Despite Increased Fines and Expanded Obligations Arab Businesses Remain Unprepared for Amendment 13 of the Privacy Protection Law

Despite the significant increase in fines and the expansion of legal obligations, many Arab businesses remain unprepared to comply with the amended Privacy Protection Law in Israel. On August 15, Amendment No. 13 to the Privacy Protection Law entered into force, introducing far-reaching changes to the legal obligations applicable to any business, or organization that processes personal data relating to individuals—whether customers, employees, or service providers. Unfortunately, we continue to observe that the vast majority of businesses and institutions within Arab society are still far from complying with the law’s requirements. This

exposes them to substantial risks, including the imposition of very high administrative fines by the Israeli Privacy Protection Authority and the growing wave of class actions filed against companies in recent months.

In light of this reality, it is now critically important for business owners and employers—across all sectors and regardless of business size—to pause and conduct a meaningful assessment: Are we complying with the obligations imposed by law? Do we truly understand the scope of the risks we may face if our business is audited by the Privacy Protection Authority?

At the outset, it is important to emphasize that the right to privacy is a fundamental right in Israel, protected under Basic Law: Human Dignity and Liberty and regulated by the Privacy Protection Law of 1981. In today’s era of rapid and profound technological development, states around the world are competing to enact data protection and privacy legislation. Personal data has become the driving fuel behind technological advancement—particularly in fields such as artificial intelligence and personalized medicine.

Against this backdrop, Amendment No. 13 constitutes the most comprehensive reform to the Privacy Protection Law since its enactment. Its purpose is to align Israel’s data protection framework with the challenges of the digital age by imposing concrete and enforceable obligations on every entity—individuals, companies, non-profits, service providers, local authorities, and even government bodies—that collects and processes personal data for commercial purposes.

Accordingly, any business owner, whether operating a medical clinic, law firm, marketing agency, educational institution, beauty salon, or civil society organization, may be considered a “controller of a database” under the law. This designation entails compliance with multiple requirements, including: preparing a database definition document (מסמך הגדרות מאגר), implementing information security procedures (נוהל אבטחת מידע), fulfilling transparency and notice obligations, notifying individuals and obtaining their consent for data collection, and, in certain cases, appointing a Data Protection Officer. Naturally, additional and stricter requirements apply where artificial intelligence systems are developed or used in connection with personal data.

As a legal professional, I welcome the entry into force of this amendment. I firmly believe in the necessity of establishing legal safeguards to address the unchecked expansion of technology that permeates every aspect of our lives—healthcare, banking, education, social media platforms, and even criminal and military law.

At the same time, I consider it my professional and ethical duty to call upon Arab businesses and institutions to take immediate steps toward compliance. This obligation stems from our collective responsibility to respect every individual’s ownership of their privacy. Transparency is a foundational pillar for building customer trust and for avoiding the substantial fines that the Privacy Protection Authority is empowered to impose on non-compliant entities—starting as early as the coming August.

It is important to stress that these fines are not symbolic. They can reach hundreds of thousands of shekels and, in certain cases, may be imposed without any requirement to prove actual harm. For example, a business that fails to prepare a database definition document may face fines ranging from NIS 2,000 up to NIS 160,000. Failure to notify the Privacy Protection Authority of a personal data breach involving unauthorized access may result in fines of up to NIS 320,000—without accounting for reputational damage and legal exposure. The level of fines is

determined based on factors such as the sensitivity of the data collected (for example, medical data is more sensitive than address information), the scope of the database (a database containing data on 200,000 individuals differs significantly from one containing data on 250 individuals), and additional considerations.

For these reasons, it is of paramount importance to consult professionals with expertise in this field—professionals who can provide tailored legal advice based on the nature of your business, the technologies and digital systems you use, and the contractual obligations governing your relationships with customers and service providers. Digital and information security risks must not be underestimated. Businesses have increasingly become targets for cyber-attacks, with studies indicating that Israeli organizations face approximately 2,000 cyber-attack attempts per week across all sectors. In this context, I am pleased and honored to offer legal advisory and compliance support to organizations seeking to

assess their data protection posture, draft website privacy policies, prepare Data Processing Agreements (DPAs), and provide guidance and training to management teams and employees.

Ultimately, preparing for compliance is no longer optional—it is a necessity. Whether you operate a small retail store, a medical clinic, a non-profit organization, or a technology startup, I strongly encourage you to review your organization’s legal compliance today—before being confronted by a regulatory audit, a cyber incident, or a costly legal claim that could have been avoided.

Nisreen Massarwi-Odeh, adv. (DPO and CIPP/E)

Founder of NMO Legal- Legal Consultancy