News

When the director panics because your database has been hacked

In October 2021, a number of Israeli databases were hacked, the most notorious of which was the database of the gay dating application Atraf (the Israeli counterpart of Grindr, which took its place when Atraf collapsed). In an instant, highly sensitive personal information was exposed (including intimate details, nude photos, and more), and many users (including some who had not yet come out) went into a panic (an "atraf", literally), fearing that their identity or details would be exposed. The affair ultimately led to an investigation by the Privacy Protection Authority on suspicion of negligent information security; how that investigation ended is not known.

Two and a half years later, in early 2024, the Atraf application came back to life, and almost simultaneously Amendment 13 to the Privacy Protection Law was passed, with its provisions entering into force in August 2025. The amendment updates and clarifies the legislation in the field, establishes new arrangements, and provides effective enforcement tools suited to the challenges of the digital age, with the intention of strengthening the fundamental right to privacy and the fight against cyber threats. It imposes responsibility on companies for privacy protection, increases supervision over the possession of and trade in databases, and imposes high financial sanctions in the event of a violation; it also creates personal liability for directors and officers. In a company that is not careful about protecting the privacy of its customers, directors and officers may therefore be personally liable both civilly and criminally.

The amendment also corrects a historical distortion in the law, which in practice required almost every small business to register its database (a requirement that was practically unenforceable). After the amendment, there is no longer a need to register small databases managed by businesses, with the exception of databases managed with the intention of trading in information. The amendment also updates and clarifies what is considered "particularly sensitive information," for which there is a detailed notification obligation to the Authority regardless of the size of the database, in line with international standards, including the European Union's General Data Protection Regulation (GDPR).

Although the law currently does not explicitly identify the body that is supposed to oversee the implementation of the requirements, a position paper by the Privacy Protection Authority from January 2024 sets out detailed duties that fall on the company's board of directors. It requires board members not only to be involved in supervision and control of information protection but also to adopt an information security procedure, conduct risk surveys and ensure that the information is protected. This position of the Authority effectively creates a standard of care for directors and exposes them to personal liability, in a manner similar to the standard set in 1996 by the Delaware Court of Chancery in the Caremark case, where shareholders of Caremark filed a derivative suit against the directors on the grounds that they had not established adequate internal control systems. In that case, the court determined that a company's board of directors is obligated to ensure the implementation of control and monitoring systems regarding regulatory compliance and to monitor them, and that a breach of this duty will establish liability.

In light of the above, it is extremely important for any company that maintains a database to implement a well-organized information security procedure and an internal enforcement plan that will not only ensure the protection of the information but also protect directors and officers in the event of a risk to the information. It is very important that such a procedure and the internal enforcement plan be developed in collaboration with legal advisors with in-depth knowledge of the field, who will also be involved in implementing and enforcing the plan.

Doron Afik

Managing Partner at AFIK & Co. Attorneys & Notary

Jurisdiction: Tel Aviv

Phone: +972-3-6093609

Email: doron@afiklaw.com