Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing. There can be criminal penalties and administrative sanctions In Israel for violating privacy and data security laws.
In terms of criminal penalties, individuals who willfully infringe on the privacy of another under the Protection of Privacy Law, 1981 (PPL) may be imprisoned for up to 5 years. Individuals who commit violations relating to computerized databases may be imprisoned for up to one year. These violations may include: managing an unregistered database; using a database for a purpose it’s not registered for; not providing a full Privacy Notice; not giving employees access rights, etc. Generally, the Protection of Privacy Authority (PPA) only conducts criminal investigations when there are serious violations. In addition, there may be instances where a database is restricted or canceled when the PPL is breached, until the breach is rectified.
Administrative sanctions can include fines from ILS 10,000 (approx. USD 2,800) to ILS 25,000 (approx. USD 7,000) with additional fines for ongoing violations. The PPA often publishes violations on their website, which can serve as a basis for civil litigation.
Individuals can claim damages for breaches of the PPL relating to databases. In the event of a criminal conviction relating to the violation of an individual’s right to privacy, the court may allow statutory damages up to ILS 61,000 (approx. USD 17,000) to be paid to the impacted individual. In addition, in civil tort proceedings, violating the right to privacy of an individual may lead to statutory damages of up to ILS 61,000 (and twice that amount in certain circumstances).
