The year 2025 marked a significant turning point in Israeli privacy law with the entry into force of Amendment 13 to the Israeli Protection of Privacy Law, 5741-1981 (the “Amendment” or the “Law”) in August 2025. In addition to introducing new roles and responsibilities, expanding existing obligations, and updating key concepts, the Amendment significantly broadened the powers of the Privacy Protection Authority (the “Authority”). It granted the Authority the ability to impose administrative monetary sanctions for breaches of the Law and the regulations promulgated thereunder and expanded the grounds for awarding statutory damages. In light of these developments, and in recognition of International Privacy Day, observed annually on January 28th, this client update examines the practical implications of these changes and outlines key steps organizations can take to reduce their exposure to enforcement actions.
The Authority has announced that its enforcement activities in 2026 will extend across a broad range of business sectors and encompass numerous privacy-related obligations. The Authority intends to pursue enforcement both proactively and reactively, including by initiating proceedings on its own initiative and by addressing privacy-related complaints. The Authority is also expected to focus on areas involving heightened privacy risks, such as the processing of large volumes of information, the processing of sensitive information, and matters relating to children’s privacy. In addition, the Authority has identified workplace privacy as a key area of focus.
One of the main drivers of increased enforcement in recent years has been the Authority’s cross-sector audit program, which has operated since 2018 and conducts proactive audits to examine organizations’ compliance with the Law and its associated regulations. Following the entry into force of Amendment 13, these audits are now conducted in a new regulatory environment, as the Authority has been granted expanded enforcement powers, most notably the ability to impose administrative monetary sanctions. Recently, the Authority announced the launch of a new round of cross-sector audits across various industries. If, during such an audit, the Authority finds that an entity has not complied with applicable requirements, it may take enforcement actions, including the imposition of administrative monetary sanctions.
The administrative monetary sanctions introduced by the Amendment vary depending on the nature of the breached provision, the number of data subjects in the database, the size of the organization, and the security level applicable to the database under the Protection of Privacy Regulations (Data Security), 5777-2017 (the “Data Security Regulations”). The administrative monetary sanctions that the Authority may impose can, in certain cases, amount to millions of NIS.
In light of the increased enforcement anticipated in 2026 following Amendment 13, companies are expected to face significantly greater exposure to enforcement actions. Accordingly, companies should prepare in advance and conduct a comprehensive review of the organization’s compliance framework. In that context, companies should consider and prioritize operational steps such as:
- Adopting an enforcement plan to systematically map and implement the privacy obligations applicable to the company;
- Updating privacy policies and privacy notices;
- Assessing whether there is an obligation to appoint a Data Protection Officer (DPO), and considering such an appointment even when not legally required, particularly for organizations that process significant volumes of personal information or that process sensitive information;
- Updating database definition documents at least annually or upon any material change;
- Implementing the data minimization principle and periodically reviewing the necessity of retaining information, subject to record retention requirements for legal, regulatory, and litigation-defense purposes;
- Validating and updating information security procedures at least annually, and in response to material changes or emerging technological risks;
- Conducting training for employees with access permissions in accordance with regulatory requirements (and in any case, at least once a year);
- Establishing a procedure to implement the obligation to allow individuals to access information about themselves held in the company’s databases, and testing its effectiveness to ensure the organization can respond to access requests within the prescribed timeframe;
- Holding management and board discussions regarding security incidents, penetration tests, and privacy audits, and maintaining documentation of such discussions.
These steps, together with ongoing monitoring of the implementation of data protection requirements within the organization, can reduce regulatory exposure, improve preparedness for audits or enforcement proceedings, and strengthen the trust of customers, employees, and business partners in the organization’s information management practices. International Privacy Day, observed today, presents an opportunity to promote a proactive and structured review of the organization’s compliance framework and to close compliance gaps, with an emphasis on the areas on which the Authority is focusing its enforcement efforts.
Gornitzky’s Cyber and Privacy Group has extensive experience providing legal advice to Israeli and international companies regarding compliance with Israeli cyber and privacy requirements. We also provide Data Protection Officer (DPO) services and conduct compliance surveys within companies to identify and address gaps in compliance with the Law and the regulations promulgated thereunder.
Please feel free to contact us if you have any questions or would like to discuss this matter.
This client update is intended to provide general information only, does not constitute a full or complete analysis of the matters presented, and may not be relied upon as legal advice.