Israel’s Privacy Protection Authority (PPA) has begun active enforcement of Amendment 13 to the Privacy Protection Law, 1981, following the expiration of initial grace periods that gave organizations time to comply with sweeping new requirements. The amendment, which took effect on August 14, 2025, represents the most significant overhaul of Israeli privacy law in over four decades, bringing the country’s data protection framework in closer alignment with the EU’s GDPR while incorporating Israel-specific provisions that reflect the country’s unique technological, security, and cultural landscape.

Executive Summary

Amendment 13 introduces fundamental changes to Israel’s data protection regime that affect virtually every organization processing personal data in or from Israel. The amendment expands the Privacy Protection Authority’s enforcement powers, creates new compliance obligations including mandatory Data Protection Officer (DPO) appointments for qualifying organizations, enhances transparency requirements, and establishes significant criminal and civil liability for violations.

The PPA’s January 2026 shift from guidance to enforcement marks a critical transition period. Organizations that viewed the grace period as optional preparation time now face investigations, fines, and potentially criminal complaints for non-compliance. Early enforcement actions in Europe—including €5,000-€40,000 fines for DPO conflicts of interest—provide clear signals of what Israeli organizations can expect as the PPA looks to EU regulatory precedents when charting its enforcement course.

Key developments include:

  • DPO requirement enforcement begins: Organizations meeting specified criteria must appoint qualified, independent DPOs or face sanctions
  • Enhanced PPA enforcement powers: Authority can now conduct investigations, demand information, and impose administrative sanctions
  • Board-level oversight obligations: Directors of certain companies must oversee data protection policy implementation
  • Expanded notification requirements: Controllers must provide detailed privacy notices and breach notifications
  • New criminal and civil liability: Violations can result in both criminal prosecution and civil lawsuits
  • Database registration changes: Modified requirements for registering databases with the PPA

Background: Why Amendment 13 Matters

Israel’s Privacy Law Evolution

1981: Original Privacy Protection Law

Israel’s Privacy Protection Law was progressive for its time, establishing:

  • Protection against unlawful collection and use of personal data
  • Database registration requirements
  • Individual rights to access and correct data
  • Criminal penalties for violations

Decades of Patchwork Updates

Over 40 years, the law was amended incrementally to address:

  • Digital communications
  • Biometric data
  • Credit information
  • Direct marketing
  • Cross-border data transfers

The Problem: By the 2020s, Israel’s privacy framework had fallen significantly behind international standards, particularly the EU’s GDPR. This created:

  • Adequacy decision risk: The EU questioned whether Israeli law provided adequate protection for personal data transfers
  • Competitive disadvantage: Israeli tech companies faced compliance barriers when operating in Europe
  • Enforcement gaps: The PPA lacked the tools and authority to effectively regulate modern data processing
  • Unclear obligations: Outdated language didn’t address cloud computing, AI, or big data analytics

Amendment 13: Modernization and GDPR Alignment

Amendment 13 represents a comprehensive overhaul designed to:

  1. Achieve EU adequacy: Strengthen Israeli law to maintain and enhance the EU adequacy decision
  2. Harmonize with GDPR: Adopt GDPR-inspired concepts while maintaining Israeli legal traditions
  3. Empower the regulator: Give the PPA enforcement tools comparable to European DPAs
  4. Address modern technology: Update obligations for contemporary data processing practices
  5. Enhance accountability: Shift from reactive to proactive compliance through DPIAs, DPOs, and board oversight

Key Provisions of Amendment 13

1. Data Protection Officer (DPO) Requirement

Who Must Appoint a DPO:

The PPA’s draft guidance clarifies that DPO appointment is mandatory for:

a) Public Bodies

  • Government ministries and agencies
  • Local authorities
  • State-owned companies
  • Any entity performing governmental functions

b) Data Brokers

  • Entities whose primary business involves collecting and selling consumer data
  • Marketing data providers
  • People-search websites
  • Credit reporting agencies (with limitations based on existing sector regulation)

c) Systematic and Ongoing Monitoring

  • Organizations engaged in large-scale, continuous surveillance or tracking of individuals
  • Examples: social media platforms, advertising networks, location-based services
  • Focus on systematic nature (not one-off monitoring) and ongoing operations

d) Large-Scale Processing of Sensitive Data

  • Healthcare providers processing patient data at scale
  • Financial institutions handling sensitive financial information
  • Organizations processing biometric data, genetic information, or location data
  • Educational institutions with extensive student data

Determining “Large-Scale”: The PPA guidance indicates consideration of:

  • Number of data subjects affected
  • Volume of data processed
  • Geographic scope of processing
  • Duration and permanence of processing activities

DPO Qualifications and Expertise

Required Qualifications:

1. In-Depth Knowledge of Privacy Law

  • Comprehensive understanding of the Israeli Privacy Protection Law and regulations
  • Familiarity with international frameworks (GDPR, CCPA, etc.)
  • Awareness of sector-specific regulations applicable to the organization
  • Understanding of relevant case law and regulatory guidance

2. Sound Understanding of Technology

  • Technical knowledge of data processing systems and architectures
  • Awareness of cybersecurity principles and practices
  • Understanding of data flows, APIs, databases, and cloud computing
  • Ability to assess technical security measures

3. Familiarity with the Organization

  • Understanding of the business model and data processing purposes
  • Knowledge of organizational structure and decision-making processes
  • Awareness of industry-specific practices and challenges
  • Ability to provide context-appropriate guidance

Professional Background: DPOs commonly come from:

  • Legal backgrounds with privacy specialization
  • Information security or IT backgrounds with legal training
  • Compliance or risk management roles
  • External privacy consulting firms

DPO Rights and Obligations

Rights (to ensure independence and effectiveness):

1. Direct Reporting to Senior Management

  • DPO must report to the highest management level
  • Cannot report through compliance, legal, or IT departments that may have conflicting interests
  • Must have direct access to the board or CEO

2. Adequate Resources

  • Sufficient budget for training, tools, and professional development
  • Access to legal counsel when needed
  • Staff support for administrative functions
  • Ability to engage external experts

3. Protection from Dismissal

  • Cannot be dismissed or penalized for performing DPO duties
  • Employment protection against retaliation
  • Safeguards when the DPO raises compliance concerns

4. Time Allocation

  • Sufficient time to perform DPO responsibilities
  • Not burdened with excessive non-DPO duties
  • Ability to prioritize privacy matters appropriately

Obligations:

1. Monitor Compliance

  • Assess the organization’s compliance with privacy law
  • Identify gaps and recommend remediation
  • Review data processing activities regularly
  • Oversee implementation of privacy policies

2. Advise on Privacy Matters

  • Provide guidance on Data Protection Impact Assessments (DPIAs)
  • Advise on privacy-by-design in new projects
  • Review contracts with processors
  • Guide responses to data subject requests

3. Serve as Contact Point

  • Liaison with the Privacy Protection Authority
  • Point of contact for data subjects exercising rights
  • Interface with external stakeholders on privacy matters

4. Foster Privacy Culture

  • Conduct privacy awareness training
  • Promote privacy-by-design principles
  • Raise awareness of privacy risks
  • Embed privacy in organizational culture

DPO Conflicts of Interest: The Critical Issue

The Fundamental Problem: A DPO cannot effectively monitor compliance if they also determine the purposes and means of processing—the very decisions they’re supposed to independently assess.

Prohibited Roles (in addition to DPO):

Senior Management Positions:

  • CEO, COO, CFO, CTO
  • Business unit heads
  • Product managers making data processing decisions
  • Marketing directors determining advertising practices

IT and Technology Leadership:

  • CIO or IT Director
  • Chief Security Officer (in some contexts)
  • Technology architects designing data systems
  • Database administrators

Legal and Compliance:

  • General Counsel (may have conflicts)
  • Compliance officers with operational authority
  • Contract negotiators determining data processing terms

Commercial Roles:

  • Sales leadership setting customer data practices
  • Business development determining partner data sharing
  • Procurement deciding vendor relationships

European DPO Conflict of Interest Enforcement

The PPA has explicitly stated it looks to EU regulators when charting enforcement approaches. Recent European fines provide clear warning signals:

Austria: DSB Fine (2024)

  • Amount: €5,000
  • Violation: Company appointed its managing director as DPO
  • Reasoning: The managing director determines the purposes and means of processing, the exact activities the DPO must independently monitor
  • Context: Diagnostic laboratory processing significant health data during the COVID-19 pandemic
  • Key Finding: A conflict of interest exists even if the individual has sufficient knowledge and time; structural independence is required

Croatia: AZOP Fines (2024)

Case 1: Procurator as DPO

  • Amount: €12,000
  • Violation: Company appointed its procurator (a person with authority to conclude contracts and undertake legal actions) as DPO
  • Reasoning: The procurator’s significant decision-making powers created an inherent conflict with the DPO monitoring role

Case 2: Director as DPO

  • Amount: €40,000
  • Violation: Business information publisher appointed a director as DPO, plus other GDPR violations
  • Reasoning: The director role compromised DPO independence; combined with other compliance failures, this resulted in a substantial fine

What These Cases Signal for Israel:

1. Independence is Structural, Not Personal

  • Even competent, well-intentioned individuals cannot overcome structural conflicts
  • The organization must separate the DPO role from operational decision-making
  • Good faith and best efforts don’t cure conflicts of interest

2. Health and Sensitive Data Increase Scrutiny

  • Organizations processing sensitive data face heightened enforcement attention
  • DPO independence is especially critical when the stakes are highest
  • Healthcare, financial services, and biometric data processors should be particularly cautious

3. Fines Will Be Significant

  • €5,000-€40,000 fines in the European context
  • Israeli fines likely to be comparable (adjusted for local economic conditions)
  • Reputational damage from public enforcement actions
  • Potential criminal exposure for willful violations

4. Multiple Violations Compound Penalties

  • DPO conflicts are often identified alongside other compliance failures
  • Regulators view an inadequate DPO as an indicator of broader compliance dysfunction
  • An initial DPO violation can trigger comprehensive compliance audits

Board of Directors Oversight Obligations

New Requirement: Boards of directors of companies meeting certain criteria must oversee implementation of data protection policies.

Affected Organizations:

  • Public companies
  • Large private companies (thresholds in PPA guidance)
  • Organizations processing significant sensitive data
  • Data brokers and entities with data-centric business models

Board Responsibilities:

1. Policy Approval

  • Review and approve comprehensive data protection policies
  • Ensure policies address all legal requirements
  • Periodically review and update policies

2. Resource Allocation

  • Allocate sufficient budget for compliance programs
  • Approve hiring of the DPO and privacy team
  • Invest in necessary technical infrastructure

3. Risk Oversight

  • Receive regular reports on privacy risks
  • Review results of data protection impact assessments
  • Oversee incident response and breach management
  • Monitor regulatory developments and compliance status

4. Accountability

  • Hold management accountable for privacy compliance
  • Include privacy metrics in executive performance evaluations
  • Ensure privacy is part of enterprise risk management

Practical Implications:

  • Privacy is now a board-level governance issue, not just an IT or legal matter
  • Directors can face personal liability for gross negligence in oversight
  • Board minutes should document privacy discussions and decisions
  • Independent directors should include privacy expertise

Expanded PPA Enforcement Powers

New Authorities:

1. Investigation Powers

  • Authority to investigate suspected violations
  • Power to enter premises (with appropriate authorization)
  • Ability to examine documents and electronic systems
  • Right to interview personnel

2. Information Demands

  • Can require organizations to produce documents
  • May demand technical information about processing activities
  • Authority to request access to systems and databases
  • Power to examine contracts with processors and third parties

3. Administrative Sanctions

  • Monetary penalties for violations
  • Orders to cease unlawful processing
  • Mandates to implement specific security measures
  • Public disclosure of enforcement actions

4. Urgent Measures

  • Authority to act immediately in cases of serious harm
  • Power to order temporary cessation of processing
  • Ability to impose interim measures pending investigation

Comparison to Pre-Amendment Powers: Before Amendment 13, the PPA primarily:

  • Investigated complaints reactively
  • Provided guidance and recommendations
  • Referred serious matters to the police for criminal investigation
  • Had limited ability to impose direct sanctions

Amendment 13 transforms the PPA from an advisory body into a true regulator with teeth comparable to European Data Protection Authorities.

Enhanced Notification Obligations

Privacy Notices Must Include:

1. Controller Identity and Contact Information

  • Name and contact details of the data controller
  • DPO contact information (if a DPO is appointed)
  • Representatives in other jurisdictions (if applicable)

2. Processing Purposes

  • Specific, explicit purposes for data collection
  • Legal basis for each processing purpose
  • Legitimate interests pursued (if applicable)

3. Data Categories

  • Types of personal data collected
  • Sources of data (direct collection vs. third-party)
  • Special category data explicitly identified

4. Recipients and Transfers

  • Categories of recipients (processors, partners, etc.)
  • International data transfers and safeguards
  • Data sharing arrangements

5. Retention Periods

  • How long data will be retained
  • Criteria for determining retention periods
  • Deletion and anonymization practices

6. Data Subject Rights

  • Rights to access, correction, and deletion
  • Right to object to processing
  • Right to lodge a complaint with the PPA
  • How to exercise rights

7. Automated Decision-Making

  • Whether automated decisions are made
  • Logic and significance of such decisions
  • Consequences for data subjects

8. Security Measures

  • General description of security practices (without revealing vulnerabilities)
  • Measures to protect sensitive data
  • Encryption and access controls

Data Breach Notification

When Notification is Required: Organizations must notify the PPA and affected individuals when a breach:

  • Poses significant risk to individuals’ rights and freedoms
  • Involves sensitive data (health, financial, biometric, etc.)
  • Affects large numbers of individuals
  • Results in unauthorized access to secure systems

Notification Timeline:

  • To PPA: Without undue delay, typically within 72 hours of discovery
  • To individuals: Without undue delay when there is a high risk to rights and freedoms
  • Documentation: Must document all breaches, even those not requiring notification

Required Information:

  • Nature of the breach (unauthorized access, loss, alteration)
  • Categories and approximate number of affected individuals
  • Likely consequences of the breach
  • Measures taken to address the breach and mitigate harm
  • DPO contact information
  • Recommendations for affected individuals

Database Registration Changes

Modified Requirements: Amendment 13 revises database registration obligations to:

  • Focus registration on high-risk databases
  • Streamline the registration process
  • Update categories requiring registration
  • Align with modern data processing practices

Key Changes:

  • Certain low-risk databases may be exempt
  • Simplified registration for standard business databases
  • Enhanced requirements for sensitive data databases
  • Updated categories reflecting contemporary technology

Criminal and Civil Liability

Criminal Offenses:

Serious Violations:

  • Unauthorized disclosure of personal data
  • Processing sensitive data without a legal basis
  • Systematic violations despite regulatory orders
  • Intentional obstruction of PPA investigations

Penalties:

  • Imprisonment for serious willful violations
  • Criminal fines
  • Personal liability for responsible individuals (directors, officers)

Civil Liability:

Private Rights of Action: Individuals harmed by privacy violations can sue for:

  • Actual damages (financial loss, harm to reputation)
  • Emotional distress
  • Statutory damages for certain violations
  • Injunctive relief to stop unlawful processing

Class Actions: Israeli law permits class action lawsuits for:

  • Large-scale data breaches
  • Systematic violations affecting many individuals
  • Deceptive privacy practices
  • Failures to provide required notices

Enforcement Timeline and Grace Periods

August 14, 2025: Amendment Takes Effect

Most Amendment 13 provisions became effective immediately on August 14, 2025.

Initial Grace Period (August 2025 - December 2025)

The PPA announced initial enforcement grace periods for:

  • DPO appointments
  • Board oversight implementation
  • Enhanced privacy notice deployment
  • Database registration updates

PPA Approach During Grace Period:

  • Published comprehensive guidance documents
  • Conducted workshops and webinars
  • Provided technical assistance to organizations
  • Answered specific compliance questions
  • Focused on education rather than enforcement

Grace Period Expiration (Late 2025/Early 2026)

The PPA announced that enforcement grace periods for most provisions expired by late 2025 or early January 2026.

Active Enforcement Phase (January 2026 Onward)

What Organizations Are Experiencing:

1. Compliance Assessments

  • PPA sending questionnaires to organizations
  • Requests for documentation of DPO appointments
  • Inquiries about data protection governance structures
  • Reviews of privacy notices and policies

2. Complaint Investigations

  • Increased investigation of individual complaints
  • Follow-up on reported violations
  • Faster turnaround on complaint responses

3. Sector-Specific Initiatives

  • Targeted reviews of specific industries (healthcare, finance, tech)
  • Examination of common compliance gaps
  • Industry guidance based on findings

4. Publicity of Enforcement

  • Public disclosure of enforcement actions (anonymized or named)
  • Educational case studies from investigations
  • Warning letters to non-compliant organizations

DPO Services Market in Israel

Growing Demand

The DPO requirement has created significant demand for qualified privacy professionals:

In-House DPOs:

  • Large organizations hiring full-time DPOs
  • Mid-sized companies hiring privacy managers whose roles evolve into DPO roles
  • Recruitment challenges due to the limited pool of qualified candidates

External DPO Services:

  • Law firms offering DPO services (with careful attention to conflicts)
  • Privacy consulting firms providing outsourced DPO roles
  • Fractional DPO services for smaller organizations
  • DPO-as-a-Service platforms

Qualification Pathways:

  • Legal professionals obtaining privacy certifications (CIPP/E, CIPM)
  • IT security professionals transitioning to privacy roles
  • Compliance officers expanding into DPO responsibilities
  • International privacy experts entering the Israeli market

DPO Service Providers

Law Firms: Several Israeli law firms now offer DPO services, including:

  • Technology law specialists
  • Data protection boutiques
  • Full-service firms with privacy practices

Considerations for External DPO:

  • Cost-effective for organizations not needing a full-time DPO
  • Access to specialized expertise and broader experience
  • Potential conflicts if the law firm provides other legal services
  • Less integration with day-to-day operations
  • May require an internal privacy coordinator to interface with the external DPO

In-House vs. External Decision Factors:

  • Organization size and complexity
  • Volume of data processing activities
  • Budget constraints
  • Need for daily privacy guidance vs. periodic reviews
  • Regulatory risk profile

International Context: Israel’s Unique Position

EU Adequacy Decision

What It Means: The European Commission’s adequacy decision for Israel allows free flow of personal data from the EU to Israel without additional safeguards. This is critical for:

  • Israeli tech companies serving European customers
  • Multinational corporations with Israeli operations
  • Research collaborations between EU and Israeli institutions
  • Cloud services and data processing services

Amendment 13’s Role: Maintaining and strengthening the adequacy decision was a primary driver for Amendment 13. The EU Commission periodically reviews adequacy decisions and could revoke or suspend if Israeli law falls below EU standards.

US and Global Context

Israel as Privacy Bridge: Israel occupies a unique position in the global privacy landscape:

  • EU adequacy allows data flow from Europe
  • Close US-Israel tech relationships facilitate transatlantic data flows
  • Growing importance in the global tech ecosystem (cybersecurity, AI, biotech)
  • Model for other countries seeking to balance privacy protection with innovation

Implications for Multinational Organizations:

  • Israeli operations can serve as an EU data hub
  • Compliance with Israeli law often satisfies EU requirements
  • Understanding Israeli privacy law is increasingly important for global compliance
  • An Israeli DPO can sometimes serve the broader Middle East/Mediterranean region

Compliance Priorities for 2026

Immediate Actions (Q1 2026)

1. DPO Assessment and Appointment

Step 1: Determine if DPO is Required

  • Review PPA guidance criteria
  • Assess the organization against thresholds
  • Document the determination

Step 2: If Required, Identify Suitable DPO

  • Assess internal candidates’ qualifications
  • Evaluate potential conflicts of interest
  • Consider external DPO services if an internal appointment is not feasible
  • Document the selection rationale

Step 3: Formalize Appointment

  • Issue a formal appointment letter defining role, responsibilities, and resources
  • Notify the PPA of the DPO appointment
  • Publish DPO contact information in privacy notices
  • Allocate budget and resources

Step 4: Enable DPO Effectiveness

  • Provide access to training and professional development
  • Grant access to relevant systems and information
  • Establish a reporting line to senior management/board
  • Define the relationship with legal, IT, and compliance functions

2. Privacy Notice Updates

Review and Revise:

  • Ensure all required elements are present
  • Use clear, plain language accessible to the average person
  • Make easily accessible (website, apps, point of collection)
  • Provide in Hebrew (primary) and English (if serving English speakers)
  • Update regularly as processing practices change

Special Attention to:

  • DPO contact information (if applicable)
  • Legal basis for each processing purpose
  • International data transfers
  • Retention periods
  • Data subject rights and exercise procedures

3. Board-Level Governance

For Organizations with Board Obligations:

  • Present a privacy overview to the board
  • Seek board approval of data protection policies
  • Establish regular board reporting on privacy matters
  • Include privacy in board meeting agendas
  • Consider privacy expertise in board composition

Documentation:

  • Board minutes reflecting privacy discussions
  • Board resolutions approving policies
  • Regular privacy risk reports to the board
  • Board training on privacy obligations

4. Breach Readiness

Establish Incident Response Plan:

  • Procedures for detecting and assessing breaches
  • Decision tree for when to notify the PPA and individuals
  • Templates for notification communications
  • Designated incident response team
  • Contact information for PPA breach notification

Conduct Tabletop Exercise:

  • Simulate realistic breach scenarios
  • Test notification procedures
  • Identify gaps in response capabilities
  • Train personnel on their roles

5. Compliance Documentation

Create/Update:

  • Data inventory and mapping
  • Records of processing activities (ROPA)
  • Data Protection Impact Assessments for high-risk processing
  • Processor contracts and Data Processing Agreements
  • Consent records and legal basis documentation
  • Data subject rights request logs
  • Breach incident logs (even if no notification is required)

Medium-Term Initiatives (Q2-Q4 2026)

1. Privacy-by-Design Integration

  • Incorporate privacy reviews in project planning
  • Conduct DPIAs for new processing activities
  • Build privacy into the product development lifecycle
  • Train developers and product managers on privacy-by-design

2. Vendor and Processor Management

  • Inventory all processors with access to personal data
  • Ensure Data Processing Agreements are in place and compliant
  • Assess processor security and compliance
  • Establish processor oversight procedures
  • Address any inadequate processor relationships

3. Employee Training

  • General privacy awareness for all employees
  • Role-specific training (developers, marketers, HR, customer service)
  • Periodic refresher training
  • Training documentation for compliance records

4. Data Minimization and Retention

  • Review data collection practices for necessity
  • Implement or enforce retention schedules
  • Automate deletion where feasible
  • Anonymization or pseudonymization of older data

5. Security Enhancements

  • Access controls based on least privilege
  • Encryption of sensitive data at rest and in transit
  • Regular security assessments and penetration testing
  • Logging and monitoring of access to personal data
  • Incident detection and response capabilities

Enforcement Expectations

What to Expect from PPA

2026 Enforcement Priorities:

1. DPO Compliance

  • Verification that required organizations have appointed DPOs
  • Assessment of DPO qualifications and independence
  • Investigation of DPO conflicts of interest
  • Review of DPO effectiveness (resources, reporting, role)

2. High-Risk Processing

  • Healthcare and medical data processing
  • Financial services and payment data
  • Biometric and location data
  • Large-scale surveillance or tracking
  • AI and automated decision-making

3. Data Breaches

  • Timely and complete breach notifications
  • Adequacy of security measures
  • Breach response and remediation
  • Repeat breaches indicating systemic failures

4. Transparency

  • Adequacy of privacy notices
  • Accessibility and clarity of information
  • Compliance with disclosure requirements
  • Deceptive or misleading privacy practices

5. Data Subject Rights

  • Responsiveness to access requests
  • Completeness of provided data
  • Timeliness of responses
  • Unjustified refusals or obstacles

Penalties and Sanctions

Administrative Fines: The PPA can impose monetary penalties for violations. While specific amounts are at PPA discretion based on violation severity, expect:

  • Warnings and compliance orders for first-time, minor violations
  • Fines for moderate violations (likely thousands to tens of thousands of NIS)
  • Substantial fines for serious or repeated violations (potentially hundreds of thousands of NIS)
  • Enhanced penalties for violations involving sensitive data or large numbers of individuals

Criminal Prosecution: For serious willful violations:

  • Referral to the police for criminal investigation
  • Prosecution under the criminal provisions of the Privacy Protection Law
  • Potential imprisonment for responsible individuals
  • Criminal fines in addition to administrative penalties

Civil Liability:

  • Class action lawsuits for large-scale violations
  • Individual lawsuits for privacy harms
  • Damages for financial losses, emotional distress, and reputational harm
  • Injunctive relief to stop ongoing violations

Reputational Consequences:

  • Public disclosure of enforcement actions
  • Media coverage of significant violations
  • Loss of customer trust
  • Business relationship implications
  • Competitive disadvantage

Practical Guidance

Finding a Qualified DPO

Internal Candidates:

  • Legal department privacy specialists
  • Compliance officers with privacy training
  • Information security managers with legal knowledge
  • Former regulators or privacy consultants

External Services:

  • Law firms with technology/privacy practices (Arnon, Herzog, others)
  • Privacy consulting boutiques
  • International firms with Israeli offices
  • Fractional/shared DPO services

Key Selection Criteria:

  • Demonstrated privacy law knowledge (certifications helpful: CIPP/E, CIPM, Israeli privacy certifications)
  • Technical understanding sufficient for the organization’s operations
  • Organizational knowledge or the ability to rapidly learn the business
  • Independence from decision-making roles
  • Communication skills for training and stakeholder engagement

Addressing DPO Conflicts

If Current Structure Creates Conflicts:

Option 1: Restructure Roles

  • Separate the DPO from operational decision-making
  • Transfer conflicting duties to another individual
  • Redefine reporting lines to ensure independence

Option 2: External DPO

  • Engage an external firm or consultant as DPO
  • Maintain an internal privacy coordinator for day-to-day matters
  • Ensure the external DPO has adequate access and authority

Option 3: Dedicated DPO Hire

  • Recruit an individual solely for the DPO role
  • Structure the position to avoid operational conflicts
  • Report directly to the board or CEO

Budget Considerations

Typical Costs:

In-House Full-Time DPO:

  • Senior privacy professional salary: ₪25,000-50,000+/month depending on experience and organization size
  • Benefits and overhead
  • Training and professional development: ₪10,000-30,000/year
  • Tools and subscriptions: ₪5,000-20,000/year

External DPO Services:

  • Retainer-based: ₪10,000-30,000/month depending on organization complexity
  • Hourly: ₪500-1,500/hour for privacy consultants/attorneys
  • Fractional: ₪5,000-15,000/month for shared DPO services

Supporting Compliance Program:

  • Privacy management software: ₪5,000-50,000/year
  • Legal counsel for complex matters: ₪500-1,500/hour
  • Training programs: ₪2,000-10,000/year
  • Assessments and audits: ₪20,000-100,000+ for a comprehensive DPIA

Return on Investment: While compliance costs are significant, consider:

  • Avoided fines from non-compliance
  • Reduced breach risk and associated costs
  • Enhanced customer trust and competitive advantage
  • Maintaining EU adequacy and international business relationships
  • Earlier detection and correction of compliance gaps

Conclusion: The New Era of Israeli Privacy

Amendment 13 marks a watershed moment in Israeli data protection. The shift from guidance to enforcement in January 2026 signals that the Privacy Protection Authority is serious about compliance expectations and willing to use its expanded enforcement powers.

For Israeli organizations, Amendment 13 represents:

  • Operational Change: Privacy is now a board-level governance issue requiring senior leadership attention and resource allocation
  • Professional Development: The DPO requirement creates careers and elevates privacy as a professional discipline
  • International Alignment: Closer harmonization with EU standards facilitates cross-border data flows and international business
  • Cultural Shift: From reactive, complaint-based privacy to proactive privacy-by-design and accountability

Early warning signs from Europe—€5,000-€40,000 fines for DPO conflicts of interest—demonstrate that regulators mean business when it comes to structural independence and genuine compliance. The PPA has explicitly stated it looks to EU enforcement precedents, making European DPO enforcement actions a reliable preview of Israeli enforcement priorities.

Organizations that invested in Amendment 13 compliance during the grace period are now positioned for success. Those that waited or hoped for leniency face immediate enforcement risk, potential fines, and the challenge of playing catch-up while under regulatory scrutiny.

The message is clear: Israeli privacy law has entered a new era. The question is whether your organization is ready.

About This Analysis

This report is published by Compliance Hub and CISO Marketplace, providing privacy and data protection professionals with analysis of global regulatory developments and practical compliance guidance.

Sources:

  • Israeli Privacy Protection Authority (PPA)
  • Amendment 13 to the Privacy Protection Law, 1981
  • PPA Draft Guidance on DPO Requirements
  • European Data Protection Authority enforcement actions
  • Arnon, Tadmor-Levy (Israeli privacy law firm)
  • Austrian DSB and Croatian AZOP enforcement decisions