Israel: Amendment 13 Brings AI Privacy Enforcement | TLY

AI Regulation Tracker  /  Data protection

Israel's Amendment 13 is now in force, and the privacy regulator is auditing AI use of personal data

Amendment 13 to Israel's Protection of Privacy Law took effect on August 14, 2025, and the Privacy Protection Authority is moving from reactive complaints to proactive audits of firms that run AI on personal data. Draft AI guidelines set the standard the regulator intends to enforce.

Israel's Amendment 13 is now in force, and the privacy regulator is auditing AI use of personal data regulation briefing
The Leveraged Years AI Regulation Tracker

Israel's largest privacy reform in four decades is now operational, and the regulator has signaled that it will act on it. Amendment 13 to the Protection of Privacy Law, 5741-1981, entered into force on August 14, 2025, according to the U.S. Library of Congress and the International Association of Privacy Professionals. The Privacy Protection Authority, the country's data regulator, has spent the preparatory period publishing guidance and building a compliance hub, and it has framed 2026 as the year it uses its expanded powers. For firms that run AI on personal data, the practical question is no longer whether Israeli privacy law reaches their systems. It does.

What Amendment 13 changed

Amendment 13 overhauls a statute first enacted in 1981. It broadens the definition of sensitive data, tightens consent and transparency requirements, and creates a mandatory data protection officer obligation for certain organizations, including public bodies, data brokers, and entities that process large volumes of personal data. It also strengthens the PPA's enforcement toolkit, including administrative sanctions, and, as secondary analysts note, allows individuals to bring claims without proving concrete damage in some circumstances. The reform does not single out AI as a separate regime. Instead, it applies the general privacy rules to AI processing and relies on guidance to explain how.

How the AI guidelines read the law

The PPA published a draft guidance in April 2025 on applying the Privacy Protection Law to AI systems. The document, still in draft as of the latest available reporting, states that a lawful basis is required for processing personal data at every stage of an AI system's lifecycle, including model training and operation. It calls for privacy by design, transparency and disclosure to data subjects, accountability, and respect for access, correction, and deletion rights when those rights concern AI systems. The comment period on the draft was extended to July 6, 2025. Readers should treat the guidelines as the regulator's stated interpretation rather than as a separate binding instrument, and should confirm the current status before relying on any specific provision.

Web scraping is now a named risk

One of the sharper messages in the draft guidance concerns data scraping for AI training. The PPA's position, as summarized by Israeli law firms reporting on the draft, is that organizations must assess what data they collect, review platform terms of use, and adopt policies to reduce legal exposure. The draft treats unauthorized scraping as a serious security incident that must be reported to the Authority, a characterization that had not been expressly stated in earlier Israeli privacy practice. Teams that assemble training sets by scraping public sites should not assume that public availability equals lawful use. The practical effect is that the sourcing of training data becomes a compliance decision, not just an engineering one, and firms should keep records of where each dataset came from and on what legal footing it was collected.

The shift to proactive audits

The most consequential change for compliance planning is posture, not text. The PPA has indicated it will move from reacting to complaints toward proactive review of higher-risk processing, and it has flagged AI systems as a priority. That means a firm may face regulator attention before any individual complains, and that the burden of showing a lawful and documented process sits with the organization from the outset. What the change does not do is create an outright ban on AI or on training with personal data. Lawful processing remains available where a valid basis, adequate transparency, and appropriate safeguards are in place. The distinction that matters is between firms that can produce that record on request and firms that cannot.

The cross-border angle for US readers

Amendment 13 binds organizations that process Israeli personal data regardless of where they sit, so a US company serving Israeli users or operating a subsidiary there is within scope. Beyond direct reach, Israel's approach of applying an established privacy law to the full AI lifecycle, rather than waiting for a bespoke AI statute, previews a method US regulators and state authorities may adopt. The operating assumption for any firm with Israeli data exposure should be that AI use is already regulated and increasingly audited.

Frequently Asked Questions

What changed with Amendment 13?

Amendment 13 to Israel's Protection of Privacy Law took effect on August 14, 2025. It broadens the definition of sensitive data, tightens consent and transparency rules, requires certain organizations to appoint a data protection officer, and expands the Privacy Protection Authority's enforcement and sanction powers.

Who is affected?

Any organization that processes Israeli personal data, with specific exposure for AI and machine-learning teams, data brokers, privacy officers, and companies that scrape data to train models. The law can reach foreign firms that handle Israeli personal data.

Are the AI guidelines binding law?

The AI guidelines were issued as a draft in April 2025 and set out how the PPA intends to apply the Privacy Protection Law to AI. The binding obligations come from Amendment 13 and the underlying statute. Confirm the guidelines' current status, since draft guidance can change before it is finalized.

Can we still scrape public websites to train models?

Public availability does not by itself make scraping lawful. The PPA's draft guidance treats unauthorized scraping as a serious, reportable security incident and expects organizations to assess the data collected, review platform terms, and adopt policies that reduce legal risk.

Do we have to appoint a data protection officer?

Amendment 13 requires certain organizations, including public bodies, data brokers, and entities processing large volumes of personal data, to appoint a data protection officer. Check your processing volume and category against the amendment's thresholds to confirm whether the obligation applies to you.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.