Privacy protection acts:
The right to privacy in Israel gained a constitutional status with the adoption of the Basic Law: Human Dignity and Freedom, (the “Basic Law”). Section 7(a) of the Basic Law provides that every person is entitled to privacy.
The law that provides the principles and details regarding the protection of privacy in Israel is the Protection of Privacy Law – 1981 (the “Law”), which was enacted prior to the adoption of the Basic Law. The Law does not protect the privacy of corporations but only the privacy of individuals.
Section 1 of the Law prohibits any violation of the privacy of others without consent. Section 2 of the Law defines:
“2(9): using, or passing on to another, information on a person’s private affairs, otherwise than for the purpose for which it was given”.
2(10): publishing or passing on anything that was obtained by the way of violation of privacy …”
as a "violation of privacy" if made without consent.
In addition to the general right for privacy, Amendment no. 4 (Databases), enacted in 1996, adjusted chapter B of the Law to the new reality of the information market.
The amendment defines “database” in Section 7 of the Law as follows: "a collection of information that is held by magnetic or optical means and that is intended to be processed by a computer", excluding:
· Collection for personal use, which is not for business purposes.
· Collection which includes only names, addresses and connection possibilities, which, by itself, does not create a characterization which may violate the privacy of the individuals whose names are mentioned, and under the condition that the owner of the collection does not control any additional collection.
In addition, the Law defines "sensitive data" as: "(1) data regarding the personality of a person, privacy, health, financial situation, ideas and beliefs; data which was ordered to be regarded as sensitive data by an order of the Minister of Justice".
The use of the data regarding individuals is limited to the same cause it was given for by the individual, unless an explicit consent for a different use was given.
Section 8 of the Law sets the duty of registration of databases as well as the limits of using the stored data. Section 8(c) of the Law sets out the circumstances under which the owner of the database must register his database with the Registrar of Databases. The applicable situations are:
(1) The database includes data about more than 10,000 people; or
(2) The database includes sensitive information; or
(3) The database includes data about people that was not provided by those people or
not provided with their consent to this database; or
(4) The database belongs to a public entity; or
(5) The database is intended to be used for the purposes of direct mailing
Special duties for the management and holding of a database:
Sections 17A and 17B defines the holder of a database as the one who holds a database on a regular basis and has the right to use it. A database manager is "the active manager of a body that owns or holds a database or the one that a manager of such a body has empowered to in that matter".
Special duties and regulations for direct mailing:
Direct mailing is defined as a "personal application to a person, on the basis of his belonging to a certain group of people, which was fixed by one characterization or more, and that their names are mentioned in the database".
The term application includes written application by facsimile, print, mail, e-mail and other computerized types of information transfer and "any other form of application".
Direct mailing services are defined as the direct mailing of lists or data by any means.
Of course, the duties abovementioned place a heavy burdenon the direct mailing companies. Moreover, the definition of a direct mailing application includes also telephone calls and as such place the same burden on the telemarketing companies.
Section 31A of the Amendment sets a list of offences in connection with chapters B and D of the Law. All may lead to a punishment of one year imprisonment.
· Managing, holding or using a database that acts in a way that contradicts the instructions of Section 8 of the Law.
· A petition for the registration of a database that provides false details in the registration request in contradiction with Section 9 of the Law.
· The delivery of false details in the statement that accompanies a request to receive data under Section 11, or not providing the required details in such a statement.
· Not following the instructions of Sections 13 and 13A regarding the right of inspection of the data of the database or not changing such data in accordance with Section 14 of the Law.
· Allowing access to the database in contradiction with Section 17A(a) or not delivering to the Registrar of databases documents or affidavit in accordance with the instructions of Section 17A(b).
· Not appointing a person in charge of the security of the data.
· Managing or holding a database that serves direct mailing services in contradiction with Sections 17D to F.
· Delivery of data in contradiction with Sections 23B to E.
All the above-mentioned offences are considered as absolute responsibility, so there is no need to prove menas rea nor neglect to prove that the offense was made. Moreover, these offences are considered as torts by the Israeli Tort Act.
The transfer of data out of Israel:
The articles of the protection of privacy (the transfer of data outside of the country’s borders) – 2000 (the “Articles”) legislate what is permissible regarding the transfer of data outside of Israel.
The Articles rule that one shall not transfer data from Israel to another country, unless the privacy law of that country provides the same degree of protection that the Israeli law provides. The law of such country has to provide for a legal collecting of data, and dictates that the data should be accurate and updated.
Furthermore, the Articles determine that the owner of the database can transfer the data from his database in Israel to another country under certain conditions, such as with the consent of the person to whom the data relates.
The owner of the database must ensure that the receiver of the data takes all necessary measures to protect the privacy of those to whom the data relates. The receiver of the data must also make sure that the data will not be passed to another person, in that country or in another.