Israeli Privacy Protection Authority Fines EY Israel and PwC Israel for Privacy Law Violations

Three weeks ago, the Israeli Privacy Protection Authority imposed administrative fines on Ernst & Young Israel and PwC Israel for violations of the Privacy Protection Law.

According to the Authority, both companies required visitors to their offices in Azrieli Town and Midtown Tel Aviv to scan their ID cards as a condition for entry—without providing the legally required notice in accordance with Section 11 of the Privacy Protection Law.

In the Authority’s official position paper regarding the collection and scanning of ID cards, it was clarified that an ID number serves as a "key" to accessing additional personal data about an individual. As such, it is considered personal information under the law, and is subject to the provisions of Chapter B of the Privacy Protection Law.

Section 11 of the law requires that any request for an individual's ID number or for scanning their ID must be accompanied by clear notice explaining:

• Whether there is a legal obligation to provide the information, or whether it is given voluntarily

• The purpose for which the information is being collected

• To whom the information will be transferred, and for what purpose

The Authority emphasized that when identity verification is required for service provision, organizations should consider privacy-friendly alternatives, such as: Sending a one-time code in advance for identity confirmation

Blacking out non-essential parts of the ID when taking a photo

Allowing the visitor to present their ID without scanning or storing it

Following the inspection, the Authority ruled that the companies had violated Section 11 and imposed a fixed administrative fine of 15,000 NIS on each company.

Important Note: Following the recent Amendment 13 to the Privacy Protection Law, monetary penalties for such violations may significantly increase in the future.