I. Legal Framework
Constitutional privacy framework
Israel's Constitution operates as a body of "basic laws" that are interpreted by the courts.1 In terms of a constitutional right to privacy, Section 7 of the Basic Law on Human Dignity and Freedom (1992) states that: "(a) All persons have the right to privacy and to intimacy. (b) There shall be no entry into the private premises of a person who has not consented thereto. (c) No search shall be conducted on the private premises or body of a person, nor in the body or belongings of a person. (d) There shall be no violation of the confidentiality of the spoken utterances, writings or records of a person."2 According to Supreme Court Justice Mishael Cheshin, this law elevated the right of privacy to the level of a basic right.3
Data protection framework
The Protection of Privacy Law regulates the processing of personal information in computer data banks in an effort to protect privacy.4 The law sets out 11 categories of prohibited activities and provides for civil and criminal penalties for violating individual privacy.5 All holders of data banks containing more than 10,000 names or various confidential information must register with the Registrar of Databases and report their purpose, use, means of data collection, and data security measures implemented.6 The law limits the use of information in these databases to the purposes for which they were intended, and database holders must provide access to database subjects. Under the Privacy Law, individuals have a right to access their personal information held in both government and private sector databanks. The owner of the database must provide for such inspection in Hebrew, Arabic, or English.7 The European Commission considers that Israel's data protection laws are likely to offer an adequate level of protection for personal data transferred to Israel from countries in the European Union.8
In June 2007, the Privacy Law was amended to include the following provision: "A person's consent for invasion of privacy must be 'conscious.' An injured plaintiff may be awarded statutory damages of up to NIS 50,000 (8,550 EUR). If the invasion to privacy is found to be the result of a willful act, then the sum of statutory damages may be doubled."9
Evidence acquired through infringement of privacy is inadmissible under the Privacy Law, although courts have the discretion to make exceptions. The Privacy Law contains broad exemptions for police and security services as well as a wide range of defenses.10 For example, actions in good faith or in furtherance of the public interest are statutory defenses. The law also sets up basic privacy regulations relating to surveillance, publication of confidential information, criminal records, and the legal obligations of the government with respect to confidential information.
The Credit Data Service Law of 2002 created a shared center for storing consumers' credit information among different competing creditors and broke up the dominance of the two banks that controlled most credit information.11 The law gives consumers access to their information, the opportunity to correct information collected (including "positive" records, such as evidence of good credit), and features a procedure for opting out of collection. Some politicians have argued, however, that it unduly invades privacy by automatically sharing credit information and penalizing those who opt out of the database.12
Unauthorized access to computers is punishable under the Computer Law of 1995.13 Many routine activities prohibited by this law, such as accessing a computer or erasing information, are illegal only when performed without proper authorization.14 In June 2002, an Israeli teenager was sentenced under this law to 18 months in jail for masterminding a series of high-profile hacks into the computer systems at the Massachusetts Institute of Technology, the National Aeronautics and Space Administration, the Federal Bureau of Investigation, the United States Air Force and the United States Department of Defense.15 An appeals court overruled the teenager's original sentence of six months of community service after the Israeli government, under pressure from the United States, pushed for a stricter sentence.16
The Postal and Telegraph Censor, which operates as a civil department within the Ministry of Defense, has the power to open any postal letter or package to prevent harm to state security or public order.17
The 1996 Patient Rights Law imposes a duty of confidentiality on all medical personnel.18 The Genetic Information Law of 2000 protects the rights of individuals with respect to their DNA samples and their genetic information. The Genetic Information Law and existing ethical guidelines cover most issues of informed consent, confidentiality, and rules of access for both identified and non-identified DNA samples or genetic information in the individual or family-based, small-scale collections.19 Criminal records are governed by the Criminal Register and Rehabilitation Law, which allows more than 30 government agencies to access the records.20
The obligation to maintain bank secrecy stems from Israel's adoption of English bank laws in 1922, by Section 46 of the British Order-in-Council.21 The obligation of bank secrecy is limited to consumers and not to companies.22 The obligation includes information regarding clients' accounts, transactions effected through the account and the collateral toward the account.23
On September 28, 1995, the Israeli-Palestinian Interim Agreement on the West Bank and the Gaza Strip was signed by the Israeli Government and the Palestine Liberation Organization (PLO). Annex III of the Agreement, the Protocol Concerning Civil Affairs, contains Article 33, which provides that Israeli and Palestinian social welfare systems will cooperate to protect confidentiality and individual privacy in the exchange of personal information.24
In January 2006, the Israeli Government established the Legal Authority for Information Technologies and Privacy Protection under the Ministry of Justice.25 The Authority merges three Registrars operating within the Ministry of Justice, one of which is the Registrar of Databases. The Authority's objectives include enforcing privacy protection, coordinating government activities in its fields of operation (IT, privacy and computer crimes) and promoting legislation regarding these issues. While still in its infancy, operating under a tight budget and having only a handful of employees, the Authority has been quite active. For example, the Authority has investigated the exposure of e-mail addresses by EL-AL, Israel's national airline, toughened procedures for registering databases, and placed strict restrictions on the transfer and use of personal information held by pension funds following recent mergers and acquisitions in Israel's financial sector.26
- 1. http://www.mfa.gov.il/MFA/Facts%20About%20Israel/State/THE%20STATE-%20Th...
- 2. http://www.mfa.gov.il/mfa/go.asp?MFAH00hi0
- 3. Alon Kaplan & Paul Ogden eds., Israeli Business Law: An Essential Guide (Boston: Kluwer Law International) 1997, at 30.01.
- 4. The Protection of Privacy Law 5741-1981 (hereinafter Privacy Law), 1011 Laws of the State of Israel 128, amended by the Protection of Privacy Law (Amendment) 5745-1985.
- 5. Privacy Law, supra at Chapter 1, Section 5. It should be noted that, until recently, Section 2 of the Privacy Law was usually interpreted by Israeli courts (in view of Section 3 of the Privacy Law) as applying only to individuals (and not to corporations). However, in February 2002, Tel Aviv District Court Judge Yehuda Zaft ruled that Section 2(5) of the Privacy Law may be used to protect the privacy of corporations as well. This issue has not yet been reviewed by the Supreme Court. See Civil Case (Tel Aviv) 2324/01 Multilock Ltd. v. Rav Bariach Hashkaot Ltd. and Others.
- 6. http://www.ifla.org/IV/ifla66/papers/018-160e.htm
- 7. Privacy Law, supra at Chapter 2, Section 13.
- 8. "Global Data Protection and Security Issues in the Cards Arena," Cards International, September 26, 2001.
- 9. http://www.law.co.il/privacy/privacy_amendment_9.pdf
- 10. Privacy Law, supra at Chapter 3, Section 18-19.
- 11. Credit Data Service Law, 5762-2002.
- 12. "MKs to Duke it out in Credit Data Service Law Battle," Israel Business Arena, July 5, 2001.
- 13. The Computer Law (5755-1995), 1534 Laws of the State of Israel 366, see Miguel Deutch, Computer Legislation: Israel's New Codified Approach, 14 J. Marshall J. Computer & Info. L. 461 (Spring 1996).
- 14. Id.
- 15. Boaz Guttman, "The Analyzer: Following the State's Appeal," May 6, 2002.
- 16. Bob Sullivan, "Analyzer Gets 18-Month Jail Term," MSNBC, June 6, 2002.
- 17. Regulation 89 of the Mandatory Defence (Emergency) Regulations, 1945.
- 18. Patient Rights Law, 5756-1996.
- 19. "Population Based Large-Scale Collections of DNA Samples and Databases of Genetic Information," in Report of the Bioethics Advisory Committee of the Israel Academy of Sciences and Humanities, December 2002, at 2.
- 20. Criminal Register and Rehabilitation Law, 5741-1981.
- 21. Nahum Bitterman, "The Extent of the Obligation of Secrecy," Israeli Business Law: An Essential Guide (Kluwer Law International 1996).
- 22. Id.
- 23. Id.
- 24. http://www.mfa.gov.il/MFA/Peace+Process/Guide+to+the+Peace+Process/THE+I...
- 25. http://www.mfa.gov.il/MFA/Government/Communiques/2006/Cabinet+Communique...
- 26. E-mail from Haim Ravia, Chair of the Internet, IT & Copyright Group, Pearl Cohen Zedek Latzer, Israel, to Allison Knight, Research Director, Electronic Privacy Information Center, July 19, 2007 (on file with EPIC).