Privacy Protection Amendment 13: What AI and Technology Companies in Israel Must Do

The Privacy Protection Law, 1981, is Israel's primary legislation governing personal data. For decades it was considered outdated relative to digital-age challenges. Amendment 13, passed by the Knesset in 2023 and phased in progressively, has brought Israeli law closer to GDPR standards. **Key changes:** - Mandatory appointment of a Data Protection Officer (DPO) for certain entities - Obligation to conduct Data Protection Impact Assessments (DPIA) for high-risk processing - Enhanced transparency obligations — detailed privacy policies, informed consent - Expanded enforcement powers for the Israeli Privacy Protection Authority (ILPPA) — including fines of up to millions of shekels - Recognition of Privacy Enhancing Technologies (PETs) as the preferred approach to data processing

The DPO obligation applies to: - Public bodies - Organisations for which data processing is a core activity - Organisations that process sensitive data at significant scale (health, biometric, location, children's data) - Organisations engaged in systematic large-scale monitoring of individuals **For AI companies:** If your product analyses user data, generates personalised recommendations, or processes user-generated images/code/text — you likely fall within scope. Specific legal advice is essential before drawing a firm conclusion. **What a DPO does:** Acts as the point of contact with the authority, advises the organisation on compliance, supervises DPIA implementation, and serves as data protection trustee. The DPO is not directly liable — the organisation is.

A DPIA is a structured process to identify and manage privacy risks before launching a new product or process that involves high-risk data processing. **When a DPIA is mandatory:** - Deployment of new technology processing personal data - Large-scale sensitive data processing - Systematic monitoring of public spaces - Profiling of individuals (recommendations, credit, employment) - Processing of children's data **For AI:** Almost every consumer-facing AI product requires a DPIA. If your product generates personal profiles, assesses predispositions, recommends content, assigns credit scores, or makes accept/reject decisions — a DPIA is mandatory. **What a DPIA includes:** Description of processing and its purposes; necessity and proportionality assessment; identification of privacy risks; planned mitigation measures; outcome: acceptable-risk process vs. process requiring authority approval.

Amendment 13 adds a new dimension to the AI discussion — a transparency obligation. **Hallucinations and incorrect outputs:** What happens when an AI model generates false information about a person? For example: an AI credit recommendation system based on erroneous data, or an HR system that rejects candidates based on faulty analysis. Amendment 13 requires: (a) disclosure that a decision was made by an automated system; (b) a right to review and correction; (c) an appeals mechanism. **Deepfakes:** Creating harmful AI-generated content (deepfake video, synthetic voice) increases exposure to privacy + defamation claims. Amendment 13 does not address this directly, but the transparency obligation continues to apply. **AI vendor agreements:** If you use an OpenAI, Google, or other provider API, you are a "data processor" not a "database owner". Obligations still apply: sign a Data Processing Agreement (DPA) with the vendor, verify the vendor meets GDPR/Amendment 13 standards, and document the chain.

**Fines under Amendment 13:** The Israeli Privacy Protection Authority (ILPPA) now has authority to impose administrative fines: - Minor violations: up to NIS 100,000 - Serious violations: up to NIS 1,000,000 - Aggravating circumstances (intent, negligence, large scale): up to millions of shekels **Individuals can sue directly:** In addition to authority fines, individuals whose data was breached can bring civil claims — including damages without proving actual loss. **What increases risk:** - Failure to appoint a DPO when required - Failure to conduct DPIA for high-risk processes - Failure to notify the authority of a data breach within 72 hours - Retaining data beyond the required period

Amendment 13 encourages — and in some cases requires — the use of technologies that reduce privacy intrusion. **PETs relevant to AI:** - **Differential Privacy:** Adding statistical noise to training data so specific individuals cannot be identified - **Federated Learning:** Decentralised model training — data stays on the device, only parameters are shared - **Anonymisation & Pseudonymisation:** Removing/replacing personal identifiers before training - **Synthetic Data:** Using AI-generated synthetic data for training instead of real data **Practical recommendation:** Building AI training pipelines with recognised PETs from the outset — not only reduces legal risk but becomes an investment policy: large buyers and enterprise clients increasingly require it.