Israel's data privacy regulator has significantly intensified its enforcement activity. Companies that previously treated Israeli data protection rules as a secondary compliance concern now face material exposure. The Reshut HaGanat HaPrivatiyut (Israel Privacy Protection Authority – the DPA) has expanded its audit scope, accelerated its investigation timelines, and issued penalties that signal a clear shift in regulatory posture.
Israel's data protection legislation – anchored in the Privacy Protection Law and its associated regulations – has been substantively updated to align more closely with international standards, including GDPR compliance benchmarks. The DPA now applies enhanced scrutiny to data controllers and data processors operating in Israel, with particular focus on cross-border data transfer arrangements and the adequacy of consent mechanisms. International businesses with Israeli operations, data partnerships, or customer databases in the country should treat these developments as requiring immediate review.
This alert outlines what changed, which businesses are affected, and the steps that should be taken without delay.
What changed – and when it takes effect
The DPA's enforcement posture shifted in the first quarter of 2025. Revised regulations under Israel's privacy protection legislative regime entered into operation, introducing stricter requirements for organisations that collect, store, or process personal data belonging to Israeli residents.
The core changes address three areas. First, the rules governing database registration were tightened. Organisations holding databases above defined thresholds must now maintain updated records and demonstrate active compliance – not merely passive registration. Second, requirements for cross-border data transfer arrangements were reinforced. Transfers to jurisdictions not recognised as adequate by the DPA now require documented safeguards. Third, the DPA formalised its expectations around consent mechanisms, specifying that consent must be granular, purpose-specific, and freely withdrawable.
These changes took effect progressively during 2025. The DPA confirmed that it began applying the updated enforcement criteria from mid-2025, with full enforcement – including financial penalties – operative from the fourth quarter of 2025 onward. Organisations that have not aligned their practices with the updated rules are already within the DPA's enforcement perimeter.
For companies with EU operations, the overlap with GDPR compliance requirements is significant. Israel holds an EU adequacy decision, meaning personal data can flow freely from the EU to Israel. However, that status depends on Israel maintaining a level of protection equivalent to EU standards. The DPA's intensified enforcement is partly driven by the need to preserve that adequacy recognition. Failure to comply with Israeli data protection law therefore carries a dual risk: domestic regulatory exposure and potential disruption to EU data flows.
Businesses managing AI-driven data processing should also note that the DPA has flagged automated decision-making and profiling as priority areas for review. For a detailed analysis of how Israeli AI regulation intersects with data protection obligations, see our coverage of AI and technology law in Israel.
Who is affected – thresholds and business categories
The updated enforcement regime applies broadly. However, certain categories of organisation face elevated exposure based on the nature and volume of their data processing activities.
International companies with Israeli data subjects. Any organisation – regardless of where it is incorporated – that processes personal data of Israeli residents is subject to Israeli data protection law. This includes e-commerce platforms, SaaS providers, financial services firms, healthcare technology companies, and professional services firms.
Data controllers operating registered databases. Organisations that maintain databases above the statutory registration threshold are subject to audit rights and reporting obligations. The threshold is determined by the number of data subjects and the sensitivity of the data categories held. Sensitive categories – health data, financial data, biometric data – attract lower thresholds and higher scrutiny.
Data processors handling Israeli personal data on behalf of third parties. Cloud service providers, marketing analytics firms, and outsourced HR platforms that process Israeli personal data are now explicitly within scope. The DPA has signalled that it will examine processor-level compliance – not only the obligations of the data controller at the top of the chain.
Companies relying on cross-border data transfer arrangements. Organisations transferring personal data out of Israel – particularly to jurisdictions outside the EU/EEA and Israel's recognised adequate countries list – must have documented transfer mechanisms in place. The DPA has identified this as a primary enforcement target in its published supervisory priorities.
For a full description of compliance obligations applicable to businesses in Israel, our data protection advisory practice in Israel provides jurisdiction-specific guidance.
To receive an expert assessment of your organisation's data protection exposure in Israel, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
The following steps reflect the DPA's current enforcement priorities and the requirements introduced by the updated regulatory regime.
- Audit your Israeli database registrations. Confirm whether your organisation holds databases that meet the registration threshold under Israeli data protection legislation. Registration must be current, accurate, and reflect the actual data categories and purposes in use. Outdated or missing registrations are among the first items the DPA examines on audit.
- Review all cross-border data transfer arrangements. Map every data flow that involves personal data of Israeli residents leaving Israel. For each transfer, confirm that the destination country is either on Israel's adequacy list or that an appropriate safeguard – such as a contractual mechanism recognised by the DPA – is documented and in force.
- Reassess your consent mechanisms. Review the consent language used to collect personal data from Israeli residents. Ensure that each consent is specific to its purpose, clearly worded, and supported by a withdrawal mechanism. Bundled or pre-ticked consents are unlikely to withstand DPA review under the updated standards.
- Clarify data controller and data processor responsibilities. Where your organisation engages third-party processors handling Israeli personal data, review the contractual terms governing those relationships. The DPA now expects written agreements that allocate responsibilities clearly and require processors to maintain adequate security measures.
- Prepare for DPA contact. The DPA has the authority to initiate audits, request documentation, and issue compliance notices on short timelines. Designate an internal point of contact for DPA correspondence. Ensure that relevant records – including database registrations, transfer documentation, and consent records – can be produced promptly.
For comparative context on how data protection enforcement developments in other high-growth markets are unfolding, our alert on data protection enforcement in the UAE covers parallel regulatory activity in the region.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies in managing regulatory exposure in Israel and across the Middle East and Asia-Pacific region. We assist data controllers and data processors in aligning consent mechanisms, cross-border data transfer arrangements, and database compliance programmes with the requirements of local data protection legislation. Our team combines Portuguese civil law expertise with English common law tradition – a dual perspective that is particularly valuable when advising clients whose data flows span multiple legal systems. Engaging a lawyer in Israel with cross-border data protection experience is essential when the DPA's enforcement scrutiny extends to international processors and transfer arrangements. As a law firm operating in Israel and across 46 jurisdictions, Ferraz & Whitmore provides the coordination that multi-jurisdictional data compliance requires. To discuss your organisation's data protection position in Israel, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.