Our Expert in Israel
No results available
Israel’s privacy reforms bite in 2026 with expanded enforcement muscle, materially higher administrative fines, and a new notification regime that demands immediate action from every organisation holding sensitive personal data at scale. Amendment 13 to the Privacy Protection Law, 1981, passed by the Knesset in August 2024 and operative in key respects since August 14, 2025, represents the most significant overhaul of Israeli privacy law in decades. Beyond the statute itself, the Privacy Protection Authority (PPA) is now actively coordinating with the Israel Competition Authority (ICA) on data-concentration risks, creating a dual regulatory front that affects mergers, platform conduct and data-sharing arrangements.
This guide unpacks the legal changes, maps the enforcement landscape and provides a practical 12-step compliance checklist for general counsel, DPOs and compliance leads operating in or from Israel.
Amendment 13 rewrites significant sections of the Privacy Protection Law, 1981. At its core, the reform broadens the definition of personal data to expressly cover online identifiers, IP addresses and behavioural data, bringing the Israeli regime closer to the scope of the EU’s GDPR. It also introduces a clear statutory distinction between database registration and database notification, replacing the older, undifferentiated registration model with a risk-based framework that targets the largest and most sensitive data holdings.
Under the amended law, organisations that maintain databases containing specially sensitive personal data, such as health records, biometric identifiers, political opinions or data on minors, on more than 100,000 individuals must file a notification with the PPA through dedicated online mechanisms. Smaller or less sensitive databases remain subject to registration requirements, but the notification duty imposes additional obligations including the appointment of a Data Protection Officer (DPO) and enhanced security documentation.
The amendment also strengthens individual rights. Data subjects gain clearer entitlements to access, correction and deletion of their personal data, and organisations must document the lawful basis for processing. For the first time, the statute provides the PPA with explicit authority to impose administrative fines, a power that had previously been limited in scope and rarely exercised.
| Date | Event | Why it matters |
|---|---|---|
| August 2024 | Knesset approved Amendment 13 (passed into law) | Legislative text amended; one-year transition period begins for key provisions. |
| August 14, 2025 | Key provisions entered into force (notification regime, enhanced PPA powers) | Enforcement-ready: PPA gains new investigatory and fine-imposing tools. |
| 2025–2026 | PPA issues sectoral guidance on AI, privacy-enhancing technologies (PETs) and breach response | Operational detail emerges; enforcement signals sharpen for specific sectors. |
Industry observers expect the PPA to use 2026 as a year of active compliance campaigns, particularly in the technology and financial-services sectors where large-scale processing of sensitive data is the norm.
Before Amendment 13, Israel’s privacy enforcement landscape was widely characterised as “light-touch.” The PPA had limited administrative tools, modest fine caps and a track record of preferring guidance over penalty. That era is over. The 2025 amendments give the PPA a substantially expanded toolkit, and early indications suggest it intends to use it.
The PPA’s enhanced powers now include the authority to issue binding document requests, conduct on-site inspections of data-processing operations, and order organisations to cease specific processing activities where a violation is identified. Critically, the PPA can now apply to the courts for injunctive relief, including orders to stop processing entirely or to require the deletion of unlawfully held data. These court-backed remedies give the authority a credible deterrent that did not previously exist in the Israeli privacy framework.
The administrative fines Israel’s privacy regime can now impose represent the most visible change. The amendment establishes a clearer framework for calculating and levying fines, with higher caps that reflect the seriousness of the violation and the size of the offending organisation. While the PPA had previously possessed limited fine-imposing power, the new framework is designed for regular use, not exceptional circumstances.
| Enforcement tool | Before Amendment 13 | After Amendment 13 |
|---|---|---|
| Administrative fines | Limited caps; rarely imposed | Higher fines with a clearer administrative framework; regular use expected |
| Injunctive powers | Primarily judicial routes; limited administrative orders | PPA can seek court orders to stop processing and require data deletion |
| Investigatory powers | Information requests and audits | Broader authority including on-site inspections and cross-border cooperation |
Even before the full suite of Amendment 13 powers became operative, the PPA demonstrated a willingness to escalate enforcement activity. In its 2025 annual report and subsequent public communications, the authority signalled that it would prioritise sectors where sensitive data is processed at scale, notably health-tech, adtech and financial services. The likely practical effect will be a shift from reactive complaint handling to proactive, sector-wide investigations, a pattern familiar from GDPR enforcement in the EU.
For compliance teams, the lesson is clear: self-reported breaches and cooperative engagement with the PPA are expected to attract more lenient treatment, while delayed or obstructive responses will face the full weight of the new enforcement regime. Organisations should treat PPA inquiries with the same urgency they would afford a European Data Protection Authority investigation.
One of the most operationally significant changes under Amendment 13 is the restructured notification obligation for sensitive databases. Under the previous regime, all database owners were required to register their databases with the PPA through a general registration process. The amended law replaces this blanket requirement with a tiered, risk-based system.
Databases containing specially sensitive personal data on more than 100,000 individuals must now notify the PPA using the authority’s dedicated online notification mechanism. The notification duty extends to databases holding categories such as health information, biometric data, genetic data, political opinions, sexual orientation or data concerning minors. Organisations that fall below the 100,000-record threshold for sensitive data, or that hold only non-sensitive personal data, remain subject to the standard registration process.
The breach notification Israel framework has also been clarified. Where a data security incident occurs that is reasonably likely to cause substantial harm to data subjects, the data controller must notify the PPA without undue delay. The content of the notification must include the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to mitigate harm.
For compliance teams, the decision flow is straightforward:
The appointment of a DPO is triggered for organisations that are required to notify the PPA, that is, those holding sensitive data at scale. The DPO must have sufficient authority and resources to oversee compliance and serve as the PPA’s primary point of contact.
A distinctive feature of Israel’s evolving data-regulation landscape, and one that sets it apart from many peer jurisdictions, is the growing coordination between the PPA and the Israel Competition Authority (ICA). Where personal data creates or reinforces market power, both regulators now have a stake in the outcome. This data concentration Israel competition overlap is generating new compliance considerations that neither privacy counsel nor competition lawyers can afford to ignore.
The ICA has signalled that it will scrutinise merger transactions where the combination of datasets could create unmatched consumer profiling capabilities or lock-in effects. Similarly, dominant platforms that use proprietary data access to exclude competitors may face joint scrutiny from both the PPA and the ICA. Early indications suggest that the two authorities are sharing intelligence informally and considering joint or parallel investigations in cases involving significant personal-data assets.
For in-house counsel managing M&A transactions or platform-conduct reviews, the practical implication is that privacy compliance can no longer be siloed from competition strategy. A data-mapping exercise that satisfies PPA notification requirements should simultaneously inform the competition-risk assessment required for ICA filings. Concession packages in merger reviews may need to include data-portability commitments, API access provisions, or data-escrow arrangements designed to address both privacy and competition concerns.
| Scenario | Why competition authorities care | Immediate legal steps |
|---|---|---|
| Merger combining two large consumer-data platforms | Dataset combination may create unmatched profiling or customer lock-in | File early cooling-off notices to PPA and ICA; prepare data mapping and mitigation proposals |
| Dominant platform using data to exclude rivals | Tying data access to platform services or using exclusive data ingestion | Assess remedies: data portability, API access, data-escrow arrangements |
| Exclusive data-sharing agreements reducing market entry | Limits on rivals’ ability to match product features or pricing | Engage competition counsel alongside privacy risk assessment before execution |
With Israel’s privacy reforms now expanded and fully operative, DPOs and in-house counsel need a structured action plan. The following 12-step checklist translates statutory requirements into concrete tasks, each with a rationale and an indicative timeline for completion.
Downloadable micro-assets to support implementation include a PPA notification checklist for Israel, a breach-notification template for Israel, and a data concentration self-assessment for M&A, each of which translates these steps into ready-to-use working documents.
For multinational organisations, Amendment 13 narrows the gap between Israeli privacy law and the GDPR, but important differences remain. Understanding where the regimes converge, and where they diverge, is essential for building a unified compliance programme that satisfies both frameworks without duplication.
| Topic | Israel (post-Amendment 13) | EU (GDPR) |
|---|---|---|
| Personal data scope | Broader than pre-amendment: now expressly covers IPs, online identifiers and behavioural data. Sensitive-database notification threshold at >100,000 individuals. | Broad definitions with separate sensitive-data categories. No record-count threshold for notification; all processing must comply regardless of scale. |
| Enforcement and fines | Stronger PPA administrative powers operative since August 2025. Higher fine framework; active enforcement expected across sectors. | Well-established enforcement ecosystem. Fines up to 4% of global annual turnover or €20 million. Cross-border enforcement via the one-stop-shop mechanism. |
| Privacy–competition interplay | Active coordination emerging between PPA and ICA on data concentration and mergers. | Increasing cooperation between DPAs and competition authorities across EU member states, supported by EDPB guidance. |
Non-Israeli firms with operations, customers or data flows touching Israel should map their Israeli data connections, update cross-border data transfer mechanisms to reflect PPA guidance, and prepare for PPA information requests. A compliance practice area specialist can advise on harmonising multi-jurisdictional programmes.
The risk profile varies by business model. Adtech and platform companies face high exposure given their reliance on behavioural data, large-scale processing and the emerging privacy–competition overlap. Fintech and health-tech firms sit at high to medium risk due to the volume and sensitivity of data they process. HR-data processors handling employee records at scale face medium risk, particularly where they cross the 100,000-record notification threshold. Businesses with limited personal-data processing face lower risk but must still confirm registration obligations are current.
Israel’s privacy reforms in 2026 are expanded in scope, sharpened in enforcement and increasingly connected to competition law. Organisations that act now, mapping data, filing notifications, training teams and integrating privacy risk into competition strategy, will be best positioned to navigate the new regime. For guidance tailored to your sector and operations, consult a specialist through the Israel lawyer directory.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Idan Levy at MITIGATE Compliance & Risk Management, a member of the Global Law Experts network.
posted 35 minutes ago
posted 36 minutes ago
posted 58 minutes ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message