodies was authorized under the conditions enumerated by the PPL and regulations issued in accordance with this law. The Court held, however, that the legal basis for the transfer lacked specificity and had a disproportionate effect on personal privacy, and therefore failed the triple test of the limitation clause.[57] The court further held that appropriate legislation that would improve privacy protection safeguards had to be put in place before the transfer of data from the Ministry of Interior’s database to banks could resume.[58]

B.  The Scope of Application of the Right to Online Privacy

In a 1990 decision regarding a bank’s request for release of information regarding vehicle owners that was stored in the database of the Vehicle Registration Authority, the Supreme Court held that

the term “information” apparently refers only to data concerning an individual person (Section 7 of the [PPL]). Yet I do not believe it should be interpreted so narrowly as to exclude data such as those concerning automobile license plates discussed herein. The term “information” must be interpreted in line with the legislative intent of the [PPL]. It should include data that can be derived from a database which is not indexed according to individual names. In other words . . . if financial data concerning an individual can be derived from a database that is not indexed on a personal basis, it should be regarded as “information” under Section 7 of the [PPL].[59]

In a subsequent leading decision rendered in 1994 the Supreme Court added the following details to those included in the definition of “information” protected under Chapter 2 of the PPL: “any information relating to a person’s private life, including his name, address, telephone number, place of work, identity of his friends, and his relationship with his wife and a spouse and with other members of his family, etc.”[60]

A person’s telecommunication record has similarly been viewed as part of his “private affairs” that should be protected from disclosure.  In a leading 2007 decision the Supreme Court confirmed that penetration into the computer of a cellular phone company for the purpose of surveying a life partner’s telecommunications record constituted, among other things, a violation of his right to privacy because the information was related to his private affairs.[61]

C.  Anonymity of Internet Protocol (IP) Addresses

In a 2010 decision regarding slanderous messages in comments on a blog, the Supreme Court rejected a request to disclose the IP addresses of the slanderers. The Court held that “to a large extent anonymity makes the Internet what it is, and without it freedom in the virtual world will be lacking.”[62]

Back to Top

V. Public and Scholarly Opinion

In his analysis on the legal framework of data protection in Israel, Ian Bourne, the Head of Data Protection Projects, Information Commissioner’s Office, UK commented as follows:

Respect for personal privacy is a well established part of Israel’s culture. Its roots go back to the founding of the state. Israel has a population that is certainly not afraid to take action when it feels its privacy rights are being infringed. There is certainly no prospect of ILITA’s workload diminishing in the immediate future.[63]

Israeli scholars have repeatedly cautioned that technical developments, particularly the abilities to cross-reference information among various databases and compile profiles of certain groups in society, pose a threat to the constitutional right to privacy. At the end of the day, one scholar has proposed, a public debate on the right to privacy is an attempt to determine the quality of society’s public, political, and individual well-being.[64]

Back to Top

VI. Pending Reforms

A. Protection of Personal Information in the Workplace

A draft guide on protecting personal information in workplace environments was recently published by ILITA with a June 17, 2012, deadline for receipt of public comments.[65] Once formally released, the guide is intended to serve as a basis for ILITA’s enforcement activities in workplace environments.[66]

The guide recognizes that modern technologies enable employers to collect personal information regarding employees from a variety of technical systems, such as office computers, email, the Internet, smartphones, and iPads that are provided to employees by their employers.[67] It therefore proposes the adoption of the following principles to guide employers in this regard:

  1. An ongoing review of the data collected by the employer throughout the employment term and the purposes of data collection
  2. Mapping the data stored by the employer, the purpose of its use, and identification of those who have accessed it
  3. Maintaining adequate information security rules, procedures, and mechanisms to prevent leaks or misuse by authorized users
  4. Providing ongoing, appropriate guidance to relevant personnel
  5. Maintaining close supervision on outsourcing services
  6. Setting an explicit and clear policy that covers the permitted use of information technologies and the employer’s ability to monitor such use[68]

Israeli lawyers specializing in  computer law have noted that although some of the provisions contained in the proposed guide are already implemented by many employers in Israel, employers who have not yet implemented them “will need to allocate additional attention and resources to meet the guide’s requirements.”[69]

B.  Protection of Minors

In December 2010 ILITA published a draft proposal for Ethical and Behavioral Rules for Databases Owners Who Collect Information on Minors.[70] According to the Knesset Center for Research and Information, the proposed Rules express ILITA’s view regarding the interpretation of privacy laws that should guide enforcement in cases involving minors.[71]

Among the proposed rules are a general duty to protect the privacy of minors and minimize their vulnerability for harm, and prohibitions on the misuse of a minor’s weaknesses, collection of indecent information, collection of any information regarding a minor under fourteen, and collection of sensitive information regarding a minor under eighteen in the absence of parental consent.

The proposed Rules will further require the provision of clear information to parents and minors regarding the use of the requested information, as well as the adoption of a privacy policy by suppliers who collect information regarding minors. In addition, the proposed rules prohibit the publication of information that enables the identification of a child younger than fourteen years of age.[72]

Back to Top

Ruth Levush
Senior Foreign Law Specialist
June 2012

[1] Basic Law: Human Dignity and Liberty, SEFER HAHUKIM [SH] No. 1391, 5752 (Mar. 25, 1992), as amended, Israel does not have a written constitution contained in one document. Based on the 1951 Harari Knesset (Israel’s Parliament) Resolution, Israel’s Basic Laws were intended to form chapters in its future constitution. See “The Harari Proposal,” in The Constitution, THE KNESSET, (last visited May 16, 2012). Basic Law: Human Dignity and Liberty as well as Basic Law: Freedom of Occupation, both enacted in 1992, however, contain provisions that have been interpreted by the Supreme Court as providing the Court with the authority to repeal statutory legislation that conflicts with the Laws’ provisions.

[2] The Privacy Protection Law, 5741-1981, 35 LAWS OF THE STATE OF ISRAEL [LSI] 136 (5741-1980/81), as amended, up-to-date version available at NEVO LEGAL DATABASE, (in Hebrew; by subscription).

[3] Basic Law: Human Dignity and Liberty § 7, SH No. 1391, 5752 (Mar. 25, 1992), as amended.

[4] Id. § 8.

[5] Michael Birnhack & Niva Elkin-Koren, Does Law Matter Online? Empirical Evidence on Privacy Law Compliance, 17 MICH. TELECOMM. TECH. L. REV. 337, 351 (2011),

[6] Criminal Procedure (Enforcement Authorities–Telecommunication Data) Law, 5768-2007, SH No. 2122 p. 72.

[7] The Privacy Protection Law § 1.

[8] Note that references to “him” or “he” throughout this report are intended to be gender equal.

[9] Protection of Privacy Law (Amendment No. 11) 5771-2011, data/18/3/358_3_3.rtf; see Ruth Levush, Israel: Prohibition on Publishing Photos of Injured or Deceased, GLOBAL LEGAL MONITOR (Apr. 22, 2011), //

[10] The Privacy Protection Law §§ 2, 2A.

[11] Id. § 7.

[12] In a leading decision on interpretation of the authorities of the Registrar of Databases under the PPL, the Supreme Court determined that the Registrar’s authority to enforce the PPL enables him to check, at the time of registration, the legality of the collection, storage, and use of online data also under Chapter A, which deals with collection of data without consent, thereby applying Chapter A requirements to databases that are specifically regulated under Chapter B of the PPL.  CA 439/88 Database Registrar v. Ventura, 48(3) PD 808, 821 (1994).

[13] The Privacy Protection Law § 11.

[14] Id.§ 17C.

[15] Id.§ 17F.

[16] Id.

[17] Attorney General’s Directives Regarding Transfer of Information from Telephone Companies to Bodies with Investigation Authority 2 (Feb. 16, 2003, revised May 16, 2007), MINISTRY OF JUSTICE, (in Hebrew; translation by author).

[18] Id.

[19] Id. at 6 (translation by author).

[20] The Privacy Protection Law § 7.

[21] Id. § 8(d).

[22] Id. § 8(c).

[23] Id. § 7.

[24] Id. §§ 8(c), 17C.

[25] Id. §§ 9, 12, 23.

[26] Id. §§ 12, 9.

[27] Id. § 13(a).

[28] Id. § 13(c).

[29] For information on the Mossad’s objectives see ISRAEL SECRET INTELLIGENCE SERVICE WEBSITE, (last visited May 7, 2012).

[30] The Privacy Protection Law §§ 13(e)(1), 19(c).

[31] Id. § 13(e)(1a, 3).

[32] Id. § 13(e)(3–6).

[33] See Letter from Yoram HaCohen, Registrar of Databases, to Attorney Doron Avni, Representative of Google in Israel, Approving a Request for Registration of Street View Data Database (Aug. 10, 2011), available at (in Hebrew). ILITA’s role and authority are discussed in more detail in Section III, “Role of Data Protection Agencies,” below.

[34] ILITA Authorized Google to Operate Street View in Israel, MINISTRY OF JUSTICE, ILITA, il/MOJEng/ILITA/News/googlestreetview.htm (last visited May 11, 2012).

[35] Id.

[36] Id.

[37] Prevention of Sexual Harassment Law, 5758-1998, SH 5758 No. 1661 p. 166 (1998), as amended.

[38] 38 Penal Law, 5737-1977, §§ 214, 368A, LSI SPECIAL VOLUME, as amended (hereinafter Penal Law).

[39] Id. § 34W.

[40] ILITA, Request for Comments: Ethical and Behavioral Rules for Database Owners Who Collect Information on Minors (Dec. 2010),

[41] The Privacy Protection Law § 4.

[42] Id. § 5.

[43] Id. § 29A.

[44] Id. § 18.

[45] Id. § 31A.

[46] Id. § 29.

[47] See Penal Law § 7.

[48] ILITA Authorized Google to Operate Street View in Israel, supra note 34.

[49] About ILITA, MINISTRY OF JUSTICE, ILITA, (last visited May 8, 2012).

[50] Id.

[51] Id.

[52] In its January 31, 2011, decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data, the European Commission held that “[f]or the purposes of Article 25(2) of Directive 95/46/EC, the State of Israel is considered as providing an adequate level of protection for personal data transferred from the European Union in relation to automated international transfers of personal data from the European Union or, where they are not automated, they are subject to further automated processing in the State of Israel.” Commission Decision of 31 January 2011, 2011 OFFICIAL JOURNAL OF THE EUROPEAN UNION (L 27) 39, (2011/61/EU).

[53] Id.

[54] Basic Law: Human Dignity and Liberty § 7, SH No. 1391, 5752 (Mar. 25, 1992), as amended.

[55] Id. § 8.

[56] HC 8070/98 Association for Human Rights in Israel v. Minister of Interior, 58(4) Piske Din [PD] [Decisions of the Supreme Court] 842 (2004).

[57] Id.

[58] Id. at 855.

[59] CA 86/89 State of Israel v. Bank HaPoalim, 24(2) PD 726, 731, para. 10 (5750/51-1990), as translated  by IAN BOURNE, A GUIDE TO DATA PROTECTION IN ISRAEL 9 (Twinning Project IS/2007/ENPAP/JH/019, Jan. 2010),  Note that Bourne translates the cited law’s name as the “Protection of Privacy Act” (PPA) rather than as the “Privacy Protection Law” (PPL).

[60] CA 439/88 Database Registrar v. Ventura, 48(3) PD 808, 821 (1994).

[61] CA 9893/06 Laufer v. State of Israel (Dec. 31, 2007), NEVO LEGAL DATABASE (by subscription).

[62] Request for CA 4447/07 Mor v. Barak ITC, para. 16 (Mar. 25, 2010), NEVO LEGAL DATABASE (by subscription; translation by author).

[63] BOURNE, supra note 59, at 20.



[66] Id. at 3, para. 1.

[67] Id. para. 2.

[68] ILITA, MINISTRY OF JUSTICE, supra note 65, at 3–4.

[69] Id.

[70] Request for Comments: Ethical and Behavioral Rules, supra note 40.


[72] Request for Comments: Ethical and Behavioral Rules, supra note 40.

Back to Top



Last Updated: 12/30/2020