"Fresh from the oven" – as we Israelis say, The Israeli Privacy Protection Authority ("the Authority") published on May 3rd, 2022, a new memo regarding the scope of interpretation of the obligation "to Notify" in the context of collecting and using personal information (“PI “, "the Memo" respectively). The public is invited to send their remarks to the Memo by June 5th, 2022. The obligation to Notify is based on the basic civil right "to be forgotten".
The Right to be Notified as to the collection of PI is set forth in paragraph 11 to the Israeli Privacy Law (of 1981!) that determines that contacting a person for the purpose of holding or using PI held in a database will be accompanied by a Notice stating all of the following: (i) the purpose for which the PI is requested; (ii) to whom the PI will be forwarded; (iii) the reasons for sharing the PI; and (iv) whether the data holder is obliged by law to forward the data or that the forwarding of the data depends on his/her will and consent.
The Memo states that the Authority interprets the obligation to Notify set forth in section 11 of the Privacy Protection Law as an obligation that applies wherever PI about a person is collected on the basis of an application, whether the information was collected based on the person's consent, or whether the information was collected according to the law.
The Authority clarifies that the collection of information from a person and its use without "sufficient" notification to that person reflects on the validity of his/her informed consent and may constitute a violation of the provisions of the Privacy Protection Law. The Authority notes that if the information collected is particularly sensitive (such as biometric information), and in circumstances where there is an "inherent concern" that the consent given may be limited, it is recommended that the obligation to Notify be even broader than set forth in section 11.
To support this recommendation, the Authority refers to a judgment handed down by the National Labor Court in which it was determined that the Kalanswa municipal council failed to provide its employees with sufficient information regarding the collection of biometric information and how it is used. The Court ruled that the municipal council was expected to clarify, among other things, the following details: (i) a detailed explanation of what is being "collected"; (ii) who are the 'technicians' that are collecting the fingerprints and their training; (iii) whether the fingerprints are stored in a 'database'; (iv) who is responsible for the database and who has access to it and to the data stored in it; (v) is the information stored in the database being stored alongside other personal identifications; (vi) what data security measures have been taken; (vii) what are the possible risks; and so on.
The Memo also relates to the use of data collected by Artificial Intelligence or Algorithm based technologies. The Authority claim that this processing is done, in many cases, in a way that is not transparent enough with providing sufficient details and explanations on how it works, the criteria defined for it, and the information entered into it. This is problematic especially in technological systems used to make decisions about a person.
The Authority emphasizes that the provisions of section 11 of the Privacy Protection Law impose an obligation to Notify at the information gathering stage and also with regard to entities that collect PI through Algorithm-based decisions systems.
The Memo, though, also reminds us that the obligation to Notify is not absolute. There may be situations where such notification would be impossible or contrary to other legitimate interests. The extent of the obligation to Notify depends on the context. By stating so, the ambiguous wording of many terms in the Israeli Privacy Law, remain. This means that Israeli Courts will probably keep being busy.
Article provided by INPLP member: Adi Barkan-Lev (BL&Z Law Offices & Notaries, Israel)
Dr. Tobias Höllwarth (Managing Director INPLP)