Privacy & Cybersecurity Law Blog

Reporting from Israel, legal consultant Dr. Omer Tene writes:

In a detailed, 27-page decision (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar), the Tel Aviv District Court recently upheld the validity of an instruction issued by the data protection regulator restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorized to issue market instructions interpreting the law. The decision is likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents and market instructions published by the Israeli Law, Information and Technology Authority (“ILITA”) over the past two years. These include instructions regarding:

• outsourcing data processing operations;
• requirements for user authentication when providing remote access to personal data;
• employee screening and employment recruitment agencies; and
• the allocation of responsibility for databases between health insurers and primary health care providers.

In addition, ILITA issued a draft instruction concerning the collection of data from minors; draft guidance concerning privacy in the workplace; and, perhaps most importantly, draft data security regulations which are intended to replace the currently applicable regulations that date back to 1986 (the Privacy Protection Regulations (Conditions for Data Storage and Security and Public Sector Data Sharing), 1986).

In IDI Insurance, ILITA fined an insurance company for using information concerning the attachment of a client’s account in denying that client insurance. ILITA alleged that the insurance company violated the purpose limitation provisions in Sections 2(9) and 8(b) of the Privacy Protection Act, 1981. IDI Insurance claimed that it was entitled to use the information it had received. More importantly, it challenged ILITA’s authority to interpret the law, arguing that such interpretation is reserved for the legislature or judicial branch and not for a regulatory agency.

The court held that information received by a financial institution about an attachment may not be used for any other purpose, such as the determination of credit risk or client segmentation. Significantly, the court also held that while the regulator was authorized to exercise its discretion on a case-by-case basis, it could also set forth rules and instructions for future reference by market players.