On Anniversary of GDPR Enactment, Israel’s Privacy Laws Still Far Behind

Not a day goes by without a cybersecurity breach of some sort, with thousands, if not millions, of personal data records getting leaked. Two years ago, the E.U. lead the way with its General Data Protection Regulation (GDPR), ensuring that companies that collect data about EU citizens are protecting the data adequately and that EU citizens have “digital rights” over this data, meaning that they can know what data is kept about them and access it, consent to what data is used for, and can tell a company to delete all data about them. In Israel, this remains far from the case.

Israel has struggled to keep its privacy policies updated, despite its global position as a small yet worthy tech hub and a leading developer of data processing technologies. The country's privacy laws are embarrassingly outdated, as Israel's privacy protection law has had very few amendments since 1981. This situation is making it hard for the state to protect citizens against invasions of privacy, which could explain why Israelis get so heavily spammed with marketing text messages and emails.

“The enactment of the GDPR which came into effect two years ago was followed by a worldwide trend towards enacting new data protection laws and strengthening and revising existing data protection laws. However, as each national legislation focuses on other matters and introduces different aspects of the privacy rights, compliance with the divergent global data privacy and security regulations can be challenging,” Ella Tevet, head of the intellectual property and privacy practice at Israel-based GKH Law Offices said in a Monday interview with CTech.

“The Israeli privacy law which came into effect 40 years ago is not adjusted to the challenges that we are facing these days. The coronavirus (Covid-19) crisis also exacerbated the challenges of protecting personal information in the technological age. Amid the epidemic, there is a clear need for data subjects to know that personal information collected about them is protected. They would likely be surprised to find that privacy laws in their countries, including the Privacy Law in Israel, are in many cases outdated and do not address the challenges of the century 21,” she said.

“Thus, while location and traffic monitoring apps may have been an effective and important tool in dealing with the epidemic, the coronavirus crisis has proven that these goals will not be achieved in democratic societies unless state citizens trust enforcement agencies and believe their privacy is preserved, which will only be ensured through clear, comprehensive and satisfactory regulations. Now that Israel is finally forming a government after more than a year of deadlock, we hope that Israel will act to amend the privacy law in order to adjust its laws to the global standards with respect to privacy matters,” Tevet said.

“I don’t expect such a comprehensive plan to happen overnight, but given that Israel’s government could last up to four years, surely in that amount of time they could finally enact some comprehensive data privacy laws,” she added.

“Legislation must be written to be technology-neutral, the simple reality is the two evolve at very differing paces. I learned the need for this many years ago supporting the Budapest convention, which is the basis for many countries’ cybercrime laws; these were written around impact rather than technology. However, even principle-based GDPR could not predict how fast technology is changing both what and how we digitally exchange data,” Greg Day, vice president and chief security officer EMEA at NYSE-listed cybersecurity company Palo Alto Networks Inc. said in a statement.

“Like much else, GDPR compliance is under strain right now. There’s no doubt there will be a GDPR debt coming out of the Covid-19 crisis. The immediate switch that many organizations have had to make to new methods of online collaboration, with nearly everyone forced to work from home, has meant security and privacy have needed to quickly adapt and catch up to very significant change,” he said.

“What’s still striking to me is how few organizations really know where their data sits in the cloud, who has access to it, and remain confused about their security responsibilities. For many Covid-19 has accelerated this process, challenging security teams' readiness because of a shift in focus and a more distributed workforce. All regulations, GDPR included, must be applied to this and to newer technology waves, like the approaching interconnectivity impact of 5G networking and ubiquitous device proliferation,” he added.

“We are only starting to understand the new normal for work, but regardless of the current difficult situation we should take time to reflect on how organizations must keep evolving their GDPR compliance on the road of continuous privacy and security improvement to protect our online societies and economies,” Day said.