The New Regulatory Framework: What Changed in Amendment 13
Amendment 13 to the Privacy Protection Law, 1981, which took effect in January 2025, introduced fundamental changes to the requirements for transferring personal data outside Israel. The central change relates to the explicit establishment of the "adequate level of protection" principle, replacing the general approach that existed previously.
The amended law stipulates that personal data transfers outside Israel will only be permitted if the destination country has an "adequate level of protection for personal data." This principle, familiar from international models such as the EU's GDPR, establishes a more structured approach to risk assessment in international transfers.
The amendment also grants the Privacy Protection Authority new authority to establish a list of countries deemed to have adequate protection levels, similar to the list of approved countries maintained by the European Commission. This decision is designed to provide legal certainty for companies and reduce implementation complexity.
Impact on Technology Companies
For SaaS companies, fintech firms, and other technology companies operating internationally, this change requires a comprehensive reassessment of all international data flows. Companies that previously relied on generic practices must now specifically analyze the level of protection in each destination country.
Defining Adequate Protection: The Legal Criteria
The amended Privacy Protection Law does not explicitly define what constitutes an "adequate level of protection," but refers to criteria that the Privacy Protection Authority will publish in regulations. Based on preparations for secondary legislation and observation of international practices, several key criteria can be anticipated.
Expected Criteria for Protection Level Assessment
- Existence of comprehensive privacy legislation including fundamental rights for data subjects
- Independent and effective supervisory authority for privacy protection
- Rights of access, correction, and deletion for data subjects
- Restrictions on data transfers to third countries
- Effective enforcement mechanisms, including significant sanctions
- Independent judicial remedies and oversight procedures
As of the date of this article, the Privacy Protection Authority is still developing regulations that will precisely define these criteria. Companies are advised to monitor the Authority's publications and prepare for adaptation when the criteria are published.
Impact of International Recognition
The Privacy Protection Authority is expected to consider reciprocal decisions by equivalent authorities in other countries. For example, countries that receive recognition as "countries with adequate protection levels" by the European Commission may receive similar treatment from Israel, subject to independent verification.
Countries with Adequate Protection: Current Status and Expectations
As of the date of this article, the Privacy Protection Authority has not yet published the official list of countries with adequate protection levels. However, based on Authority statements and comparison to international models, certain countries can be identified as having a high probability of inclusion on the list.
Countries with High Approval Probability
- European Union Member States - due to GDPR and comprehensive regulatory framework
- United Kingdom - UK-GDPR legislation is essentially identical to EU legislation
- Switzerland - updated privacy law (nDSG) aligned with GDPR standards
- Canada - federal PIPEDA law and provincial legislation
- Japan - receives EU recognition based on mutual agreement
- South Korea - Personal Information Protection Act (PIPA) aligned with international standards
It's important to note that this list is only a preliminary assessment, and the final list will be determined solely by the Privacy Protection Authority. Companies are advised not to rely on this assessment until official publication.
Countries with Complex Status
The United States presents an interesting test case. While the US lacks comprehensive federal privacy legislation, sectoral laws (HIPAA, FERPA) and state laws (such as California's CCPA) exist. Additionally, federal oversight mechanisms (FTC) provide significant enforcement. The Israeli Privacy Protection Authority's decision regarding the US will affect most Israeli companies operating internationally.
Countries such as Australia and New Zealand are also in an intermediate position - they have comprehensive privacy legislation but do not yet receive full recognition at the European level.
Transfer Mechanisms for Countries Without Adequate Protection
Even when the destination country does not appear on the approved countries list, Amendment 13 allows data transfers through alternative mechanisms. These mechanisms, similar to the GDPR model, are designed to create legal "protection bridges."
Data Transfer Agreements
The primary mechanism is data transfer agreements between the transferring entity in Israel and the receiving entity in the destination country. These agreements must include precise commitments to protect data at a level equivalent to that existing in Israel.
- Technical commitments - encryption, data security, access restrictions
- Legal commitments - respect for data subject rights, restrictions on further transfers
- Oversight mechanisms - reporting on security incidents, periodic audits
- Termination rights - ability to terminate the agreement in case of breach
Binding Corporate Rules
Multinational companies will be able to adopt binding internal rules that apply to all entities in the corporate group. This mechanism is particularly suitable for large technology companies with significant international presence.
Explicit Consent of Data Subject
In certain cases, it will be possible to rely on explicit consent from the data subject for the transfer. However, this mechanism is limited to specific circumstances and is not suitable for mass or routine processing of personal data.
Compliance Requirements: What Technology Companies Must Do Now
Adapting to Amendment 13 requirements necessitates a structured approach and implementation of several practical steps. Companies operating internationally should begin the adaptation process now, even before publication of the final list of approved countries.
Mapping Existing Data Flows
The first step is comprehensive mapping of all international data flows. This includes:
- Cloud services (AWS, Google Cloud, Microsoft Azure) - where servers are actually located
- Tracking and analytics tools (Google Analytics, Mixpanel, Hotjar) - where data is sent
- CRM and marketing platforms (Salesforce, HubSpot, Mailchimp) - data processing location
- Customer support tools (Zendesk, Intercom) - conversation storage location
- Payment processors (Stripe, PayPal) - where credit data is processed
Each flow should be examined for destination country, type of data transferred, and business justification for the transfer.
Assessing Need for Adaptations
After mapping, each flow should be checked against the new requirements:
- Flows to approved countries - no adaptation required (subject to list publication)
- Flows to non-approved countries - alternative protection mechanism required
- Multi-stage flows - examination of each stage in the transfer path
Updating Contractual Commitments
Contracts with service providers must be updated to include commitments specific to Amendment 13. This includes:
- Provider's commitment to comply with Israeli law provisions
- Mechanism for reporting requests from investigative or security authorities
- Right to audit or receive compliance certifications from provider
- Commitments regarding sub-contractors
Cloud Services and Data: Special Considerations for Technology Companies
Cloud services present unique challenges within the framework of new data transfer requirements. SaaS companies and other technology companies relying on major cloud providers need to understand the specific complexities.
The Geographic Multiplicity Problem
Major cloud providers operate servers worldwide, and data may move between different geographic regions. Even when a company chooses a specific region for storage (e.g., "EU-West"), transfers to other countries may still occur for backup, processing, or maintenance purposes.
- Amazon Web Services (AWS) - allows region selection and "data residency" but service limitations must be understood
- Microsoft Azure - offers "data boundary" for Europe but with exceptions for certain services
- Google Cloud Platform - allows region selection but with "global services" that may cross borders
Practical Solutions for Cloud Services
Companies should take several steps to ensure compliance:
- Conscious region selection - preference for regions in countries expected to be included on the approved list
- Updated DPA agreements - ensuring Data Processing Agreements are aligned with Israeli requirements
- Tailored service configuration - canceling "global" services that may create unwanted transfers
- Application-level encryption - ensuring data is encrypted in such a way that even the provider cannot access it
Considerations for Additional Services
Beyond basic storage, companies use various cloud services, each of which may create data flows:
- Content Delivery Networks (CDN) - Cloudflare, Amazon CloudFront - may replicate data to many countries
- Monitoring services - Datadog, New Relic - send logs and metrics to processing centers
- Security services - SOC and security monitoring products that may transfer data for analysis
Each service represents a potential transfer point that should be examined and included in the overall compliance strategy.
Practical Implementation: Preparing the Company for New Requirements and the Future
Adapting to Amendment 13 requirements is not a one-time event but an ongoing process requiring building internal capabilities and establishing long-term work processes. Technology companies should approach the issue strategically.
Building an Internal Compliance Team
Medium and large companies should allocate dedicated resources to privacy protection and international transfers:
- Appointing a Data Protection Officer (DPO) - while not mandatory in all cases under Israeli law, recommended for companies with international operations
- Establishing a privacy committee - including representatives from legal, technology, and product departments
- Training development teams - ensuring developers understand constraints in data location and processing
Work Processes for New Products
Every new product or service should undergo a Privacy Impact Assessment including examination of:
- What personal data the product will collect and why
- Where the data will be stored and which vendors will be involved
- Whether international transfers are expected and under what circumstances
- What technical controls will be implemented to limit unwanted transfers
Monitoring Regulatory Changes
The privacy protection regulatory landscape changes rapidly, and the Privacy Protection Authority is expected to publish additional guidelines and regulations. Companies should:
- Regularly monitor Privacy Protection Authority publications
- Participate in professional conferences and seminars in the field
- Maintain contact with specialized legal advisors
- Monitor international developments that may affect Israel
Preparing for Increased Enforcement
Amendment 13 significantly strengthened the Privacy Protection Authority's enforcement powers, including substantial administrative fines. Companies should prepare for increased oversight:
- Comprehensive documentation - maintaining documentation of all decisions and actions in data transfer matters
- Procedures for handling inquiries - preparing to handle inquiries from the Privacy Protection Authority or data subjects
- Appropriate cyber insurance - ensuring the policy also covers regulatory fines
Investment in compliance today will save companies significant expenses and complexities in the future, especially when they want to expand to international markets requiring high privacy standards.