Israel's Privacy Protection Amendment 13: Grace Period Ends as DPO Enforcement Wave Begins

Israel's Privacy Protection Authority (PPA) has begun active enforcement of Amendment 13 to the Privacy Protection Law, 1981, following the expiration of initial grace periods that gave organizations time to comply with sweeping new requirements. The amendment, which took effect on August 14, 2025, represents the most significant overhaul of Israeli privacy law in over four decades, bringing the country's data protection framework in closer alignment with the EU's GDPR while incorporating Israel-specific provisions that reflect the country's unique technological, security, and cultural landscape.

Executive Summary

Amendment 13 introduces fundamental changes to Israel's data protection regime that affect virtually every organization processing personal data in or from Israel. The amendment expands the Privacy Protection Authority's enforcement powers, creates new compliance obligations including mandatory Data Protection Officer (DPO) appointments for qualifying organizations, enhances transparency requirements, and establishes significant criminal and civil liability for violations.

The PPA's January 2026 shift from guidance to enforcement marks a critical transition period. Organizations that viewed the grace period as optional preparation time now face investigations, fines, and potentially criminal complaints for non-compliance. Early enforcement actions in Europe—including €5,000-€40,000 fines for DPO conflicts of interest—provide clear signals of what Israeli organizations can expect as the PPA looks to EU regulatory precedents when charting its enforcement course.

Key developments include:

• DPO requirement enforcement begins: Organizations meeting specified criteria must appoint qualified, independent DPOs or face sanctions
• Enhanced PPA enforcement powers: Authority can now conduct investigations, demand information, and impose administrative sanctions
• Board-level oversight obligations: Directors of certain companies must oversee data protection policy implementation
• Expanded notification requirements: Controllers must provide detailed privacy notices and breach notifications
• New criminal and civil liability: Violations can result in both criminal prosecution and civil lawsuits
• Database registration changes: Modified requirements for registering databases with the PPA

Background: Why Amendment 13 Matters

Israel's Privacy Law Evolution

1981: Original Privacy Protection Law
Israel's Privacy Protection Law was progressive for its time, establishing:

• Protection against unlawful collection and use of personal data
• Database registration requirements
• Individual rights to access and correct data
• Criminal penalties for violations

Decades of Patchwork Updates
Over 40 years, the law was amended incrementally to address:

• Digital communications
• Biometric data
• Credit information
• Direct marketing
• Cross-border data transfers

The Problem:
By the 2020s, Israel's privacy framework had fallen significantly behind international standards, particularly the EU's GDPR. This created:

• Adequacy decision risk: EU questioned whether Israeli law provided adequate protection for personal data transfers
• Competitive disadvantage: Israeli tech companies faced compliance barriers when operating in Europe
• Enforcement gaps: PPA lacked tools and authority to effectively regulate modern data processing
• Unclear obligations: Outdated language didn't address cloud computing, AI, big data analytics

Amendment 13: Modernization and GDPR Alignment

Amendment 13 represents a comprehensive overhaul designed to:

1. Achieve EU adequacy: Strengthen Israeli law to maintain and enhance EU adequacy decision
2. Harmonize with GDPR: Adopt GDPR-inspired concepts while maintaining Israeli legal traditions
3. Empower regulator: Give PPA enforcement tools comparable to European DPAs
4. Address modern technology: Update obligations for contemporary data processing practices
5. Enhance accountability: Shift from reactive to proactive compliance through DPIAs, DPOs, and board oversight

Key Provisions of Amendment 13

1. Data Protection Officer (DPO) Requirement

Who Must Appoint a DPO:

The PPA's draft guidance clarifies that DPO appointment is mandatory for:

a) Public Bodies

• Government ministries and agencies
• Local authorities
• State-owned companies
• Any entity performing governmental functions

b) Data Brokers

• Entities whose primary business involves collecting and selling consumer data
• Marketing data providers
• People-search websites
• Credit reporting agencies (with limitations based on existing sector regulation)

c) Systematic and Ongoing Monitoring

• Organizations engaged in large-scale, continuous surveillance or tracking of individuals
• Examples: social media platforms, advertising networks, location-based services
• Focus on systematic nature (not one-off monitoring) and ongoing operations

d) Large-Scale Processing of Sensitive Data

• Healthcare providers processing patient data at scale
• Financial institutions handling sensitive financial information
• Organizations processing biometric data, genetic information, or location data
• Educational institutions with extensive student data

Determining "Large-Scale":
The PPA guidance indicates consideration of:

• Number of data subjects affected
• Volume of data processed
• Geographic scope of processing
• Duration and permanence of processing activities

DPO Qualifications and Expertise

Required Qualifications:

1. In-Depth Knowledge of Privacy Law

• Comprehensive understanding of Israeli Privacy Protection Law and regulations
• Familiarity with international frameworks (GDPR, CCPA, etc.)
• Awareness of sector-specific regulations applicable to the organization
• Understanding of relevant case law and regulatory guidance

2. Sound Understanding of Technology

• Technical knowledge of data processing systems and architectures
• Awareness of cybersecurity principles and practices
• Understanding of data flows, APIs, databases, and cloud computing
• Ability to assess technical security measures

3. Familiarity with the Organization

• Understanding of business model and data processing purposes
• Knowledge of organizational structure and decision-making processes
• Awareness of industry-specific practices and challenges
• Ability to provide context-appropriate guidance

Professional Background:
DPOs commonly come from:

• Legal backgrounds with privacy specialization
• Information security or IT backgrounds with legal training
• Compliance or risk management roles
• External privacy consulting firms

DPO Rights and Obligations

Rights (to ensure independence and effectiveness):

1. Direct Reporting to Senior Management

• DPO must report to the highest management level
• Cannot report through compliance, legal, or IT departments that may have conflicting interests
• Must have direct access to board or CEO

2. Adequate Resources

• Sufficient budget for training, tools, and professional development
• Access to legal counsel when needed
• Staff support for administrative functions
• Ability to engage external experts

3. Protection from Dismissal

• Cannot be dismissed or penalized for performing DPO duties
• Employment protection against retaliation
• Safeguards when DPO raises compliance concerns

4. Time Allocation

• Sufficient time to perform DPO responsibilities
• Not burdened with excessive non-DPO duties
• Ability to prioritize privacy matters appropriately

Obligations:

1. Monitor Compliance

• Assess organization's compliance with privacy law
• Identify gaps and recommend remediation
• Review data processing activities regularly
• Oversee implementation of privacy policies

2. Advise on Privacy Matters

• Provide guidance on Data Protection Impact Assessments (DPIAs)
• Advise on privacy-by-design in new projects
• Review contracts with processors
• Guide responses to data subject requests

3. Serve as Contact Point

• Liaison with Privacy Protection Authority
• Point of contact for data subjects exercising rights
• Interface with external stakeholders on privacy matters

4. Foster Privacy Culture

• Conduct privacy awareness training
• Promote privacy-by-design principles
• Raise awareness of privacy risks
• Embed privacy in organizational culture

DPO Conflicts of Interest: The Critical Issue

The Fundamental Problem:
A DPO cannot effectively monitor compliance if they also determine the purposes and means of processing—the very decisions they're supposed to independently assess.

Prohibited Roles (in addition to DPO):

Senior Management Positions:

• CEO, COO, CFO, CTO
• Business unit heads
• Product managers making data processing decisions
• Marketing directors determining advertising practices

IT and Technology Leadership:

• CIO or IT Director
• Chief Security Officer (in some contexts)
• Technology architects designing data systems
• Database administrators

Legal and Compliance:

• General Counsel (may have conflicts)
• Compliance officers with operational authority
• Contract negotiators determining data processing terms

Commercial Roles:

• Sales leadership setting customer data practices
• Business development determining partner data sharing
• Procurement deciding vendor relationships

European DPO Conflict of Interest Enforcement

The PPA has explicitly stated it looks to EU regulators when charting enforcement approaches. Recent European fines provide clear warning signals: