
Data Protection Regulators should see which offence is more dominant for effective collaboration: Sharon Azarya at #PrivacyNama2022

During day 2 of PrivacyNama 2022, Sharon Azarya gave insights into the role and functioning of Israel’s privacy regulator


“Privacy is a very important aspect in building trust in digital economies. So, when we make sure that the privacy principles are respected and are implemented then this would build public trust in certain systems…” said Sharon Azarya, Head of International Affairs at the Israeli Privacy Protection Authority, while talking about Israel’s data protection regulation practices during the second day of PrivacyNama 2022 on October 7.

Azarya conversed with Renuka Sane, Associate Professor at the National Institute of Public Finance and Policy and moderator, during the opening session of ‘Data Protection Regulators’ about data protection and regulation with regard to privacy. During the session, Sane asked Azarya about the functioning of the Israel Data Protection Authority.

MediaNama is hosting these discussions with support from Mozilla, Meta, Walmart, Amazon, the Centre for Communication Governance at NLU Delhi, Access Now, the Centre for Internet and Society, and the Advertising Standards Council of India.




How does the Israeli Authority choose the important topics of concern in the larger privacy space?

Each regulator has its own powers and I think that topics with which you engage have a lot to do with your powers. We have retrospective actions and prospective actions when we decide what and how to enforce. For example, when we plan our annual year, we identify the market failures and topics that need addressal. To do that we consult the public, we hold roundtables with academia, stakeholders, NGOs and industry and we try to identify the things which our authority needs to give answers to.

During enforcement, sometimes you must give answers to something that is occurring. Moreover, you can’t take enforcement actions in every little infringement. So, when we use our powers to enforce, we try to identify the cases in which most individuals were affected, a lot of data subjects were affected, in cases of sensitive data or when potential damages are the highest.

And then you must choose your enforcement tool. When there was an intention to cause harm then we use our criminal powers. When we see that there is a big market failure in the specific sector, we have an audit to identify why things are happening, why things are not in compliance with the law and then we will issue corrective measures. When we use administrative powers, it is usually because we have either a lot of complaints from the public or when we have intelligence.

For policymaking, usually our authority issues guidelines. We plan by trying to identify new trends, technologies and then we analyse data flows, data protection implementation, use of personal data and privacy by design principles to enhance privacy.

Data security is one of the main concerns around the world. Regulators are very much engaged in this field. There is an obligation to report to us about data breaches and we try to guide the affected organizations on how to respond. So we have guidelines about it and this enables us to identify data breaches and to give support to affected organizations and the public.

In Israel there is a committee that is an Intergovernmental Committee that is now looking into artificial intelligence (AI) and trying to lay out the policy about it altogether. Facial recognition is also something that everyone is looking at around the world now. In Israel, there was a public debate about using facial recognition for law enforcement. There was a draft Bill about it and we raised a very vocal voice to fine-tune it into more proportionate components, and data minimization and data protection principles into the law. At the moment everything is frozen, but again because we really raised the public debate about it.

Nowadays, we’re looking into blockchain so you have to analyse again the data flow, you have to see where personal data is being used, what are the risks for privacy data in each technology, and how you can mitigate the risk. We try to use a proactive approach in which we analyse the technologies ahead of time and find again the risks and give guidance as to how to reduce the risks for privacy.

Is there a process you follow when analysing complaints or soliciting comments or being proactive and when responding to feedback on draft regulations?

When you issue regulations or when you enact the law in Israel Parliament, it is a public process in which all relevant stakeholders are invited to raise their voice and give their opinion. It’s a very delicate process because you have all those small businesses and medium sized businesses on which those kinds of regulations impose a lot of duties. So, in these processes the whole public is involved.

When the authority issues guidelines, we issue a draft which we publicize on our website and again we invite all relevant stakeholders to respond. You hear the NGOs on the one side which represent the data subjects and then you hear the industry and other public offices because sometimes the regulation affects other markets. There are a lot of other governmental stakeholders as well that are sometimes irrelevant to the discussion.

Are you obliged to give reasons for accepting or not accepting some of the recommendations or suggestions that may come from these public consultations?

Our guidelines are not mandatory. They’re more like advice. We guide organizations on how to conduct their activities in a way that decreases risks for violating privacy. Many times, organizations are brought to litigation by the private person and individual or group of individuals that claim their data was infringed. They go to court to seek damages because their privacy violations are also a civil claim where they can demand change in conduct or even receive compensation. Our law enables a certain amount of compensation without even proving damages.

Sometimes even the court will look at the guidelines and say if you fulfilled the guidelines then you did what you needed to do and this was unavoidable. So we hear everyone but we don’t have to justify why we reject or accept a certain comment.

So anything that is mandatory, does it have to go through the Parliament?

Our enforcement toolbox is very varied. We have sanctions for criminal investigations and if we can extract adequate evidence, then this goes to criminal proceedings in courts. We also issue fines that are mandatory but can be challenged in court. Another power that we have is correcting orders and that means that if we find organizations following law and regulations, then we send them corrective orders. So, we have powers because otherwise you’re not a regulator so our decisions in the enforcement routes are mandatory.

This whole process of issuing guidance or conducting enforcement requires a very high human capital and a very well-trained staff. What’s your sense of how Israel built up the human capability to do these things?

When you build the Data Protection Authority, you have to look at your powers to see what kind of personnel you need or what kind of professionals you need in your authority. I think only Israel, UK, Iran, Ireland and the Philippines have powers to conduct criminal investigations. So, we need forensic experts to produce evidence that is adequate for criminal proceedings. We also have investigators and even people that work for the police working with us.

Of course, we need technical experts to understand the new technologies. We regulate data breaches so we employ data security experts, and their job is also to identify leaks ourselves. To analyse new technologies in terms of guidelines, we use our technology experts. Most of our employees are legal experts. That is a trend even abroad now that you have technical people that are doing some of the investigations and analysing new technologies.

We have online workshops in which we try to better explain our regulations, and to assist markets with implementing data protection principles. So, we also educate the public and issue recommendations at times on how to enhance public privacy, how to better adjust privacy settings in computers or phones and devices, etc.

If a breach happens, what is the division of labour between the two regulators in terms of investigation or enforcement? Are there formal processes through which this has been decided?

We don’t have a formal process, but since most markets are now data driven, we intersect with a lot of regulators. In enforcement and in policymaking, we try to engage with other regulators. The most common trend when we speak globally with regulators is the focus on collaboration between competition authorities, consumer authorities and privacy protection authorities. We have this kind of collaboration because sometimes even if authorities overlap, they can be more effective.

We had the issue of data portability in Israel. We don’t have a data portability obligation in our privacy protection law, but we have sectoral data portability obligations like in the financial market sectors. So in these kinds of areas we give our advice and we even gave a neutral opinion for Parliament to maybe enact a data portability obligation.

With the police, sometimes they use us or vice versa. Then you have to decide who leads the investigation. You have to see which offense is more dominant, the privacy or other things that developed by using infringed personal data.

I can say that with regards to regulations, data security regulations, as I mentioned we have data security regulations, but then again, in the financial markets, they have even more strict obligations so they had their own thing and we saw what is the delta between our regulations and the special markets regulations.

Would it be better to have formal channels or MOUs for collaboration? What advice would you have for people considering this trade off?

Well, I think that if something is not broken, you don’t have to fix it. Of course, if it reaches the bridge then we will try to figure it out. I can also say that we have regulations regarding data transfers between the public organizations. So, in that respect it also assists us, or other authorities, to execute their powers, but it really needs to be on a case-by-case basis because sometimes you overlap, sometimes you complement one another.

What are the challenges that a regulator may have, when the government itself is collecting data or doing things that as a regulator you would object to?

We regulate public and private sectors. Privacy is deeply rooted in our institutions because we have the privacy under the Basic Human Rights Act. So the government is obliged to respect the privacy principles and to comply with the Privacy Protection Act, which they have derogations regarding national security. With regards to the Pegasus, the whole government was engaged in investigating the issue and we assisted and consulted but the General Attorney actually looked into this and issued an opinion.

So, this is how we collaborated with the highest legal instances in the government to make sure that technology is not used the way it’s not supposed to be used. We are involved in legislative processes for new databases that the government wants to establish. So, we are involved in the enacting process itself and we can regulate it respectfully. They have to register database in our authority, and therefore, we have oversight powers to make sure that things are done properly.

Does Israel have a non-personal data regulation? Does the same regulator look at both?

This is why we want to promote privacy enhancing technologies [PETs] because today with big data technologies and data analysis, sometimes non-personal data can, after you integrate it with other data, be personal data.

PETs like anonymization techniques and encryption are very important components for data security. They enhance data security and minimize the risk of personal data being unlawfully exposed. So once the data is secured or anonymized then you can even use it for public benefit purposes. Regulators also have to be I would say enablers because we have to acknowledge the fact that most digital markets are data driven and we want to allow innovation, but again, enhancing privacy protection.

So, the question if data is personal or not, that’s the question that will be the decision maker of whether or not the Privacy Act applies and then if the Privacy Act applies then we regulate it. But if it’s data about weather, then it’s none of our mandate.

The question about Israel being independent is actually very interesting. Our authority sits within the Ministry of Justice. So, sometimes people can say that that’s not independent, but we are independent. We issue our own opinion regarding legislation processes, sometimes against the government. Just a week ago, we promoted and were able to pass a government decision that stipulates that we are independent and that means that we can do whatever we want, or we think that is right, in accordance with our law.

How is it that the Authority is then financed?

First of all, you have to fulfil conditions to be a privacy protection regulator. You must have legal experience and relevant experience. All our DPAs have been non-political and there are non-political people sitting in the committee that appoints them. So, it’s a combination of the Minister and other non or other independent members in the committee that are responsible for the nomination.

So they check your experience. The current regulator was actually a worker in the Ministry of Justice in the international department and then he managed two units in our ministry and he was also the general director of another ministry. So he came with a lot of management know-how. The first DPA that we had came from the tech sector. He’s an attorney, and he had knowledge and technologies. So, these are the kinds of people that lead our authority. So we’re very independent and not political.


This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
