[codicts-css-switcher id=”346″]

Global Law Experts Logo
israels privacy reforms bite 2026 expanded

Israel's Privacy Reforms Bite in 2026: Expanded Powers, Tougher Fines and the Privacy–competition Overlap

By Global Law Experts
– posted 3 hours ago

Israel’s privacy reforms bite in 2026 with expanded enforcement muscle, materially higher administrative fines, and a new notification regime that demands immediate action from every organisation holding sensitive personal data at scale. Amendment 13 to the Privacy Protection Law, 1981, passed by the Knesset in August 2024 and operative in key respects since August 14, 2025, represents the most significant overhaul of Israeli privacy law in decades. Beyond the statute itself, the Privacy Protection Authority (PPA) is now actively coordinating with the Israel Competition Authority (ICA) on data-concentration risks, creating a dual regulatory front that affects mergers, platform conduct and data-sharing arrangements.

This guide unpacks the legal changes, maps the enforcement landscape and provides a practical 12-step compliance checklist for general counsel, DPOs and compliance leads operating in or from Israel.

  • Key takeaway 1. The PPA now wields broader investigatory powers, can seek court orders to halt processing or require data deletion, and operates under a clearer administrative fine framework.
  • Key takeaway 2. Databases containing sensitive personal data on more than 100,000 individuals must notify the PPA, a threshold that catches many mid-sized tech, fintech and HR platforms.
  • Key takeaway 3. Privacy and competition law are converging: counsel must integrate data-risk assessments into M&A due diligence and platform-conduct reviews as the PPA and ICA increasingly share intelligence.

What Amendment 13 changed, a quick legal summary of Israel’s privacy reforms

Amendment 13 rewrites significant sections of the Privacy Protection Law, 1981. At its core, the reform broadens the definition of personal data to expressly cover online identifiers, IP addresses and behavioural data, bringing the Israeli regime closer to the scope of the EU’s GDPR. It also introduces a clear statutory distinction between database registration and database notification, replacing the older, undifferentiated registration model with a risk-based framework that targets the largest and most sensitive data holdings.

Under the amended law, organisations that maintain databases containing specially sensitive personal data, such as health records, biometric identifiers, political opinions or data on minors, on more than 100,000 individuals must file a notification with the PPA through dedicated online mechanisms. Smaller or less sensitive databases remain subject to registration requirements, but the notification duty imposes additional obligations including the appointment of a Data Protection Officer (DPO) and enhanced security documentation.

The amendment also strengthens individual rights. Data subjects gain clearer entitlements to access, correction and deletion of their personal data, and organisations must document the lawful basis for processing. For the first time, the statute provides the PPA with explicit authority to impose administrative fines, a power that had previously been limited in scope and rarely exercised.

Timeline of Amendment 13

Date Event Why it matters
August 2024 Knesset approved Amendment 13 (passed into law) Legislative text amended; one-year transition period begins for key provisions.
August 14, 2025 Key provisions entered into force (notification regime, enhanced PPA powers) Enforcement-ready: PPA gains new investigatory and fine-imposing tools.
2025–2026 PPA issues sectoral guidance on AI, privacy-enhancing technologies (PETs) and breach response Operational detail emerges; enforcement signals sharpen for specific sectors.

Industry observers expect the PPA to use 2026 as a year of active compliance campaigns, particularly in the technology and financial-services sectors where large-scale processing of sensitive data is the norm.

Expanded enforcement powers and fines: the Privacy Protection Authority in practice

Before Amendment 13, Israel’s privacy enforcement landscape was widely characterised as “light-touch.” The PPA had limited administrative tools, modest fine caps and a track record of preferring guidance over penalty. That era is over. The 2025 amendments give the PPA a substantially expanded toolkit, and early indications suggest it intends to use it.

The PPA’s enhanced powers now include the authority to issue binding document requests, conduct on-site inspections of data-processing operations, and order organisations to cease specific processing activities where a violation is identified. Critically, the PPA can now apply to the courts for injunctive relief, including orders to stop processing entirely or to require the deletion of unlawfully held data. These court-backed remedies give the authority a credible deterrent that did not previously exist in the Israeli privacy framework.

The administrative fines Israel’s privacy regime can now impose represent the most visible change. The amendment establishes a clearer framework for calculating and levying fines, with higher caps that reflect the seriousness of the violation and the size of the offending organisation. While the PPA had previously possessed limited fine-imposing power, the new framework is designed for regular use, not exceptional circumstances.

Enforcement tool Before Amendment 13 After Amendment 13
Administrative fines Limited caps; rarely imposed Higher fines with a clearer administrative framework; regular use expected
Injunctive powers Primarily judicial routes; limited administrative orders PPA can seek court orders to stop processing and require data deletion
Investigatory powers Information requests and audits Broader authority including on-site inspections and cross-border cooperation

Enforcement signals and early lessons

Even before the full suite of Amendment 13 powers became operative, the PPA demonstrated a willingness to escalate enforcement activity. In its 2025 annual report and subsequent public communications, the authority signalled that it would prioritise sectors where sensitive data is processed at scale, notably health-tech, adtech and financial services. The likely practical effect will be a shift from reactive complaint handling to proactive, sector-wide investigations, a pattern familiar from GDPR enforcement in the EU.

For compliance teams, the lesson is clear: self-reported breaches and cooperative engagement with the PPA are expected to attract more lenient treatment, while delayed or obstructive responses will face the full weight of the new enforcement regime. Organisations should treat PPA inquiries with the same urgency they would afford a European Data Protection Authority investigation.

Registration, notification and breach rules in practice

One of the most operationally significant changes under Amendment 13 is the restructured notification obligation for sensitive databases. Under the previous regime, all database owners were required to register their databases with the PPA through a general registration process. The amended law replaces this blanket requirement with a tiered, risk-based system.

Databases containing specially sensitive personal data on more than 100,000 individuals must now notify the PPA using the authority’s dedicated online notification mechanism. The notification duty extends to databases holding categories such as health information, biometric data, genetic data, political opinions, sexual orientation or data concerning minors. Organisations that fall below the 100,000-record threshold for sensitive data, or that hold only non-sensitive personal data, remain subject to the standard registration process.

The breach notification Israel framework has also been clarified. Where a data security incident occurs that is reasonably likely to cause substantial harm to data subjects, the data controller must notify the PPA without undue delay. The content of the notification must include the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to mitigate harm.

For compliance teams, the decision flow is straightforward:

  1. Determine sensitivity. Classify every database by data category against PPA criteria.
  2. Count records. Assess whether sensitive databases exceed the 100,000-individual threshold.
  3. Decide registration vs notification. Databases above the threshold require notification; others require registration.
  4. Review security measures. Ensure technical and organisational measures meet PPA standards.
  5. Prepare breach-response protocols. Document incident-response procedures, assign roles, and conduct tabletop exercises.

The appointment of a DPO is triggered for organisations that are required to notify the PPA, that is, those holding sensitive data at scale. The DPO must have sufficient authority and resources to oversee compliance and serve as the PPA’s primary point of contact.

The privacy–competition overlap: data concentration and market power

A distinctive feature of Israel’s evolving data-regulation landscape, and one that sets it apart from many peer jurisdictions, is the growing coordination between the PPA and the Israel Competition Authority (ICA). Where personal data creates or reinforces market power, both regulators now have a stake in the outcome. This data concentration Israel competition overlap is generating new compliance considerations that neither privacy counsel nor competition lawyers can afford to ignore.

The ICA has signalled that it will scrutinise merger transactions where the combination of datasets could create unmatched consumer profiling capabilities or lock-in effects. Similarly, dominant platforms that use proprietary data access to exclude competitors may face joint scrutiny from both the PPA and the ICA. Early indications suggest that the two authorities are sharing intelligence informally and considering joint or parallel investigations in cases involving significant personal-data assets.

For in-house counsel managing M&A transactions or platform-conduct reviews, the practical implication is that privacy compliance can no longer be siloed from competition strategy. A data-mapping exercise that satisfies PPA notification requirements should simultaneously inform the competition-risk assessment required for ICA filings. Concession packages in merger reviews may need to include data-portability commitments, API access provisions, or data-escrow arrangements designed to address both privacy and competition concerns.

When privacy triggers competition scrutiny

Scenario Why competition authorities care Immediate legal steps
Merger combining two large consumer-data platforms Dataset combination may create unmatched profiling or customer lock-in File early cooling-off notices to PPA and ICA; prepare data mapping and mitigation proposals
Dominant platform using data to exclude rivals Tying data access to platform services or using exclusive data ingestion Assess remedies: data portability, API access, data-escrow arrangements
Exclusive data-sharing agreements reducing market entry Limits on rivals’ ability to match product features or pricing Engage competition counsel alongside privacy risk assessment before execution

Practical compliance checklist, 12 steps for 2026 readiness under Israel’s privacy reforms

With Israel’s privacy reforms now expanded and fully operative, DPOs and in-house counsel need a structured action plan. The following 12-step checklist translates statutory requirements into concrete tasks, each with a rationale and an indicative timeline for completion.

  1. Map personal data flows. Identify every system, vendor and process that collects, stores or transfers personal data. This mapping forms the foundation for every subsequent step. Timeline: 2–4 weeks.
  2. Classify data sensitivity. Match every data category against PPA criteria for “specially sensitive” personal data (health, biometric, genetic, political, minors, sexual orientation). Timeline: 1–2 weeks after mapping.
  3. Count records and assess the notification threshold. For each database classified as sensitive, determine whether it holds data on more than 100,000 individuals. If so, the notification obligation applies. Timeline: concurrent with classification.
  4. Confirm lawful basis and update documentation. Review the legal basis for every category of processing. Update privacy notices, consent mechanisms and internal policies to reflect Amendment 13 requirements. Timeline: 2–3 weeks.
  5. Appoint or confirm the DPO. Organisations that trigger the notification threshold must appoint a DPO with sufficient authority and resources. Ensure the appointment is documented and communicated to the PPA. Timeline: immediate if not yet in place.
  6. Update contracts and standard contractual clauses (SCCs) for cross-border data transfers. Review all data-transfer agreements with international vendors or group companies. Ensure transfer mechanisms reflect PPA guidance on adequacy and contractual safeguards. Timeline: 3–6 weeks.
  7. Review security measures and run tabletop breach exercises. Benchmark technical and organisational security controls against PPA expectations. Conduct at least one tabletop exercise simulating a data breach, including notification to the PPA and affected individuals. Timeline: quarterly thereafter.
  8. Prepare the PPA notification and registration pack. For databases above the threshold, assemble the notification filing using the PPA’s online mechanisms. For other databases, confirm registration is current. Timeline: 2–4 weeks.
  9. Train incident-response and communications teams. Ensure legal, IT-security and public-relations teams understand their roles in a breach scenario. Document escalation procedures and media-response protocols. Timeline: initial training within 4 weeks; annual refresher.
  10. Add competition-risk assessment to M&A due diligence. Integrate data-asset evaluation into every acquisition or investment review. Assess whether combined datasets create market-power concerns that could trigger ICA scrutiny. Timeline: embed in DD process immediately.
  11. Maintain robust records of processing activities. Keep detailed, up-to-date records of all processing operations, including purposes, categories of data subjects, retention periods and transfer destinations. These records are the first document the PPA will request in an investigation. Timeline: ongoing.
  12. Engage regulators early and consider voluntary remediation. Where a potential compliance gap is identified, early engagement with the PPA, including voluntary disclosure and remediation plans, is expected to attract more favourable regulatory treatment than reactive responses after an investigation begins. Timeline: as issues arise.

Downloadable micro-assets to support implementation include a PPA notification checklist for Israel, a breach-notification template for Israel, and a data concentration self-assessment for M&A, each of which translates these steps into ready-to-use working documents.

International comparison: what multinational businesses must do

For multinational organisations, Amendment 13 narrows the gap between Israeli privacy law and the GDPR, but important differences remain. Understanding where the regimes converge, and where they diverge, is essential for building a unified compliance programme that satisfies both frameworks without duplication.

Topic Israel (post-Amendment 13) EU (GDPR)
Personal data scope Broader than pre-amendment: now expressly covers IPs, online identifiers and behavioural data. Sensitive-database notification threshold at >100,000 individuals. Broad definitions with separate sensitive-data categories. No record-count threshold for notification; all processing must comply regardless of scale.
Enforcement and fines Stronger PPA administrative powers operative since August 2025. Higher fine framework; active enforcement expected across sectors. Well-established enforcement ecosystem. Fines up to 4% of global annual turnover or €20 million. Cross-border enforcement via the one-stop-shop mechanism.
Privacy–competition interplay Active coordination emerging between PPA and ICA on data concentration and mergers. Increasing cooperation between DPAs and competition authorities across EU member states, supported by EDPB guidance.

Non-Israeli firms with operations, customers or data flows touching Israel should map their Israeli data connections, update cross-border data transfer mechanisms to reflect PPA guidance, and prepare for PPA information requests. A compliance practice area specialist can advise on harmonising multi-jurisdictional programmes.

Conclusion: risk matrix and next steps as Israel’s privacy reforms bite in 2026

The risk profile varies by business model. Adtech and platform companies face high exposure given their reliance on behavioural data, large-scale processing and the emerging privacy–competition overlap. Fintech and health-tech firms sit at high to medium risk due to the volume and sensitivity of data they process. HR-data processors handling employee records at scale face medium risk, particularly where they cross the 100,000-record notification threshold. Businesses with limited personal-data processing face lower risk but must still confirm registration obligations are current.

Israel’s privacy reforms in 2026 are expanded in scope, sharpened in enforcement and increasingly connected to competition law. Organisations that act now, mapping data, filing notifications, training teams and integrating privacy risk into competition strategy, will be best positioned to navigate the new regime. For guidance tailored to your sector and operations, consult a specialist through the Israel lawyer directory.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Idan Levy at MITIGATE Compliance & Risk Management, a member of the Global Law Experts network.

Sources

  1. Privacy Protection Authority, gov.il
  2. PPA Guide on Privacy-Enhancing Technologies (PETs), gov.il
  3. Library of Congress, Global Legal Monitor: Amendment 13 Entry into Force
  4. Tech Policy Institute, Overview of Amendment No. 13
  5. Chambers Global Practice Guides, Data Protection & Privacy 2026: Israel
  6. DataGuidance / OneTrust, Israel Jurisdiction Overview
  7. EBN Law, Draft PPA Guidance on AI

FAQs

What is Amendment 13 and when did it take effect?
Amendment 13 is the largest reform to Israel’s Privacy Protection Law, 1981 in decades. Passed by the Knesset in August 2024, its key enforcement provisions, including the notification regime and expanded PPA powers, came into force on August 14, 2025.
Databases containing specially sensitive personal data (health, biometric, genetic, political, data on minors or sexual orientation) on more than 100,000 individuals must notify the PPA using the authority’s online notification mechanism.
The PPA can impose administrative fines under a clearer, higher-cap framework and can seek court orders to stop processing or require deletion of unlawfully held data. Organisations should assume active enforcement is the new baseline.
The PPA and ICA are increasingly coordinating where personal data creates market power or affects merger outcomes. Counsel should integrate data-risk assessments into competition due diligence as a matter of course.
Yes. Amendment 13 and related PPA guidance clarify transfer requirements and grant the PPA more authority over adequacy determinations and contractual safeguards. Multinational businesses should update their transfer mechanisms accordingly.
Count records, classify sensitivity against PPA criteria, assess whether the 100,000-record notification threshold is met, review security controls, update breach-response plans and, if the threshold applies, prepare the PPA notification and appoint a DPO.
PPA contact channels and online services, including registration, notification and DPIA filing, are available through the authority’s dedicated pages on the gov.il platform.
brazils vat reform 2026 new cbs
By Global Law Experts

posted 3 hours ago

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

Israel's Privacy Reforms Bite in 2026: Expanded Powers, Tougher Fines and the Privacy–competition Overlap

Send welcome message

Custom Message