Israel’s Privacy Protection Authority Steps Up Enforcement: First Fines Under Amendment 13

In a significant move toward stricter data protection enforcement, Israel’s Privacy Protection Authority (PPA) has begun imposing administrative fines under the recently implemented Amendment 13 to the Privacy Protection Law, 1981. The amendment, which strengthens the Authority’s supervisory and enforcement powers, marks a new era of accountability for both organizations and individuals who misuse personal data.

Case in Point: Unauthorized Access by a National Insurance Institute of Israel Employee

A recent case highlights this shift. A National Insurance Institute employee used her authorized system access for personal purposes, retrieving sensitive personal information from the Institute’s databases. The data related to the ex-wife of her current partner and members of the ex-wife’s family — actions carried out amid an ongoing divorce dispute.

The investigation began after the PPA received a complaint alleging unlawful use of personal data. In response, the Authority launched an inspection procedure and requested detailed system logs from the National Insurance Institute. These logs revealed that between 2020 and 2021, the employee performed 20 different data queries — 15 of which involved sensitive and private information about the complainant and her family — with no legitimate professional justification.

Enforcement Decision and Penalty

In August 2025, the PPA determined that the employee had violated the Privacy Protection Law in 15 separate instances by using personal data for purposes inconsistent with the original intent of the databases. The Authority ruled that these acts constituted a breach of Section 8(b) of the law and imposed an administrative fine of 75,000 NIS.

A Message of Deterrence and Compliance

This case is one of the first to demonstrate the PPA’s intensified enforcement policy under Amendment 13. It sends a clear message: public sector employees and private organizations alike are expected to maintain strict compliance with privacy principles and purpose limitations. Unauthorized access — even by individuals with legitimate credentials — will be met with decisive sanctions.

As Israel’s data protection regime continues to evolve, this decision underscores the growing importance of internal compliance mechanisms, access controls, and employee awareness programs to prevent similar incidents in the future.