In Effect Law Data Protection Context Relevance PRA

Israel Privacy Amendment 13

Amendment 13 to the Protection of Privacy Law, 5741-1981

Israel's most significant privacy reform in 40 years, explicitly covering AI systems. Requires Data Protection Officers (DPOs) for entities processing sensitive data at scale, mandates Data Protection Impact Assessments (DPIAs) before AI deployment, and enhances Protection of Privacy Authority enforcement powers. One of first data protection laws to explicitly require DPIAs before AI development or deployment.

Jurisdiction

Israel

Enacted

Aug 5, 2024

Effective

Aug 14, 2025

Enforcement

Protection of Privacy Authority (PPA)

Approved by Knesset August 5, 2024; most provisions effective August 14, 2025

What It Requires

Transparency

Must disclose AI nature, data practices, or algorithmic decisions

User Rights

Must honor access, correction, and deletion requests

Who Must Comply

This law applies to:

• Entities processing sensitive data at scale
• Organizations engaged in systematic monitoring
• Public authorities
• Data brokers
• Organizations deploying AI systems that process personal data

Capability triggers:

● personalDataProcessing (required)

◐ sensitiveDataProcessing (increases)

● Required ◐ Increases applicability

Who bears obligations:

Data Controller Data Processor

Safety Provisions

• AI systems explicitly covered under data protection framework
• DPIAs required before AI development or deployment
• Mandatory DPO appointment for entities processing sensitive data at scale
• DPO must have comprehensive knowledge of privacy law, IT, and information security
• Risk assessments and penetration tests every 18 months for large sensitive databases
• Informed consent required for AI use
• Clear disclosures about AI processing
• Data subject rights strictly enforced for AI systems (access, correction, deletion)

Compliance Timeline

Aug 14, 2025

• Most provisions take effect
• Mandatory DPO appointments and DPIAs required

Enforcement

Enforced by

Protection of Privacy Authority (PPA)

Penalties

5% revenue; ILS 100K/violation

Revenue %: 5%

Per violation: $100,000

Up to 5% of annual turnover; statutory damages up to ILS 100,000 without proving harm; extended 7-year limitation period for civil claims

Private Right of Action

Individuals can sue directly without waiting for regulatory action. This significantly increases liability exposure.

Primary Source

Knesset (Israeli Parliament) - verify at knesset.gov.il (opens in new tab)

https://www.knesset.gov.il

Quick Facts

Binding: Yes
Mental Health Focus: No
Child Safety Focus: No
Algorithmic Scope: Yes
Private Action: Yes

Why It Matters

Sets high bar for AI governance with substantial penalties and private right of action. First data protection law to explicitly require DPIAs before AI deployment. Relevant for any AI service with Israeli users processing personal data. Enhanced PPA enforcement powers and ability to sue without proving harm creates significant compliance pressure.

Recent Developments

Most significant Israeli privacy reform in 40 years. Approved August 2024, effective August 14, 2025. One of first data protection laws globally to explicitly require DPIAs before AI deployment. Enables private right of action without proving direct harm.

What You Need to Comply

Organizations must appoint qualified DPOs, conduct DPIAs before deploying AI, implement risk assessments and security testing, obtain informed consent for AI processing, and provide clear disclosures about AI use. DPOs must operate independently with direct senior management reporting.

NOPE can help

Cite This

APA

Israel. (2024). Amendment 13 to the Protection of Privacy Law, 5741-1981. Retrieved from https://nope.net/regs/il-amendment-13

BibTeX

@misc{il_amendment_13,
  title = {Amendment 13 to the Protection of Privacy Law, 5741-1981},
  author = {Israel},
  year = {2024},
  url = {https://nope.net/regs/il-amendment-13}
}

Related Regulations

In Effect LB • Data Protection

Lebanon Law 81/2018

Lebanon's electronic transactions and data protection law lacking independent supervisory authority, relying on court remedies for enforcement.

In Effect JO • Data Protection

Jordan PDPL

Jordan's data protection law with medical data processing exceptions, data portability rights, and oversight including security services.

In Effect SA • Data Protection

Saudi Arabia PDPL

Saudi Arabia's comprehensive personal data protection law with extraterritorial scope, DPO requirements for sensitive processing, and National Data Governance Platform registration.

In Effect EG • AI Safety

Egypt AI Strategy 2025

Ambitious national strategy positioning Egypt as regional AI hub for Africa and Middle East. Targets 7.7% ICT sector GDP contribution by 2030, training 30,000 AI specialists, establishing 250 AI companies. Built on six strategic pillars: governance, infrastructure, technology, data, ecosystem, and talent. Accompanied by Egyptian Charter for Responsible AI (April 2023) with ethics principles.

In Effect QA • AI Safety

Qatar QCB AI Guidelines

Binding AI governance requirements for Qatar's financial sector. Mandates board-level accountability, risk assessments, human-in-the-loop for high-impact decisions, and prior QCB approval for high-risk AI systems.

In Effect AE • Online Safety

UAE Media Law

Comprehensive media regulation requiring licensing for all digital platforms, social media operations, and influencers. 20 binding content standards with significant penalties.

Back to all regulations Check if this applies to you