Israel has rolled out its biggest privacy reform in 40 years. Amendment 13 to the Protection of Privacy Law, which took effect on August 14, 2025, now sets stricter rules for how organizations collect, store, and use personal data.
The new rules expand what counts as sensitive data, introduce mandatory Data Protection Officers (DPOs), tighten consent requirements, and give regulators stronger enforcement powers, including the ability for individuals to sue without proving harm. The amendment also briefly addresses AI use, making Israel one of the first countries to weave AI-driven decisions into its framework.
The scope isn’t limited to Israel. If your company processes data on Israeli residents—even without a local office—you must comply.
Here’s what’s changing, how it compares to global standards, and the steps your organization should take now.
Timeline: When does Israel Amendment 13 apply?
- March 2024: Amendment 13 passed by the Knesset.
- August 14, 2025: Law entered into force.
Key changes in Israel’s new data protection law
Amendment 13 brings Israel’s privacy framework up to modern standards, but it also introduces several obligations that go beyond what most businesses expect. The most important changes include:
Expanded scope of personal and sensitive data
- Personal data now explicitly includes IP addresses, online identifiers, and geolocation data, bringing common digital identifiers into scope.
- “Sensitive data” is redefined as “especially sensitive”, covering biometrics, genetic data, criminal records, sexual orientation, and financial details.
- Companies should map where these categories appear in their systems—for example, IPs in server logs or biometric access data in HR systems.
Further reading: What is Sensitive Data and How Companies Can Protect It
Mandatory DPOs and stronger accountability
- Public bodies, data brokers, organizations whose main activity is processing especially sensitive data, or those conducting systematic monitoring must appoint a Data Protection Officer (DPO).
- The DPO must be independent, with direct access to senior management.
- In practice, this means not just naming someone on paper but giving them authority and resources to monitor compliance across departments.
Database registration and notifications
- Unlike GDPR, Israel continues to require registration for certain databases.
- Public bodies and direct-marketing databases of over 10,000 individuals must register with the regulator.
- Databases holding especially sensitive data on more than 100,000 individuals must submit a notification.
Consent and transparency requirements
- Consent must be explicit, documented, and granular. Blanket consent is no longer acceptable.
- Privacy notices must now explain what is collected, why it’s collected, the risks, and who it’s shared with.
- This requires organizations to review existing consent forms and rewrite them to meet higher standards of disclosure.
AI and automated decision-making
- Amendment 13 is one of the first data protection laws to explicitly cover AI, requiring the same rigor as other data use: informed consent, clear disclosures, and accountability.
- Data subject rights—access, correction, and deletion—will be strictly enforced for AI systems.
- Organizations should conduct Data Protection Impact Assessments (DPIAs) to identify risks and document safeguards before deploying AI.
Further reading: Strategies for Balancing AI and Data Security
Ongoing security testing
- Large sensitive databases must undergo risk assessments and penetration testing every 18 months.
- Organizations must treat penetration testing as part of their compliance calendar, not just an optional IT initiative.
Enforcement and private claims
- The Privacy Protection Authority (PPA) can suspend databases, issue binding orders, and publish violators’ names for up to 4 years.
- Administrative fines can reach into the millions of shekels (USD 500,000+ / EUR 460,000+), with multipliers for large-scale or sensitive data processing.
- Individuals can file civil claims without proof of harm, with statutory damages of up to NIS 100,000 (USD 27,000 / EUR 25,000) per person.
- Organizations may also face class actions and, in severe cases, criminal liability for offenses such as breaches of confidentiality or misleading the regulator.
Advance rulings from the regulator
- Companies can request a binding opinion from the PPA before launching new data processing activities.
- This mechanism reduces uncertainty and allows businesses to validate compliance strategies before investing heavily in new systems.
Who must comply with Israel’s privacy law
The new Israeli data protection law applies broadly to:
- Israeli companies of any size handling personal data.
- Foreign companies processing data on Israeli residents.
- Public bodies and data brokers managing large-scale data.
Specific triggers make compliance mandatory even for smaller organizations:
- Holding a direct-marketing database of 10,000+ individuals.
- Conducting systematic monitoring of individuals.
- Processing large volumes of especially sensitive data.
For IT managers and business owners, this impacts how data is handled daily: who can access it, how it’s secured, and how incidents are reported. Leaders must allocate resources for DPOs, audits, and training to meet these new expectations.
How Amendment 13 compares to GDPR and other laws
If your business already complies with GDPR, you have a strong foundation, and the compliance gap won’t be huge. But Israel’s rules add extra obligations that aren’t covered by EU standards.
What’s the same:
- DPO requirement.
- Strong consent rules and privacy notices.
- Records of processing and security controls.
- Obligations to secure sensitive data.
How they’re different:
- Civil claims without proof of harm: In Israel, simply violating privacy rights can be enough to spark a lawsuit. GDPR usually requires individuals to show actual damage.
- Database registration and notifications: Still required for high-risk datasets like sensitive data or large marketing databases (10,000+ records). The EU dropped this years ago.
- Mandatory security testing: Large sensitive databases must undergo penetration tests and risk assessments—something neither GDPR (nor CCPA) requires.
- AI oversight: The regulator explicitly links AI to privacy duties. That means DPIAs before deployment, detailed disclosures, and internal rules for generative AI tools.
Comparing Amendment 13 to other frameworks:
- CCPA (California): Strong on consumer rights (access, deletion, opt-out), but far lighter on security, thresholds, and penalties than Israel.
- Switzerland’s nFADP: GDPR-aligned but lighter in enforcement. Israel is tougher because of civil claims and AI oversight.
- Japan’s APPI: Strong on cross-border transfer rules, but less prescriptive on security testing. Israel pushes organizations harder on technical safeguards and notifications.
What Amendment 13 means in practice
Amendment 13 doesn’t affect all sectors in the same way. Its requirements affect each industry differently; here’s what it could look like in practice:
Fintech
Startups using AI for credit scoring, fraud detection, or investment tools must explain how decisions are made and document privacy risks through DPIAs. Training data can’t be scraped without consent, and customers must receive clear disclosures before AI models process their information. Read more about DLP in fintech.
What to do now: Conduct a DPIA before launching or updating AI-driven tools.
Healthcare
Hospitals and clinics handle the most sensitive categories of data: medical records, genetic information, and biometrics. Amendment 13 requires encryption, access logs, and penetration tests on large databases. Patient data handling must now be auditable and provably secure. Read more about DLP in healthcare.
What to do now: Audit access to patient data and ensure encryption is in place across all systems.
Finance
Banks and insurers process financial details classified as “especially sensitive.” Sharing statements, credit reports, or risk profiles now requires stricter controls and explicit consent. Encryption and vendor checks are now mandatory under the law. Read more about DLP in finance.
What to do now: Review third-party contracts and strengthen encryption on financial data transfers.
Logistics
Shipment tracking and driver monitoring involve geolocation data, now explicitly regulated as personal data. Companies must obtain consent for tracking, set retention limits, and secure location records. Automated systems for routing or workforce monitoring may trigger a DPIA obligation.
What to do now: Update driver and customer consent forms to cover geolocation tracking.
Manufacturing
Factories often use biometric access systems and large employee databases—both fall under “especially sensitive” data. That means security audits, access restrictions, and in some cases registration or notification to the regulator are mandatory.
What to do now: Review biometric access controls and confirm database registration requirements.
Compliance checklist for Amendment 13
Since Amendment 13 entered into force in August 2025, companies that process personal data in Israel should already be adapting. The following steps will help ensure you’re compliant:
- Map your data flows—Identify what sensitive data you hold, where it resides, and how it moves between systems. Pay special attention to logs, HR systems, and cloud apps where sensitive data often hides.
- Appoint a DPO—Required for public bodies, data brokers, organizations conducting systematic monitoring, or databases primarily handling sensitive data. Even if not mandatory, a DPO can reduce risk by coordinating privacy practices across departments.
- Update consent processes—Notices must explain what’s collected, why, risks, recipients, and data sources. Make sure consent is explicit, documented, and granular—especially for sensitive data.
- Strengthen security—Run risk assessments and penetration tests (every 18 months for large sensitive databases), tighten access controls, and log incidents to create an audit trail.
- Implement AI usage policies—Conduct DPIAs before deploying AI, update consent and notices to disclose AI use, adopt internal rules for generative AI tools (e.g., which tools are allowed and what data can be uploaded), and block unlawful data scraping.
- Train employees and build a culture of compliance—Regularly train staff who handle data on consent, security, and reporting obligations. Compliance depends on everyday decisions, not just policies.
- Deploy DLP—Use Data Loss Prevention tools to classify and monitor data in real time, prevent unauthorized transfers, and provide audit-ready logs for regulators.
How Safetica helps you meet Israel’s data protection law
Israel’s Amendment 13 is a signal that data protection in the region is entering a new era. The law raises the bar for how organizations collect, secure, and use personal data. While that means new obligations, it also creates opportunities. Companies that adapt early will not only avoid penalties but also strengthen trust with customers, partners, and regulators.
Safetica’s DLP solution is designed to make compliance practical. With Safetica, organizations can:
- Identify and classify sensitive data automatically—across endpoints, cloud apps, and storage.
- Monitor and control data use to prevent unauthorized transfers, whether intentional or accidental.
- Create an audit-ready trail of access logs and security incidents to satisfy regulators.
- Protect AI pipelines by ensuring sensitive data isn’t misused in training or automated processes.
- Support your DPO with centralized visibility, reporting, and policy enforcement tools.
- Strengthen customer trust by showing that your data protection practices go beyond minimum compliance.
With Safetica, you can turn compliance into confidence—meeting the requirements of Israel’s new data protection law while protecting your business-critical information worldwide.
Ready to see how Safetica can help your company prepare for Amendment 13?