This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Israel.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Communications networks and services are highly regulated in Israel, with regulation spanning from telecommunication services (e.g., land and mobile telephony, internet providers and infrastructure providers) to conventional radio and broadcast services. Generally all conventional telecommunication networks require a governmental permit, license or franchise which may include the scope of permitted services and activities, consumer protection provisions, security and emergency provisions and may prohibit certain broadcast content. Additional regulatory obligations stem from anti-trust considerations.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The main regulator for communications-related services is the Israeli Ministry of Communications, which is a government office. In addition there are several independent regulators that have a mandate to supervise specific sectors such as the radio and broadcast sector (e.g., The Second Authority for Television & Radio and the Israeli Public Broadcast Corporation). Many of the reforms introduced to the communications sector are a result of independent committees formed by the Israeli Ministry of Communications.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
In general, a telecommunication operator must be domiciled in Israel. Such requirement may be imposed by law - mainly the Communications Law (Telecommunications and Broadcasting), 5742-1982 ("Bezeq Law"), which requires cable and satellite operators to be domiciled in Israel - or by the license terms (e.g., cellular providers). In addition, in several cases the law or license terms may dictate a minimum Israeli ownership in a telecommunication operator. For example, a national news provider must be domiciled in Israel; the CEO and a majority of the members of the board must be Israeli citizens; and foreign citizens may not hold more than a third of such corporation. The Bezeq Law imposes additional restrictions on foreign ownership of telecommunication companies that are deemed an "Essential Service".
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
The Bezeq Law provides the framework regarding interconnection between operators (including specifying interconnection payments). For example, each of the cellular portable radio-telephone operators' licenses granted pursuant to Bezeq Law includes specific obligations with regards to interconnection between operators. The regulator may treat operators with market power differently and is actively encouraging competition in the telecommunications sector. A recent example is the regulator`s requirement from Bezeq, the Israeli Telecommunications Corp. Ltd, a leader in the telecommunication sector, to allow a secondary market of its infrastructure and allow other providers to provide their customers with services on Bezeq`s infrastructure.
Among such regulations are the Bezeq Law, Consumer Protection Act of 5742-1981 together with its stemming regulations and the Contract Law of 1973. Such legislations regulate the engagement of service provides with consumers in general and also the telecom industry with some specific provisions for this industry, with regulations varying from restrictions on minimum service periods to account termination provisions and include provisions relating to after-sale service and call-center service. In addition, consumer protection regulations are specified in each telecommunications license which are specific for each telecommunication sector. For example, a cellular portable radio-telephone operator’s license includes, among others, a minimum service availability requirement and notification to the consumer upon exhaustion of subscribed services.
What legal protections are offered in relation to the creators of computer software?
The Copyright Law of 2007 (the "Copyright Law") governs the protection of computer software and was enacted in accordance with the provisions of the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement. According to the Copyright Law, computer software is considered as a "literary work", and the copyright protection is granted to computer software for "any way it is expressed in" (i.e. not only for source code). A developer of computer software is not required to register the software to gain statutory protection. Such protection includes, among others, the sole right to copy, advertise, perform publicly, broadcast, make a derivative work, rent, or make the software available to the public. The Copyright Law permits to copy or make a derivative work for holders of a licensed copy of the software, and for specific purposes (e.g. software backup, compilation to other software, data security inspection, etc.). The copyright protection is granted for the lifetime term of the developer plus an additional 70 years after the developer’s death. It is customary to claim that if software is developed by a company with multiple developers contributing to it, the term is practically unlimited. Breach of such law may grant the developer a right to financial compensation without the need to prove damages (statutory damages), and may impose criminal liability. Moral rights which regularly award certain credit rights to copyright developers, are not awarded to software developers since the enactment of the 2007 law. In certain circumstances, computer software (mainly algorithms) may also be registered as a patent.
Are specific intellectual property rights in respect of data/databases recognised?
The Copyrights Law recognises, in certain circumstances, copyrights in a compilation of data (e.g., a database). Such recognition requires the database to include an original arrangement of the works or the data contained in it. In several rulings, the Israeli Supreme Court narrowed the protection granted to databases, reinforcing the originality and unique arrangement of the works requirement. E.g., the telephone company`s phone database will not be protected, while an encyclopaedia will be granted protection. Such protection will not cover the data contained in the database. In addition, databases may also be protected as a "commercial secret" under the Commercial Torts Law of 1999, if the content of the database is considered confidential and is designated for a specific group of people.
What key protections exist for personal data?
Key protections of personal data are granted under the Basic Law: Human Dignity and Liberty, 5752 – 1992, and the Protection of Privacy Law, 5741-1981 ("PPL") and its Regulations, and include among others:
- The right for privacy is a constitutional right. Accordingly, any statute which limits this right must befit the values of the state of Israel, be for a proper purpose, and not be broader than required.
- The PPL states that a data-subject should be duly informed by the data-owner, when requested to provide personal data: (a) whether he/she is obligated by law or legal requirement to provide such information, or whether the provision of such information is based on free will; (b) the purposes for which the data-owner requests such information; and (c) who are the recipients of such information (if and to the extent applicable), and for what purposes will recipients use such data.
- The use of personal data should be pursuant to the data-subject's informed consent. As a result, the data-owner (and data-holder) may not use the personal data for any other purpose. In the event the purposes for use of information are changed, data subject's informed consent should be re-obtained.
- Unless specifically prohibited under the PPL, each data-subject may view, inspect and amend his/her personal data which resides in the data-owner's systems, the extent to which he/she finds the information incorrect, incomplete, unclear or not up to date.
- Further, each data-subject has the right to ask for deletion of his/her information from a database which is being used for direct mailing. Based on the recent Israeli Database Registrar's Guidelines (2/2017) regarding direct mailing and direct mailing services, such right also applies to databases for direct mailing services. However, to the extent such databases are being used for other purposes (such as providing services) - other information may be retained by the data-owner as deemed required for legitimate business reasons, for the duration as required under applicable law.
- The new Privacy Protection Regulations (Data Security), 5777-2017 (the "Security Regulations") promulgated pursuant to the PPL incorporate minimization requirements with respect to the amount of information stored, the purpose of collection, the use of the information, and access privileges granted to employees and providers of outsourcing services. Also, under the Security Regulations (which will enter into force in May 2018), any data-owner and data-holder will be required to implement various security measures to protect personal data.
Are there restrictions on the transfer of personal data overseas?
Transfer of personal data is subject to the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001. Personal data may not be transferred overseas, unless the law of the recipient’s country ensures a level of protection which is no less than the level of protection of personal data provided by Israeli law. However, a data-owner may also transfer personal data overseas if: (a) the data-subject has consented to the transfer; (b) the data-subject’s consent cannot be obtained, and the transfer is essential for the protection of his/her health or physical wellbeing; (c) transfer is to a corporation under the control of the database-owner, and such corporation has guaranteed the protection of privacy after the transfer; (d) transfer is to an entity which has contractually agreed to comply with the Israeli law provisions governing the processing and use of such data as applied to a database located in Israel; (e) the data was made publically available or was opened for public inspection by a legal authority; (f) transfer is essential for public safety or security; (g) transfer is required by Israeli Law; or (h) transfer is: (1) to a country which is party of the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data; (2) to a country which duly receives information from a member state of the European Committee under the same terms of acceptance; or (3) in relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette, that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with the said authority.
Following the cancelation of the EU-US Safe Harbour (in October 2015), the Israeli Law, Information and Technology Authority ("ILITA") has issued a statement that exemption (h)(2) above can no longer be used for the transfer of data overseas, and if necessary – a data-owner should qualify such transfer by using the other existing exemptions. However, the official wording of the applicable regulations remained unchanged. It should be noted that ILITA has not officially recognized the applicability of the EU-US Privacy Shield as adequate in Israel and hence use of this vehicle to transfer personal data from Israel to the US is questionable.
What is the maximum fine that can be applied for breach of data protection laws?
Breach of the PPL (especially in relation to databases) may result in a declaration of violation by ILITA and imposition of administrative fines. Such fines may amount up to NIS 5,000 if the breach is by an individual, and NIS 25,000 if it is a corporation. Breach of privacy with no intent constitutes a civil tort, and the data-subject may also sue for statutory damages in an amount up to NIS 50,000 (without proving actual damages). In addition, breach of privacy with intent constitutes a criminal offense, which is punishable by a 5-year imprisonment term, and breach of database related provisions constitutes a criminal offense, which is punishable by a 1-year imprisonment term.
Are there any restrictions applicable to cloud-based services?
Generally, Israeli law does not specifically address cloud-based services.
If a data-owner uses outsourcing services of cloud-service providers for processing of personal data, it will be subject to the Databases Registrar Guidelines 2/2011 on Use of Outsourcing Services to Process Personal Information. Such guidelines require, among others, to execute background check on the service provider, and to include certain provisions in the agreement between the data-controller and the service provider (such as audit, inspection, training for employees, confidentiality obligations, guarantees (such as professional liability insurance), deletion of information upon termination of the agreement and ensuring data-subjects' rights are fully and duly maintained). Further, if the use of cloud-based services requires the transfer of data overseas, such transfer will be governed by the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 (as described in Section 9 above).
In addition, the Banking Supervision Department of the Bank of Israel has issued a directive on risk management in cloud environment. Such directive applies to the banking industry while using cloud-based services, and is in the process of replacement by a new directive (a draft has been published). It is also worth noting that the the Commissioner of the Capital Market, Insurance and Savings at the Israeli Ministry of Finance has issued directives for cyber-risk management of financial institutional entities (such as insurance companies and pension funds), which among others refer to the use of cloud-based services.
Are there specific requirements for the validity of an electronic signature?
The Electronic Signature Law, 5761-2001, specifies the requirements for the validity of electronic signatures on documents that require, by Israeli law, a signature. Such requirements include, among others, the use of specific authentication software and a specific electronic certificate authenticating the identity of signor. Such law does not relate to electronic signatures that are used for purposes that do not require signatures by law, which validity shall continue to be subject to general laws and case law applicable to the validity of signatures.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
Not necessarily. The terms of each contract regarding such employees, assets and third party contracts would govern their transfer. Further, employees will not automatically be transferred to the outsourcing supplier.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
In case of bodily injury, several laws stipulate liability in different circumstances notwithstanding fault. For example, under the Liability for Defective Products Law, 1980, the manufacturer of a product will be liable for any bodily injury caused by a product malfunction. Likewise, the Road Accident Victims Compensation Law – 1975 stipulates full liability on the driver of a vehicle for any bodily injury. However, it may be unclear who would be considered the driver.
With respect to damages other than bodily injury, different regimes will apply in accordance with contractual undertakings and applicable tort law theories (e.g., negligence and breach of duty care).
What key laws exist in terms of the criminality of hacking/DDOS attacks?
Although not specifically relating to DDOS attacks, there are several laws applicable to the cybersecurity sector. Three main Israeli cybersecurity-related statues are the Computers Law, 5755-1995, PPL and the Penal Law of 5737-1977. Such Penal Law criminalizes hacking and prohibits, among others, programming software to carry out an illegal operations.
The Security Regulations (which will enter into force in May 2018) will require any data-owner and data-holder to implement various security measures to protect personal data. In addition, specific regulators have issued regulations imposing minimum standards with respect to cybersecurity. Most notably is the recent guideline to financial institutional entities published by the Commissioner of the Capital Market, Insurance and Savings at the Israeli Ministry of Finance mentioned in Section 11 above, which includes guidelines for managing cyber risks within specified institutions and adopting certain measures to enhance cyber protection, and the draft of a similar guideline by the Banking Supervision Department of the Bank of Israel applicable to banks.
What technology development will create the most legal change in the jurisdiction?
The increased use of blockchain technology may create the most legal change in the Israeli jurisdiction in the upcoming years, as such technology may disrupt conventional ways of doing business. Law makers may need to adopt and find creative ways to "manage" and regulate the use of this technology in different business cases, given the blockchain technology`s un-centralized nature and other unique features. For example, among the areas affected are security (e.g., anti-laundering laws and national security) and data protection and privacy. Such legislation may be local or part of a global effort to regulate the blockchain technology and its uses.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
Bureaucracy and ease-of-doing-business stand out as the greatest impediment to economic development in Israel. For example, in terms of incorporating a new Israeli company as well as opening a bank account in Israel, the processes and timelines require streamlining and acceleration.
Do you believe the legal system specifically encourages or hinders digital services?
In our view, the Israeli legal system mostly encourages the development and use of digital services in unregulated sectors, while hindering its use in regulated sectors. There is considerable governmental support for digitalizing government services (e.g., Digital Israel). However, regulated sectors such as the telecommunication and financial sector may be considered slow in adopting new digital services due to the need for the regulatory approval, and in addition regulation of different aspects of the hi-tech sector should be taken into account (such as regulation of encryption and authentication means, and of dual-use technologies).
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
We expect that the legal and ethical questions that arise out of use of artificial intelligence will require new and specific regulation. With that being said, as the Israeli legal system is based on court precedents, the legal issues associated with the use of artificial intelligence may be settled faster than expected as increased use will force the courts to set precedents on these issues. It would seem that until legal precedents are set, legal issues associated with artificial intelligence will be assessed on a case-by-case basis.