Amendment 13 to Israel's Privacy Protection Law: A Manager's Guide to Avoiding Heavy Fines in 2026

Adv. Samuel Even


The bottom line: Israel’s Privacy Protection Authority has announced that its 2026 enforcement plan includes dozens of open cases. Many companies are expected to be fined in the coming months. The maximum penalty: up to 5% of annual revenue.

If you run a business in Israel and haven’t prepared yet — time is running out.


What Changed? (The Short Version)

On August 14, 2025, Amendment 13 came into effect — the most significant reform in Israeli privacy law since 1981. The amendment aligns Israel with the European GDPR and grants the Privacy Protection Authority dramatic enforcement powers.

Three critical changes every manager must know:

1. Heavy Financial Penalties

The Authority can impose administrative fines of hundreds of thousands and up to millions of shekels — without going through a court. The maximum fine is capped at 5% of the business’s annual revenue.

2. Mandatory Appointment of a Data Protection Officer (DPO)

Public bodies, organizations engaged in data trading, organizations conducting systematic monitoring at significant scale, and organizations processing sensitive data — all must appoint a DPO. The officer can be an external party, such as a lawyer.

3. Criminal Liability

Serious violations can lead to criminal offenses carrying prison sentences of up to 5 years. This is no longer just a civil matter.


What’s Your Real Exposure?

Let’s talk numbers:

A small business with a database of 200,000 customers that processed data unlawfully — a possible fine of NIS 800,000 (~$220,000).

Failure to report a cyber incident in a high-security database — a fine of up to NIS 320,000 (~$88,000).

Damages without proof of harm — courts can award up to NIS 10,000 per violation, even without proving actual damage. The implication: an open door to class-action lawsuits.

The statute of limitations was extended from 2 years to 7 years. What happened in 2020 can still come back to haunt you.


What To Do Now: 6 Practical Steps

Step 1: Conduct a Compliance Audit

Map all data processing activities in your organization. Identify the gaps between your current state and the law’s requirements.

Step 2: Check If You Need a DPO

If you’re a public body, engage in data trading, conduct systematic large-scale monitoring, or process sensitive data at significant scale — you must appoint one. The DPO must report directly to the CEO.

Step 3: Update Your Privacy Policy

Your privacy notice must now include: the purpose of data collection, the identity and contact details of the data controller, data subjects’ rights (access, correction, deletion), and the name of the DPO.

Step 4: Classify Your Databases

Determine the security level (basic, medium, high) for each database. Even at the basic level, there’s an obligation to report serious security incidents.

Step 5: Update Vendor Agreements

Every agreement with a third party that processes data on your behalf needs to reflect the new requirements — data processing agreements, data transfer agreements, and service contracts.

Step 6: Train Your Employees

Raise awareness across the organization. Most violations stem from lack of knowledge, not malicious intent.


An Opportunity, Not Just a Threat

Amendment 13 isn’t only a regulatory burden. Organizations that prepare properly will benefit from:

International business advantage — alignment with GDPR standards opens doors to partnerships with European companies that demand privacy compliance.

Stronger customer trust — transparency in data management builds trust and strengthens your reputation.

Reduced litigation risk — proactive preparation significantly minimizes the risk of civil lawsuits and administrative penalties.


How Our Firm Can Help

Samuel Even & Co. Advocates assists businesses and organizations in preparing for Amendment 13, including:

  • Comprehensive compliance audits — mapping databases, identifying gaps, and creating remediation plans
  • DPO advisory services — including external DPO services
  • Updating agreements and privacy policies — adaptation to the new legal requirements
  • Representation before the Privacy Protection Authority — in enforcement proceedings and administrative inquiries

Don’t wait for the first fine. Contact us today for an initial consultation.

03-6348020 | [email protected]