
IL Regulatory Update: Draft Guidance from Israel's Privacy Protection Authority

  • Marketing Ai-Law&Tech
  • June 5
  • 2 min read

In April 2025, Israel’s Privacy Protection Authority (PPA) released a draft guidance clarifying how core principles of privacy law apply to artificial intelligence (AI) systems. The guidance outlines regulatory expectations for companies using AI technologies that process personal data.


1. Scope of the Law

Any AI system that processes personal data—at any stage of its lifecycle—is subject to the Privacy Protection Law. A valid legal basis, such as informed consent, is required for processing.


2. Informed Consent

Organizations must clearly explain the purposes of data use (including potential future uses), how the AI system operates, who is processing the data, and the associated privacy risks. Importantly, publicly available personal information does not constitute consent for AI-based processing unless explicit consent is given.


3. Accountability and Internal Governance

Companies are expected to implement internal AI policies, establish appropriate governance frameworks, and ensure managerial oversight. High-risk AI systems require the appointment of a Data Protection Officer (DPO) and completion of a Data Protection Impact Assessment (DPIA) before development or deployment.


4. Data Security

The guidance emphasizes the unique cybersecurity risks posed by AI systems. Organizations must minimize data collection, adopt advanced safeguards, and thoroughly vet external tools and vendors.


5. Right of Access and Correction

Data subjects have the right not only to access and correct their personal data, but also—under certain conditions—to access algorithmic outputs, especially when there's a risk of perpetuating inaccurate information. The PPA will place enforcement priority on these rights under Sections 13–14 of the law in AI-related contexts.


6. Data Minimization

Only strictly necessary data should be collected and processed. Organizations must regularly review and delete or anonymize redundant information.


7. Prohibition on Data Mining Without Consent

Mining personal data from the internet—including from public websites—without explicit consent is strictly prohibited. Doing so violates Israel’s data security regulations and may be considered a severe security breach.

 
 
 
