The Israeli Privacy Protection Authority recently clarified that lists of names and email addresses would be considered “Information” for the purposes of the Israeli Privacy Protection Law
The Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (the “Law”) is Israel’s principal data protection legislation. It applies, inter alia, to the protection of all personal information, and sets forth the obligations of individuals and entities, with regard to how they maintain and manage such information. One of the requirements imposed by the Law is for the holders of certain types of “Information” to register such information as a database and maintain such database in the manner provided for under the Law.
Generally: a “database” means a collection of data, kept by a magnetic or optic means and intended for computer processing, other than…. (2) a compilation that includes only names, addresses and methods of communication, which in itself does not produce a characterization which infringes the privacy of the persons whose names are included therein.” Israel’s Privacy Protection Authority (“PPA”) recently addressed the question of whether a compilation of names and e-mail addresses would be considered merely a list of “methods of communication,” thereby excluding holders of such lists from the obligations regarding databases.
In a statement issued on November 28, 2018, the PPA clarified that compilations of names and e-mail addresses would not fall within said exception. Therefore, a entity which possesses a list of names and email addresses must register such information as a database and will be subject to the provisions which regulate the maintenance and management of databases.
Relying, in its statement, upon the definition of “Information” set forth under the Law, (i.e. “data on a person’s personality, personal status, privacy, state of health, economic situation, professional training, opinions and belief”), the PPA notes that e-mail addresses can be used to deduce personal information such as occupation, marital status, age, opinions and beliefs, etc. E-mail addresses can also be used as tools for identifying a person with greater certainty and linking different information about him or her to different databases. Lastly, the PPA relies on an interpretation made with respect to the equivalent legal provisions in the European Union, whereunder it was determined that e-mail addresses constitute “personal data” which should be protected.
We urge individuals and entities which maintain lists of names and email addresses for business purposes to seek legal advice on the implications of the PPA’s recent statement.