Privacy Talk with Lior Etgar, Partner at Erdinast, Ben Nathan, Toledano & Co: What did data protection action come out during the war against cyberattack?
“This interview has been recorded on 5th August 2024 and discusses privacy and data protection legislation in Israel”
- What comes out after the amendment among private industries?
- What is the different definition under privacy law from other regions?
- What did data protection action come out during the war against cyberattack?
- What comes out after the amendment among private industries?
Lior: But I think that the most important one is that the authority itself and allow vast power and enforcement powers, especially forced to impose financial sanctions, administrative proceedings, the scope that was not there before.
And it will turn the Privacy Protection Authority into a very strong regulator that will be able to enforce its decisions, able to impose financial sanctions on corporations and individuals. And I think that it will first of all better protect the privacy rights in public. It will also elevate the processing of personal data.
And the entities will follow much closely on the founding requirements, regulations and the law itself. It’s gonna be a very interesting time we’re facing.
And the law itself is actually supposed to pass today, the Israeli Parliament approved the bill on August 5, 2024. After that, we will have approximately one year until it will enter into effect.
I assume that the big players, you know, the large companies, then the public entities, probably use this year more thoroughly to inherit the requirements, the new requirements, and the rest of the market will follow them.
This is how those usually regulatory compliance. And you know, if you want to review a little bit of the changed side of enforcement and sanction. I can say a few things. For example, a data protection officer will become a mandatory requirement for certain organizations.
Until now, it was voluntary only. But for now, it’s going to be mandatory. And you can say more or less or the following data brokers, public entities like governmental companies and authority, and also for organizations who are processing personal data on a large scale, pretty similar to GDPR requirements.
And also other organizations which are also processing a mass amount of very sensitive information, special category information, but It is not their main business.
For example, a hospital, and the business of hospitals to provide care for his patients, but a hospital, naturally, is processing a lot of personal health information. This organization will be subject to the DPO appointment requirement, as an example.
Now the big issue in Israel, similar to the UK, is that we have a registration requirement for database owners, it’s like, if you want to compare it, if a controller would have to register. with the regulator and to provide some sort of notification once he’s starting to process the personal data.
So we narrowed down the registration requirement. This needs maybe 95% living only in very specific organizations under the registration requirements. Also another thing, as I said, a lot of terms & definitions have been changed, personal data terms and processing or even identifiable person.
- What is the different definition under privacy law from other regions?
All of those are now part of the law. And of course, the definition of a special category is that we have something else. We have specialty sensitive information, especially sensitive information, which is similar to special categories of GDPR.
Which, by the way, contains specific local values that were important to the local legislator. For example, salary information which is not part of the other definitions abroad, US or the EU, another thing and evaluations of employees and candidates.
Professional evaluations are part of the specially sensitive information in Israel, which is very interesting, because these are specific issues that were regarded as such by the legislator.
Other things we have changed, the criminal offenses. The list of the offenses change to provide more emphasis on places whereby the person is intentionally making unlawful processing deceptive behaviors, deceptive processing, or deceptive basis to obtain information personal for a person.
Of course, a lot of authorities and powers regulate them, maybe two other interesting issues, I think that as opposed to the current law before the amendment, the law also contains a revised purpose limitation principle.
The purpose limitation was broadened, and now principle is a little bit covers more areas of the law as well, and also disclosure requirements, once for a processor or controller is collecting data, and now there is a increased disclosure requirement of scored that all of those there are issues, of course, but these are maybe the big ones.
All of those issues are making a very interesting, broad change for the market, generally speaking, Israeli companies align adequate data protection principles. As you can see, you can find in Europe, for example, and even California.
Maybe, I think they went after Europeans, but eventually you can find a very good sense of adequate data protection in Israel. But now we’re going to be under the law itself, of course, specifics, you know, make the change.
Let us say, you know, in the details, eventually. Companies will have to not only make a thorough gap analysis to adhere to the new requirements as well, we’ll also have to adopt compliance programs now.
Today, compliance programs are, you know, adopted usually by large entities, large companies, public companies, and you know, they have very thorough risk management.
But now also, and now it’s not, it’s not an option. Now everybody will have to do it. And of course, the compliance program is something that we know how to do.
We’re doing it already. But now we will have to expand it into adjusted the new requirements, and also to adjust it to new entities will need it, you know, because that you know, small example, if you want for legislation, we have the information security relations for a few years and the de facto, they added a lot of requirements to the stack it already.
But those requirements, you know, sometimes they are being performed on a material basis. Now, once you have administrative sanctions if you’re not complying with the requirements, then you cannot work on a material basis anymore.
You have to work on a full basis of compliance. It’s a different standard. But you know, maybe the authority, the regulator, at first, they will give you a notice before they will give you a sanction, but you cannot rely on it, and you don’t know exactly what the policy is at any given time.
So it’s better to deal with her all the requirements. So it’s a bit of a different ballgame. Now, a little bit in that sense, good, good for the market. The market will be a lot more advanced, and it will give us much more protection, also the data subjects.
But the thing that also data matters in general, so it’s good for the market, and the market will be much more advanced. I think that will also strict the line GDPR as well. And you know the new states, the new US states that are working after California adopting new privacy laws, then we will.
Everybody is talking about the same principles eventually. So it’s a very good thing, very good progress, you know, for privacy matters in Israel and for Israeli market general.
Because it’s good for the tech industry and it’s good for the economy. We expect that it will. They know better protection of rights and better protection, and you have very substantiated clauses and statutes. So it’s good for the market, good for business, and we hope, we hope for the best.
Kohei: Thank you for sharing that’s been I’m very impressed with what there’s supposed to be. There are many things that have changed since before the Israeli privacy law. So that’s been very important to all the practitioners to do the work and together with Israeli companies as well.
So thank you for sharing. And the next topic is also the very important as for the atmosphere, then between Middle East is becoming so important at this moment, especially for the cyber attacking or disinformation, misinformation that have been shared on the descriptions.
Especially for the platform company that’s been a requirement under the Digital Service Act, the Digital Market Act. It’s European regulations, but directly affects the platform operations.
So in the next topic, I’m gonna ask you about what data protection shouldn’t come out during the world against a cyber attack. And also, do you have any legal moves, since the wars are coming like in recent actions?
- What did data protection action come out during the war against cyberattack?
Lior: Thanks for this question. Cyber security issues are very mini courses. And you know, Israel, we experienced a lot of cyber attacks from enemies. Eventually you can see that in many cases, they are targeting Israel or Israeli companies, Israeli public.
You can see it in social media, but you can surely sense it in cyber attacks. I think that, in general, the Israeli companies are really well acknowledged with cyber security issues and some of the most prominent cyber companies in the world come from Israel.
Israel is a hub for cyber security. And there are a lot of examples. I’m not going to name them, but, you know, there are a lot of very known companies that are working on cyber solutions.
So in Israel, you know, I think that every company has some sort of awareness. Almost every company, their awareness is very high compared to other places in the world.
At least from my experience that I saw from Israeli founders, even small startups are very aware of cybersecurity risk, and they are making other things that companies at this side are not doing usually have a place.
I think that the law, by the way, the privacy protection law, is supposed to, you know, give it to make effective legislation towards a better cybersecurity standard.
Once you have information security regulations and you have enforcement and you’re maybe accused of negligence in case you are not protecting the data well, and you know, there is a regulator to watch it.
So eventually it helps make the cycle in the better standard all the time, the good standard and the high standard all the time. I think if you ask for a few legal aspects, first of all, once you have a security incident in Israel, there is a reporting requirement, the criteria that only if it’s a severe security incident,
You also have criteria among the paper regulations, but generally speaking, when you have a severe security incident, you must report to the Israel Privacy Protection Authority.
There is also the Israel cyber department, the government, and usually they are letting you know once you are being attacked or they found them, there is a link your information, so you’re not supposed to be there all the cases, but it’s very strong Guardian that is also assisting the market.
Two other issues aside from the reporting requirement, first of all, preparations and directors, members of board management, members are all subject to personal liability. You’re not protecting the data, assets and personal data processed and being used by the organization.
So first of all, you must make a very well, very good preparation. You can be from a very risk assessment. Start from a risk assessment, and, you know, move through cyber drills for cyber security procedures.
And together with privacy protection, privacy policies, this is very important to have policies and procedures. And of course, if you want to gain a very good awareness of your organization, you have to do it all the time, not only during an assessment.
And therefore it’s very important to have advisors like CISOs, and if it’s in privacy and DPOs, you know, we of course, we lawyers usually provide DPO services and DPO related, privacy related advice, the cybersecurity advisors provide the security advice.
It’s important to work together. Of course, those are my tips for now.
Kohei: Thank you. In addition to the data protection you describe in your publishing about the misinformation and disinformation action. So is there any kind of approach in Israel to prevent some of the manipulative actions and the platform.
It’s not only legal but also there are some ideas to prevent these kinds of things?
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
