While Israel is a global front-runner in the development of defensive cyber-technologies, its legal framework for protecting personal data is outdated and does not address contemporary threats to data privacy, Israeli attorneys said.
“The rise in the use of technologies that collect our personal data on a widespread and regular basis, combined with an increase in cyber-attacks on entities that collect and store such data, is creating a significant threat to individual privacy worldwide,” Timor Belan, a partner at Tel Aviv-based Gornitzky & Co., said in an email interview. “As a result, countries around the world have responded by updating their cyber regulations and privacy laws. But Israel lags behind.”
Gornitzky & Co. is Israel’s eighth-largest law firm according to a Globes, Dun & Bradstreet 2016 ranking.
Israel’s data protection agency would indeed “benefit from stronger powers and updates to the Privacy Law, in order to better serve the public interest,” its Justice Ministry concurred (full response below).
Higher rates of mobile and web usage and social media are among the key factors contributing to the “explosive increase” in cyber threats, MarketsandMarkets, a Dallas, Texas-based market research firm said in a report. Meanwhile, Prime Minister Benjamin Netanyahu has proudly proclaimed that Israel’s southern city of Beersheba will be not only the cyber-capital of Israel but “one of the most important places in the cybersecurity field in the world.”
But the nation’s legal system still needs to catch up, it appears.
Israel has been working to make its state bodies more secure by allocating a cybersecurity budget and imposing new cyber-related requirements on government offices. The government is also establishing a national CERT (Cyber Event Readiness Team), which will provide cyber-related support and guidance to entities in both the public and private sectors, as well as a Security Operations Center (SOC), which will be an intelligence-based entity focusing mainly on the protection of government offices.
At the same time, regulators have been imposing cyber-related obligations on entities like banks, and in the near future on other financial institutions.
The government is also taking steps to regulate the local cyber-security market, setting new standards for training and certification of cyber-professionals as well as the testing and approval of cyber-products. Israel had also proposed expanding the supervision on the export of cyber-products from Israel but halted that initiative following criticism from the industry.
“Even as Israeli regulators are working to promote cybersecurity in the public sector and to set ground rules for the local cyber-industry, Israel appears to be far behind other countries when it comes to the protection of its residents from data privacy risks,” said Assaf Harel, who, together with Belan, leads Gornitzky’s cybersecurity, privacy and data protection practice.
The 35-year-old law
The main Israeli law that addresses this area is the Protection of Privacy Law, enacted in 1981.
“This law reflects an outdated concept that data privacy may be protected by requiring organizations that store personal data to register their ‘databases’ with the government,” said Harel. “This is a technical process under which the organization is required to provide a few general details on the database, its intended use and the types of data it contains.”
The Privacy Law does not require the government, in a significant way, to ensure that personal data in such registered databases is protected, the attorneys said.
“In practice, the only protection individuals get is their right to be informed that providing information is subject to their consent and they have a right to review this information and a right to demand a correction of inaccuracies,” said Belan. “Clearly, the Privacy Law was not meant to deal with today’s data-saturated reality, where every online store may hold personal information of tens or even hundreds of thousands of civilians.”
More specifically, Belan and Harel said, the existing legal framework lacks basic elements that exist in modern data privacy laws in other countries, such as the requirement to inform the data subject and the relevant authorities in the event of a data breach, or the setting of minimum data security standards that every controller of personal data would have to adhere to. The Privacy Law only provides a general statement that the owner, controller and manager of a database are responsible for protecting the data stored in such database.
Given these deficiencies, “Israeli legislators and regulators should formulate a new legal framework consistent with the emerging international standards in the field of protection of data privacy and cybersecurity,” said Harel.
Israeli regulators should also mandate that more organizations become responsible for cybersecurity, the attorney said. Beyond financial institutions, regulators should focus on imposing such requirements on medical institutions, local government bodies and other public or semi-public entities.
“Israel should compel companies that collect personal data to obtain explicit consent, from the data subject, to hold and use such information,” said Belan. “Additionally, in cases of data breaches, companies should be required, within a reasonable time, to inform an authorized authority, like a designated government office or the police, of data breaches that compromise personal data, as well as to notify the affected individuals when such a breach could significantly harm them.”
The new legal framework would also have to take into account ethical and policy decisions regarding the role of privacy and the proper balance between the right to privacy and other competing rights. “Different countries hold different views as to how this balancing test should be applied,” said Harel.
Israeli legislators will furthermore need to consider their stand on new legal concepts like the “right to be forgotten” (an individual’s right to demand that his or her name and/or other information be removed from a database, and, in particular, from search engine results) and “privacy by design” (an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures).
“It is probable that if the legislature and local regulators do not act on their own initiative to formulate an updated legal framework addressing those issues, certain legal requirements may be imposed on Israel from outside, for example through restrictions that other countries could impose on the transfer of personal data to Israel,” said Belan. This may result in regulations that would not necessarily reflect the views of Israeli legislators, he said.
At the same time, with the imposition of new cybersecurity and privacy-related requirements, the government should also create incentives for sharing information among companies on cyber-attacks, and should devote more resources to educating the public on cybersecurity and privacy-related threats and on ways to mitigate such threats.
“Israel, a country with leading innovation in the field of cybersecurity, can certainly become a global leader in privacy and cyber-related laws,” Harel said. “Adopting a new Privacy Law, as well as imposing cybersecurity requirements on additional public entities, would be an important step toward promoting that goal.”
The Justice Ministry said in an emailed response that Israel has a “robust privacy protection legal regime” that includes the basic human right to privacy, the Protection of Privacy Law, regulation on cross border data transfers and an established data protection authority, the Israeli Law, Information and Technology Authority (ILITA).
“ILITA has regulatory powers by which it conducts investigations of data breaches and other infringements of the Privacy Act,” said Limor Shmerling Magazanik, director of Strategic Relations at the ILITA, which is part of the Justice Ministry. “Both the laws and ILITA’s powers are in effect over all sectors, including corporations, businesses and the public administration. Sanctions on infringements include orders to rectify, orders to stop data processing, monetary fines and in severe cases imprisonment.”
In addition, she said, Israel was declared by the EU Commission as having “an adequate level of privacy protection, and is one of few states outside of the EU that personal data of EU citizens may be transferred to.”
“Although ILITA enforces the privacy act continuously, toward various personal data controllers, it would benefit from stronger powers and updates to the Privacy Law, in order to better serve the public interest,” Shmerling Magazanik said.