Compliance Engineering · Cross-Industry · 8 min read · 2026-04-09

Israel Privacy Protection Law 2023: What Multinational Tech Teams Must Build

72 hrs: Israel PPL breach notification deadline to the Privacy Protection Authority, effective August 2024
Israel's Privacy Protection Law (PPL) amendment, effective August 2024, substantially upgrades the 1981 framework to impose GDPR-comparable obligations on data controllers and processors serving Israeli users. The amendment introduces mandatory data breach notification (72 hours to the Privacy Protection Authority), stricter cross-border transfer restrictions, enhanced data subject rights, and significant increases in administrative penalties. Engineering teams building systems that serve Israeli users need to assess whether their existing GDPR compliance architecture covers PPL obligations — it does in some areas and materially does not in others.

Israel's Privacy Protection Law (PPL) has been in force in various forms since 1981. For most of that time, it was a relatively light-touch framework compared to European data protection law. The 2023 amendment, which came into effect in August 2024, changes that substantially. The amended PPL introduces obligations comparable in scope and enforcement posture to GDPR — mandatory breach notification, enhanced data subject rights, cross-border transfer restrictions, and significant administrative penalties. Engineering teams building systems that serve Israeli users are now operating under a materially different regulatory environment than they were two years ago.

What Changed From the 1981 Framework

The major changes in the 2023 amendment are: mandatory breach notification to the Privacy Protection Authority (PPA) within 72 hours of becoming aware of a breach that poses a "significant risk" to data subjects; new data subject rights, including the right to access, rectification, and deletion of personal data; mandatory appointment of a Data Protection Officer for organisations that process large volumes of personal data or sensitive data categories; restrictions on cross-border transfers to countries without adequate protection; and penalties up to NIS 3.8 million (approximately USD 1 million) per violation for severe breaches.

The cross-border transfer provisions are the most architecturally significant change for multinational engineering teams. Under the 1981 PPL, there was no meaningful restriction on transferring personal data out of Israel. The amendment introduces a whitelist of countries with adequate protection and requires contractual safeguards or explicit consent for transfers to non-whitelist countries. If the system transfers personal data from Israel to the United States — not on the whitelist — a Data Transfer Agreement based on the PPA's standard contractual clauses is required.

The Engineering Reality

The overlap between GDPR and the amended PPL is substantial but not complete. GDPR compliance does not automatically mean PPL compliance. Key differences: the PPL's breach notification trigger ("significant risk") is defined differently from GDPR's. The PPL's data subject rights have different procedural requirements for response timing. The PPL's sensitive data categories include financial data and criminal records in ways that differ from GDPR's special categories. Engineering teams should treat the PPL as a distinct compliance obligation, not as an automatic consequence of GDPR compliance.

Engineering for PPL Breach Notification

The 72-hour notification requirement means the incident response workflow must have a PPL notification pathway alongside the GDPR notification pathway. The workflow must: detect the incident, classify whether it meets the PPL's "significant risk" threshold, identify Israeli data subjects affected, and trigger notification to the PPA within 72 hours of becoming aware. "Becoming aware" is the point at which the organisation has sufficient information to know that a breach has occurred — not the point at which all details are confirmed.

Data Inventory and Israeli Data Subjects

The amended PPL creates obligations scoped to data about Israeli data subjects. If the organisation's data stores do not currently tag records by data subject nationality or residence, it may not be possible to determine which records are covered by the PPL in response to a subject access request or an erasure request. The data inventory must identify which data stores contain records of Israeli data subjects and tag those records at the data subject level with a jurisdiction flag — the same requirement that GDPR created for EU data subjects.

  1. Tag data subjects by jurisdiction in the data inventory — Israeli data subjects have distinct PPL obligations separate from GDPR obligations for EU data subjects
  2. Add a PPL notification pathway to the incident response workflow with a 72-hour trigger from becoming aware of a significant-risk breach
  3. Review cross-border data transfers from Israel to the US and other non-whitelist countries — Data Transfer Agreements or derogations are required
  4. Appoint a Data Protection Officer if the organisation processes large volumes of Israeli personal data or sensitive data categories
  5. Build PPL data subject rights handling into the rights management system alongside GDPR rights — the procedural requirements differ
  6. Review the sensitive data categories under the PPL against current data handling practices — financial data is sensitive under the PPL in ways GDPR does not capture
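
The notification pathway and jurisdiction tagging described above can be wired together as follows. This is an added example, not code from the article: the `Record` and `Incident` shapes, the `"IL"` flag value, the action names and the sample data are assumptions, and the significant-risk decision is supplied by the reviewers rather than computed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PPL_WINDOW = timedelta(hours=72)  # from the article: 72 hours from becoming aware

@dataclass(frozen=True)
class Record:
    subject_id: str
    store: str
    jurisdiction: Optional[str]  # inventory flag (assumed values "IL", "EU"); None = untagged

@dataclass(frozen=True)
class Incident:
    aware_at: datetime       # enough information to know a breach occurred
    affected_stores: frozenset
    significant_risk: bool   # outcome of the classification step, set by reviewers

def ppl_plan(incident, inventory, now):
    """Pick the PPL pathway for one incident; the clock runs from aware_at."""
    if incident.aware_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps")
    hit = [r for r in inventory if r.store in incident.affected_stores]
    israeli = sorted({r.subject_id for r in hit if r.jurisdiction == "IL"})
    untagged = sorted({r.subject_id for r in hit if r.jurisdiction is None})
    deadline = incident.aware_at + PPL_WINDOW
    if not incident.significant_risk or not (israeli or untagged):
        action = "not_required"  # PPL pathway only; other regimes are assessed separately
    elif israeli:
        action = "overdue" if now > deadline else "notify_ppa"
    else:
        action = "resolve_jurisdiction"  # untagged records: Israeli subjects not ruled out
    return {"action": action, "deadline": deadline, "israeli": israeli,
            "untagged": untagged, "hours_left": (deadline - now).total_seconds() / 3600}

# Constructed sample inventory and incident (not real data).
INVENTORY = [
    Record("u-100", "crm", "IL"),
    Record("u-101", "crm", "EU"),
    Record("u-102", "crm", None),
    Record("u-103", "billing", "IL"),
]
AWARE = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
INCIDENT = Incident(AWARE, frozenset({"crm"}), significant_risk=True)

if __name__ == "__main__":
    plan = ppl_plan(INCIDENT, INVENTORY, AWARE + timedelta(hours=30))
    print(plan["action"], plan["deadline"].isoformat(), plan["israeli"], plan["untagged"])
```

Untagged records in an affected store are returned separately because the 72-hour clock keeps running while their jurisdiction is resolved.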