This memorandum summarizes two recent developments relating to privacy and data protection law in Israel.
1. No More Database Registration or Maintenance Fees
In July, 2017, ILITA announced that the Constitution, Law and Justice Committee of the Israeli Knesset approved Justice Minister Ayelet Shaked's initiative to nullify database registration application fees and annual maintenance fees, effective immediately. Prior to the decision, owners of database subject to the database registration requirements under Israel’s Protection of Privacy Law – 1981 ( “Privacy Law”) were obligated to pay a fee upon initial registration of a database as well as an annual maintenance fee. Database registration and maintenance fees previously incurred remain due and are not waived by the decision.
We note that a draft law has been pending before the Knesset which, if passed, would replace the Privacy Law's database registration obligation with a notification obligation; this change would impact most but not all databases. Currently, the legal obligation to register databases in the manner required under the Privacy Law remains in effect. As such, database owners do need to continue to register databases to the extent required under the Privacy Law, but without payment of fees.
ILITA's announcement can be viewed at http://www.justice.gov.il/Units/ilita/news/Pages/Agra.aspx.
2. New ILITA Directive on Direct Mail and Direct Mail Services
On June 21, 2017, ILITA released Directive 2/2017 (“Directive”) regarding the interpretation and application of the Privacy Law provisions that address direct mail and direct mail services. The full text of the Directive can be accessed here. The Directive supplements guidance issued by ILITA in late 2016 on purchasing information used for direct mail activities (see here).
‘Direct mail’ is defined under the Privacy Law as ‘an individual approach to persons, based on their belonging to a population group, as determined by one or more characteristics of those persons whose names are included in a database’, and includes where contact is made in writing or in print, whether made via telephone, facsimile, computer or other means. ‘Direct mail services’ are defined as ‘the provision of direct mail services to others by way of transferring lists, adhesive labels or data by any means whatsoever’.
The Directive distinguishes direct mail from promotional messages (colloquially, 'spam') which are governed by the Communications Law – 1982. While 'direct mail' is characterized by targeted communications to a list of individuals who have been included on such list due specific characteristics of the data subjects (for example, due to religion, political affiliation or age) spam, by contrast, is defined by the nature of the communication and the method in which the communication is transmitted as opposed to by the way in which the recipients are chosen. Consequently, laws governing direct mail aim to protect a person’s right to privacy by preventing the dissemination of a person's characteristics that serve as a basis for targeting the communication, while laws governing spam are designed to prevent communication channels from being overwhelmed with mailings.
The Directive clarifies that the nature of the consent required for direct mail and direct mail services varies under the circumstances. While sending promotional messages or spam requires an express 'opt-in' in most cases, the default consent required for direct mail communications is 'opt-out', subject to exceptions.
One notable exception relates to a situation where personal data is collected pursuant to a non-negotiable standard contract (which may include, under certain circumstances, website or mobile application privacy policies). In this case, the position of ILITA is that where the primary purpose for which the data subject is entering into the contract does NOT relate to direct mail services, the data subject must expressly Opt-In to the use of personal information for direct mail purposes in order for consent to be deemed granted.
Having laid out the conceptual background to the direct mail provisions, the remainder of the Directive provides a detailed interpretation of Sections 17c – 17i of the Privacy Law which govern databases used for direct mailing purposes. The purpose of Sections 17c – 17i, as explained in the Directive, is to provide persons with a degree of control over the construction and use of the personality profiles that have been constructed. As such the provisions obligate the actor engaging in direct mail to indicate to the data subjects where and from whom such actor received data subjects' personal information, and to notify data subjects of how their personal data may be altered or removed from the database.
Entities that either engage in direct mail, or provide direct mail services to others should review the Directive, in conjunction with the Privacy Law, to ensure they are in compliance.