Israel Privacy Protection Law — Amendment 13 and AI

Key New Obligations

1. Expanded Definition of Personal Data

The definition of personal data is broadened to align with the EU GDPR. It now covers any information that can be used to identify an individual, including online identifiers (IP addresses, cookies, device IDs) and behavioral profiles. This is significant for SaaS, analytics, and advertising organizations that previously assumed aggregated data fell outside the law's scope.

2. Mandatory Database Registration Updates

The obligation to register personal data databases has existed since 1981, but Amendment 13 renews the requirement and mandates periodic updates. Any change in processing purposes, data categories, or vendors with data access triggers an update obligation. In the AI era, switching model providers is an event that may require a registration update. For mapping AI systems as registered databases, see Databases, Israeli Law, and AI.

3. Data Protection Officer (DPO) Appointment

Organizations processing large volumes of personal data or handling sensitive data are required to appoint a DPO. The DPO must be independent, must not be subject to a commercial conflict of interest within the organization, and must report directly to senior management. The DPO serves as the point of contact with the PPA and with data subjects.

4. 72-Hour Security Incident Reporting

A serious security incident — data exposure, loss, or unauthorized access — must be reported to the PPA within 72 hours of detection. Notification to affected data subjects may also be required depending on severity. For documentation and access controls under the security regulations, see Regulation 13 and Artificial Intelligence.

5. Privacy Impact Assessment (PIA)

Processing involving high-sensitivity data — including profiling, automated decision-making, and systematic monitoring — requires a prior assessment of the impact on data subjects' privacy. A PIA is a documented process demonstrating which risks were identified and how they were mitigated.

How AI Intersects with Amendment 13

Amendment 13 does not mention the word "AI," but it applies directly to every AI use case that processes personal data. The key intersections are:

Automated Decisions

When an AI system makes a decision that affects an individual — credit approval, resume screening, service prioritization — the data subject is entitled to an explanation and to appeal to a human reviewer. This mirrors Article 22 of the GDPR. In the context of the EU AI Act, it corresponds to the human oversight obligation for high-risk systems.

AI Vendors Abroad

Transferring personal data to OpenAI, Anthropic, Google, or other international providers requires careful analysis: does a vendor processing Israeli personal data constitute a "transfer outside the country" under the law? In most cases the answer is yes, requiring the Data Processing Agreement (DPA) to include provisions on international transfers and an adequate legal basis.

Training Models on Personal Data

If an organization trains or fine-tunes a model on customer data, it needs a legal basis (consent, contract performance, or legitimate interest), must be transparent about it, and must maintain a process for erasure when a data subject requests it. This is one of the most complex compliance areas in the AI era.

Readiness Timeline

Our portal focuses on the mapping and gap-identification phase: the questionnaire flags which systems hold personal data, which vendors have or lack an adequate DPA, and which processes are missing from your organization.