Israel’s Amendment 13: A New Era for Privacy


What does Israel’s Amendment 13 to the Privacy Protection Law mean for companies operating in Israel and beyond? Why does it matter now, and how should compliance and security leaders respond?
Data privacy regulation never slows down. Israel’s Amendment 13 to the Privacy Protection Law marks one of the most significant privacy reforms in recent years, aligning Israel more closely with global norms and dramatically raising expectations for organizations that collect, process, or share personal data. The amendment came into effect on August 14, 2025 - a clear signal that the time to adapt is now.
The amendment highlights where companies must focus, and underscores the urgency of adopting technology-driven approaches to compliance. Here’s what it changes, and what it teaches organizations preparing for the next wave of regulation.
TL;DR: Amendment 13 in a Nutshell
- Enforcement is live → The PPA already fined HOT ₪70,000, proving it intends to use its new powers.
- Bigger risks → Companies can now be sued without proof of harm; fines may reach millions or up to 5% of turnover.
- New requirements → Mandatory DPOs, stricter notices and consent, AI governance, and security testing every 18 months.
- Higher standards → Data brokers, cross-border transfers, and sensitive data face tighter rules, aligned with GDPR.
- Automation is key → Manual compliance won’t scale. Continuous mapping, classification, alerts, and automated RoPA/DSR workflows are the only sustainable approach.
👉 Bottom line: Amendment 13 sets a new bar for privacy in Israel. MineOS helps companies adapt fast - with automation that turns complex regulatory demands into simple, repeatable workflows.
Why are the stakes higher than ever?
Recent global trends have shortened the path for individuals seeking to enforce their privacy rights, and Israel is no exception. Amendment 13 enables individuals to sue without proving direct harm - lowering the litigation bar and raising exposure for companies.
The law also:
- Extends the statute of limitations for privacy violations to seven years.
- Expands the Israeli Privacy Protection Authority’s (PPA) enforcement powers, including the ability to impose significant fines, suspend processing, or even pursue criminal investigations.
- Introduces mechanisms for preliminary opinions and remediation, giving organizations a chance to correct issues before penalties escalate.
- Establishes new criminal offenses for actions like unauthorized use of personal data.
Importantly, enforcement is already here. The PPA has imposed a ₪70,000 fine on HOT for violations - an early signal that the Authority intends to actively use its expanded powers. This makes it clear: companies cannot afford to wait before adapting.
The message is simple: reactive compliance is no longer enough. To survive in this environment, companies must be able to demonstrate continuous, reliable control over their data processes.
How can companies keep up with audits and classification?
The amendment introduces updated definitions of sensitive information, clarifies third-party liability, and sets notification thresholds for large-scale sensitive data. Specifically:
- The terms “personal information” and “highly sensitive information” have been redefined, with the latter explicitly including biometric, genetic, and other special categories of data.
- Notification to the PPA is required if breaches affect more than 100,000 individuals’ highly sensitive data.
- Database registration is now streamlined, applying mainly to public bodies and data brokers with over 10,000 records.
While registration obligations have eased, oversight requirements have intensified. Organizations must now be able to show, at any time, what data they hold, how it is classified, where it flows, and how it is shared.
In addition, data brokers and direct marketers are placed under stricter scrutiny: they must register databases, maintain detailed records of data sources and transfers, and respect deletion or opt-out requests. Communications must also include registration numbers.
Without continuous mapping and classification, most organizations will struggle to meet these obligations.
How should organizations respond in real time?
Amendment 13 adds new triggers for immediate organizational action, from notifying the Authority to informing individuals or halting unlawful processing. In this environment, waiting for quarterly audits or manual reviews is too risky.
For organizations managing large sensitive databases, Amendment 13 also requires risk assessments and penetration testing at least every 18 months, with serious incidents promptly reported to the PPA. This shifts security testing from a best practice to a compliance obligation.
Automated flagging closes the gap. MineOS, for example, detects problematic processing in real time and raises alerts instantly, ensuring stakeholders can act before small issues become regulatory violations. This protects compliance teams from overwhelming manual workloads, and organizations from costly mistakes.
Who must appoint a DPO under Amendment 13?
Another key governance change: certain organizations are now required to appoint a Data Protection Officer (DPO). This includes:
- Public bodies,
- Data brokers with data on more than 10,000 individuals,
- Entities processing large-scale or highly sensitive data, and
- Entities whose core activities involve systematic and ongoing monitoring of individuals.
The DPO must be independent, report directly to senior management, and oversee privacy compliance across the organization. (Notably, roles like the CISO cannot double as the DPO.)
This elevates privacy governance into a strategic leadership responsibility, not just a legal checkbox. To succeed, DPOs need continuous visibility into data processing, supported by automated monitoring and clear documentation.
What new transparency requirements apply?
Amendment 13 raises the bar for privacy notices. At the point of collection, organizations must now disclose:
- Whether data provision is mandatory or voluntary,
- The consequences of refusal,
- The controller’s identity, and
- The individual’s rights.
Consent must also be informed, freely given, and often explicit, particularly for sensitive data and direct marketing. The PPA has made clear that its consent guidelines are binding obligations, not suggestions, meaning opt-in mechanisms and auditable consent records are now essential.
For organizations with multiple touchpoints, keeping these notices consistent and up-to-date is a logistical challenge. Automated workflows ensure disclosures are refreshed, accurate, and aligned with regulatory expectations.
How does Amendment 13 address AI governance?
The PPA has clarified that artificial intelligence systems processing personal data will not go unregulated. Organizations must:
- Evaluate the risks of automated decision-making,
- Maintain transparency and explainability,
- Implement safeguards to reduce bias and discrimination, and
- Document systems and conduct impact assessments to prove compliance.
This mirrors international trends in AI oversight and signals Israel’s forward-leaning approach to responsible AI governance.
What about penalties, rights, and cross-border transfers?
Amendment 13 also expands several critical areas organizations can’t overlook:
- Penalties → The PPA can impose fines that reach into the millions of shekels, and in some cases up to 5% of turnover, mirroring GDPR-style enforcement.
- Individual rights → The amendment reinforces data subjects’ rights to access, correction, and deletion, with stricter expectations for timely, consistent responses. Courts can now award statutory damages of up to ₪100,000 without proof of harm.
- Cross-border transfers → Transfers outside Israel now carry clearer obligations. For data originating from the EEA, controllers must meet enhanced retention, accuracy, and deletion requirements to preserve adequacy status.
Together, these updates reinforce the need for structured, technology-enabled workflows to manage compliance consistently across jurisdictions.
Why is process automation the only sustainable option?
The amendment’s requirements, from notifying the PPA of breaches to responding to data subject rights requests, are structured, repeatable, and time-bound. Managing them manually invites delays and errors.
Automation makes compliance scalable. Preloaded templates, preconfigured rules, and automated workflows ensure reporting is accurate, timely, and consistent. Instead of a bottleneck, compliance becomes a routine function - preparing organizations not just for Amendment 13, but for whatever comes next.
How does Amendment 13 fit into global standards?
Amendment 13 signals Israel’s broader alignment with international privacy norms. Borrowing heavily from the GDPR, the law reflects global expectations for accountability, transparency, security, and continuous monitoring.
This creates both challenges and opportunities:
- Companies must elevate their privacy frameworks to meet higher standards across industries.
- Compliance investments made for Amendment 13 can also support global operations, helping organizations unify strategies across jurisdictions and prepare for evolving requirements in Europe, North America, and beyond.
- By explicitly addressing AI governance and cross-border data transfers, Israel has shown it intends to remain not only compliant with adequacy requirements but also ahead of the curve in regulating emerging technologies.
How MineOS Helps You Stay Ahead
MineOS is designed to make Amendment 13 compliance clear, automated, and sustainable:
- Continuous live data mapping and classification → Always know what data you hold, how it’s classified, and where it flows - a living data map that stays updated without manual effort.
- RoPA and audit automation → Automatically generate and maintain the records regulators demand under Amendment 13, backed by dual-scan flexibility (Smart Sampling + Deep Scan) to balance audit efficiency and security depth.
- DSR automation → Fulfill data subject requests at scale with AI-driven workflows, ensuring accurate, timely responses that meet strict deadlines.
- AI governance oversight → Track automated decision-making, ensure explainability and fairness, and document impact assessments to satisfy new AI-related expectations.
- Third-party risk management → Simplify vendor onboarding, enforce data processing agreements, and continuously monitor vendor compliance.
- Seamless integration builder → Connect compliance into your privacy, security, and IT stack with no-code automation that adapts as regulations evolve.
With MineOS, organizations gain the clarity, automation, and accountability they need to stay compliant, empower their DPOs, and future-proof their privacy programs.
The bottom line
Amendment 13 sets a new bar for privacy in Israel. It raises litigation risk, strengthens transparency, embeds DPO governance, regulates AI, and expands the PPA’s enforcement powers. Crucially, the law became effective on August 14, 2025, and enforcement is already underway, signaling that companies must act now.
To succeed, organizations need more than policies - they need real-time visibility, automated processes, and sustainable governance frameworks. With MineOS’s automated mapping, classification, alerts, AI governance tools, and workflows, companies gain the clarity and control needed to stay compliant, empower their DPOs, and future-proof their data practices.